Cloud Edge Secure Access Getting Started Guide
- Cloud Edge Secure Access
- Welcome to SonicWall Cloud Edge!
- Prerequisites
- Installation
- Networks
- Groups and Members
- Securing the Platform
- Monitoring
- Compliance
- SonicWall Support
Google Cloud Platform
This article describes how to establish a Site-To-Site IPSEC VPN connection between Google Cloud Platform (GCP) and SonicWall Cloud Edge.
- Initial Google Cloud platform configuration
- SonicWall Cloud Edge Platform configurations
- Configuring the routing rules to the VPC network
- Allowing incoming connections from the SonicWall Cloud Edge local network using firewall rules
Please follow the steps below:
Initial Google Cloud platform configuration
GCP includes few steps throughout the configuration and needs to be applied for every VPC.
-
Create Virtual Private Gateway.
- Go to the Hybrid Connectivity in the Google Cloud Platform Console.
-
Under the left menu go to VPN, select Cloud VPN Gateways, then create VPN Gateway.
- Select Classic VPN.
-
Fill in the following information:
- Name: Enter a name of your choice.
- Network: Select default or a specific VPC.
- Region: Preferably the region in which your resources lie.
- IP Address: Create an IP address that will serve to connect your gateway.
-
Create a Tunnel
-
Scroll to the lower part of the page. Fill in the following information:
- Name: Enter a name of your choice.
-
Remote peer IP address: Enter your SonicWall Cloud Edge Gateway IP (to obtain this, open the SonicWall Cloud Edge Platform, and under Network select the network that contains the gateway to which you'd like to create a tunnel).
-
IKE Version: IKEv2
- IKE pre-shared key: Select Generate and copy or choose a key of your own and write it down.
- Routing options: Route-based
- Remote network IP ranges: 10.255.0.0/16 (unless customized)
- Select Done, then Create.
-
SonicWall Cloud Edge Platform configurations
- Enter the SonicWall Cloud Edge Management Platform. Under the Networks tab in the left menu, select the name of the network in which you'd like to set the tunnel.
-
Locate the desired gateway, select the three-dotted menu (...), select Add Tunnel, and then IPSec Site-2-Site Tunnel.
-
Fill in the following information:
- Name: Enter a name of your choice.
- Shared Secret: Enter the same IKE pre-shared key you inserted or generated in the Google Cloud Console.
- Public IP: Enter the VPN Gateway IP from the Google Cloud Console.
-
Remote Gateway Proposal Subnets: Select Specified Subnets. Copy the subnets of the regions where your resources are installed. This can be queried in the Google Cloud Console here:
-
Fill in the Advanced Settings:
- IKE Version: V2
- IKE Lifetime: 8h
- Tunnel Lifetime: 1h
- Dead Peer Detection Delay: 10s
- Dead Peer Detection Timeout: 30s
- Encryption(Phase 1): aes256
- Encryption(Phase 2): aes256
- Integrity (Phase 1): sha1
- Integrity (Phase 2): sha1
- Diffie-Hellman Groups (Phase 1): 2
- Diffie-Hellman Groups (Phase 2): 2
Configuring the routing rules to the VPC network
-
Go to the VPC Network in the Google Cloud Platform Console. Under the left menu go to Routes.
-
Select Create Route Rule and fill in the following information:
- Name: The name of the VPN gateway.
- Network: The VPC network containing the instances that the VPN gateway will serve (should be the same network as selected in the previous steps).
- Destination Network IP range: Specify 10.255.0.0/16 (or customized)
- Priority: 1000
- Next hop: Select Specify VPN Tunnel.
- Next hop VPN tunnel: Select the VPN tunnel you created in the previous steps.
- Select Create.
Allowing incoming connections from the local network using firewall rules
- Go to the VPC Network in the Google Cloud Platform Console.
-
Under the left menu go to Firewall Rules.
-
Select Create Firewall Rule and fill in the following information:
- Name: Enter a name of your choice.
- Logs: Off
- Network: The VPC network containing the instances the VPN gateway will serve (should be the same network as selected in the previous steps).
- Priority: 1000
- The direction of traffic should be Ingress.
- Action on match: allow
- Target tags: optional
- Source filter: IP Ranges
- Source IP ranges: 10.255.0.0/16 (unless customized)
- Second source filter: none
- Allowed protocols or ports: all
Was This Article Helpful?
Help us to improve our support portal