
Unified Access Gateway PowerShell Deployment to Google Cloud Platform

Technical Note, Unified Access Gateway 2103

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

© Copyright 2021 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 2

Contents

1 Introduction 4

2 Prepare the Windows Client Machine for PowerShell Deployment 5

3 Prepare the Environment 6

4 Upload the Unified Access Gateway Image to Google Cloud Platform 8

5 Prepare an .ini File for Deploying Unified Access Gateway to Google Cloud Platform 10

6 Deploy Unified Access Gateway to Compute Engine 18

1 Introduction

This technical note describes the steps required to prepare the Google Cloud Platform environment before creating any Unified Access Gateway instances. PowerShell commands are used to deploy Unified Access Gateway 2103 or later to Compute Engine within Google Cloud Platform.

This documentation also provides the details of the .ini file that contains the configuration settings and shows how to run the PowerShell command, which is used to deploy Unified Access Gateway to Google Cloud Platform.

These are general guidelines for deploying Unified Access Gateway on the Google Cloud Platform.

The technical note assumes that you are familiar with Google Cloud Platform and Compute Engine concepts and have the necessary permissions to create or modify resources such as images, VPC network, subnet, firewall rules, and so on in the Google Cloud project.

For information about Unified Access Gateway, see the Deploying and Configuring VMware Unified Access Gateway documentation at VMware Docs. For information about the Google Cloud Platform and Compute Engine features, see the Google Cloud Platform documentation.

2 Prepare the Windows Client Machine for PowerShell Deployment

Unified Access Gateway is deployed on the Google Cloud Platform by running commands and scripts at a Windows PowerShell command prompt. For these scripts to run, Google Cloud utilities must be installed on the Windows Client machine.

Prerequisites

Ensure that you perform the instructions listed in this section on a Windows 10 machine that has access to the .

Important: Other Windows operating systems might be supported, but the instructions documented in this section are for Windows 10.

Procedure

1 Install gsutil.

For instructions about installing the gsutil tool, see https://cloud.google.com/storage/docs/gsutil_install.

2 Open the PowerShell command window with administrative rights.

3 Run the following command:

Install-Package 7Zip4PowerShell

What to do next

Prepare the Google Cloud Platform environment.

3 Prepare the Google Cloud Platform Environment

For Unified Access Gateway deployment to Google Cloud Platform, a Google Cloud project must be used and this project must be configured with VPC networks, the corresponding subnet networks, and firewall rules.

Prerequisites

- Ensure that you are aware of the Google Cloud Platform concepts.

- Ensure that you have the necessary permissions to create or modify resources such as images, VPC network, subnet, firewall rules, and so on in the Google Cloud project.

- The Compute Engine API must be enabled.

Procedure

1 Use a Google Cloud project.

Option: New project
  a In the Google Cloud Console, navigate to the Project Selector page.
  b Create a Google Cloud project.

Option: Existing project
  If a project is already available and active, you can use the existing project.

2 Create a Virtual Private Cloud (VPC) network for each NIC.

Each NIC on the Unified Access Gateway uses a unique VPC network and subnet within that network.

If you choose not to create a VPC network, only a single NIC Unified Access Gateway can be deployed; when deployed in Compute Engine, the appliance then uses the default VPC network available in Google Cloud Platform.

For example, two VPC networks, uag-front-vpc and uag-back-vpc, are created in the Google Cloud Console. These VPC networks have uag-front-network and uag-back-network as subnets respectively. A Unified Access Gateway twonic appliance can be deployed to use these two subnets: one for front-end, Internet facing traffic and a separate subnet for back-end connections.

3 Make a note of the subnet name created.

The subnet name within a VPC network is used in the .ini file while deploying Unified Access Gateway by using PowerShell.

4 To allow TCP and UDP port access to Unified Access Gateway appliances in the Internet accessible VPC, create the required number of firewall entries.

Important: SSH remote access to Unified Access Gateway on TCP port 22 from the Internet must be carefully restricted on the firewall. If SSH access is needed, the firewall rule must allow this access from a specific source IP address only, or from a jump virtual machine in the cloud from which access can be controlled.

For example, a firewall rule named uag-horizon-protocols is created in the Google Cloud Console in the Internet facing VPC network uag-front-vpc. This firewall rule applies to all the instances connected to the uag-front-vpc network and allows inbound TCP and UDP traffic on specified ports from the public Internet.
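The VPC networks, subnets, and firewall rules from this procedure can also be created from the PowerShell prompt with gcloud. The script below is an added example and is not part of this technical note or of the VMware deployment scripts; the region, the subnet ranges, the jump host address, and the list of Horizon protocol ports are assumptions to adjust for your environment. It keeps TCP 22 reachable only from the jump host, as the Important note above requires, and enables logging on that rule so attempts show up in Cloud Logging.

```powershell
# Added example: create the two VPC networks of chapter 3 with gcloud and restrict SSH
# to a single jump host. Region, ranges, jump host address and ports are assumptions.
$region   = "us-east1"            # assumption
$jumpHost = "203.0.113.10/32"     # assumption: public IP of the jump VM (documentation range)
# Assumption: ports of the Horizon protocols proxied by Unified Access Gateway
$horizonPorts = "tcp:443,udp:443,tcp:8443,udp:8443,tcp:4172,udp:4172"

function Invoke-Gcloud {
    # Run gcloud and stop on a non-zero exit code instead of silently continuing
    param([string[]]$GcloudArgs)
    & gcloud @GcloudArgs
    if ($LASTEXITCODE -ne 0) { throw "gcloud $($GcloudArgs -join ' ') failed ($LASTEXITCODE)" }
}

# One custom-mode VPC and one subnet per NIC: front-end (Internet facing) and back-end
$networks = @(
    @{ Vpc = "uag-front-vpc"; Subnet = "uag-front-network"; Range = "10.10.0.0/24" },
    @{ Vpc = "uag-back-vpc";  Subnet = "uag-back-network";  Range = "10.20.0.0/24" }
)
foreach ($n in $networks) {
    Invoke-Gcloud @("compute", "networks", "create", $n.Vpc, "--subnet-mode=custom")
    Invoke-Gcloud @("compute", "networks", "subnets", "create", $n.Subnet,
        "--network=$($n.Vpc)", "--region=$region", "--range=$($n.Range)")
}

# Firewall rule on the Internet facing VPC: only the Horizon protocol ports, and only
# for instances carrying the https-server tag that uagdeploygce.ps1 applies by default
Invoke-Gcloud @("compute", "firewall-rules", "create", "uag-horizon-protocols",
    "--network=uag-front-vpc", "--direction=INGRESS", "--action=ALLOW",
    "--rules=$horizonPorts", "--source-ranges=0.0.0.0/0", "--target-tags=https-server")

# SSH reaches the appliance only from the jump host; rule logging records every
# connection attempt to TCP 22 in Cloud Logging for later review
Invoke-Gcloud @("compute", "firewall-rules", "create", "uag-ssh-from-jump",
    "--network=uag-front-vpc", "--direction=INGRESS", "--action=ALLOW",
    "--rules=tcp:22", "--source-ranges=$jumpHost", "--target-tags=https-server",
    "--enable-logging")
```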

4 Upload the Unified Access Gateway Image to Google Cloud Platform

To deploy a Unified Access Gateway instance to the Compute Engine, you must upload a Unified Access Gateway appliance disk image to the Google Cloud Platform.

Procedure

1 Download the Unified Access Gateway.ova image file, version 2103 or later, from the VMware Downloads page.

2 Open a PowerShell command window and run the following command to extract the .vmdk file from the previously downloaded .ova file:

expand-7zip ova-filename target-location

- ova-filename is the .ova image file that was downloaded from the VMware Downloads page in an earlier step.

- target-location is the location to which the .vmdk file is extracted.

For example: euc-unified-access-gateway-21.03.0.0-42741891_OVF10.ova is downloaded from the VMware Downloads page, where 21-03 is the version number and 42741891 is the build number.

To extract the .vmdk file to C:\temp, use the following command:

expand-7zip C:\temp\euc-unified-access-gateway-21.03.0.0-42741891_OVF10.ova C:\temp\

3 Set the following variables: image folder ($gcImageFolder), image file ($gcImageFile), bucket ($gcBucket), and image name ($gcImageName).

$gcImageFile is set to the extracted .vmdk file name; this is the file that is uploaded to the Google Cloud storage bucket.

For example:

$gcImageFolder="C:\temp"
$gcImageFile="euc-unified-access-gateway-21.03.0.0-42741891-system.vmdk"
$gcBucket="uag-appliance-images"
$gcImageName=$gcImageFile.Replace("-system.vmdk","").Replace(".", "-")
gcloud auth login
gcloud config set project "my-project"

4 Create a bucket by using the following command:

gsutil mb -l us-east1 gs://$gcBucket

Alternately, you can use an existing Google Cloud storage bucket.

5 Upload the .vmdk image to the Google Cloud storage bucket by using the following command:

gsutil cp $gcImageFolder\$gcImageFile gs://$gcBucket

6 Create the appliance image in the Compute Engine from the uploaded .vmdk by using the following command:

gcloud compute images import $gcImageName --source-file gs://$gcBucket/$gcImageFile --data-disk

Considering the example mentioned in the previous steps, the appliance image created in the Compute Engine is euc-unified-access-gateway-21-03-0-0-42741891 where 21-03 is the version number and 42741891 is the build number.
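Steps 2 to 6 of this chapter can be run as one script that adds the checks the individual commands lack: the .ova must exist, the .vmdk is located rather than hard-coded, an image that already exists is not imported twice, every gsutil and gcloud call is checked for a non-zero exit code, and the image is confirmed READY before it is referenced from an .ini file. This is an added example, not VMware's own tooling; it assumes the file and variable values from the examples above, a bucket in us-east1, and an authenticated gcloud and gsutil.

```powershell
# Added example: steps 2 to 6 with pre-checks and exit-code handling.
# Values follow the examples above; adjust $gcImageFolder and $gcBucket as needed.
$gcImageFolder = "C:\temp"
$ovaPath  = Join-Path $gcImageFolder "euc-unified-access-gateway-21.03.0.0-42741891_OVF10.ova"
$gcBucket = "uag-appliance-images"   # assumption: bucket name from the example above
$region   = "us-east1"

function Assert-LastExit([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

if (-not (Test-Path $ovaPath)) { throw "OVA not found: $ovaPath" }

# Step 2: extract, then locate the system disk instead of hard-coding its file name
Expand-7Zip -ArchiveFileName $ovaPath -TargetPath $gcImageFolder -ErrorAction Stop
$vmdk = Get-ChildItem $gcImageFolder -Filter "euc-unified-access-gateway-*-system.vmdk" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $vmdk) { throw "No -system.vmdk found in $gcImageFolder" }

# Step 3: derive the Compute Engine image name (dots are not allowed in image names)
$gcImageFile = $vmdk.Name
$gcImageName = $gcImageFile.Replace("-system.vmdk", "").Replace(".", "-")

# Skip upload and import if the image already exists; the import would otherwise fail late
& gcloud compute images describe $gcImageName --format="value(status)" 2>$null
if ($LASTEXITCODE -eq 0) { Write-Host "Image $gcImageName already exists"; return }

# Step 4: create the bucket only if missing, with uniform bucket-level access (no object ACLs)
& gsutil ls -b "gs://$gcBucket" 2>$null
if ($LASTEXITCODE -ne 0) { & gsutil mb -l $region -b on "gs://$gcBucket"; Assert-LastExit "bucket create" }

# Steps 5 and 6: upload the disk and import it as a data-disk image
& gsutil cp $vmdk.FullName "gs://$gcBucket/"
Assert-LastExit "upload"
& gcloud compute images import $gcImageName --source-file "gs://$gcBucket/$gcImageFile" --data-disk
Assert-LastExit "image import"

# Confirm the image is READY before it is used as imageName in the .ini file
$status = & gcloud compute images describe $gcImageName --format="value(status)"
if ($status -ne "READY") { throw "Image $gcImageName is in state '$status'" }
Write-Host "Imported $gcImageName from $gcImageFile"
```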

5 Prepare an .ini File for Deploying Unified Access Gateway to Google Cloud Platform

The Compute Engine PowerShell deployment script for Unified Access Gateway reads all configuration settings from a .ini configuration file. This section describes the .ini file format and shows examples of the settings that can be used for the deployment.

Most sections of the .ini file are identical to the standard .ini settings for Unified Access Gateway as supported for all the other hypervisor deployments.

For more information about the .ini file, see the Using PowerShell to Deploy the Unified Access Gateway Appliance section in the Deploying and Configuring VMware Unified Access Gateway documentation at VMware Docs.

1 In the .ini file, add a new group, [GoogleCloud], and the necessary settings specific to Google Cloud Platform.

Note: For Google Cloud Platform deployments, the following settings in the General section are not used:

- diskMode
- ds
- folder
- netInternet
- netManagementNetwork
- netmask0
- netmask1
- netmask2
- netBackendNetwork
- source
- target
- All IPv4 settings
- All IPv6 settings

The following list gives the settings (Value Name) of the [GoogleCloud] group for the Google Cloud Platform deployment, with an example for each, and indicates which of these settings are mandatory and optional.

projectId (Optional)
  Example: projectId=my-project
  The Google Cloud Platform project ID used for creating a new Unified Access Gateway instance. If the project ID is not provided, the project from the active configuration in the Cloud SDK is used.

imageName (Mandatory)
  Example: imageName=euc-unified-access-gateway-21-03-0-0-42741891
  Name of the imported appliance image in the Compute Engine from which a new instance must be created.

machineType (Optional)
  Example: machineType=e2-standard-4
  Indicates the Compute Engine machine type. The default value of machineType is e2-standard-4.
  Note: Ensure that the machineType specified is appropriate for the number of Unified Access Gateway NICs required. For example, e2-standard-2 supports onenic or twonic deployments but not threenic. For more information, see https://cloud.google.com/vpc/docs/create-use-multiple-interfaces#max-interfaces.

zone (Optional)
  Example: zone=us-central1-a
  Compute Engine zone where a new Unified Access Gateway instance is created. If the zone value is not provided, the zone from the active configuration in the Cloud SDK is used.

subnet0, subnet1, subnet2 (In a two NIC or three NIC deployment, only one of the subnet values can be optional)
  Example: subnet0=custom-subnet
  Subnet on which the eth0, eth1, and eth2 NICs of the Unified Access Gateway must be created. The value of deploymentOption determines which subnets are used:
  - If deploymentOption is set to onenic, then subnet0 is used.
  - If deploymentOption is set to twonic, subnet0 and subnet1 are used.
  - If deploymentOption is set to threenic, subnet0, subnet1, and subnet2 are used.
  If a subnet value is not provided, then the PowerShell script uses the default value for the subnet. In a two NIC or three NIC deployment, only a single subnet can use the default value.

privateIPAddress0, privateIPAddress1, privateIPAddress2 (Optional)
  Example: privateIPAddress0=10.30.11.213
  Internal IP address for the NIC. This setting can be used to attach eth0, eth1, and eth2 of the Unified Access Gateway with static internal IP addresses from Google Cloud's VPC network. If the value of privateIPAddress is not provided, Compute Engine attaches the corresponding NIC with a dynamic internal IP address. For example, consider a two NIC deployment:
  - eth0 is attached with a static internal IP address.
  - eth1 receives an internal IP address attached dynamically.
  Both IP addresses remain attached to the Unified Access Gateway instance until the instance is deleted.

publicIPAddress0, publicIPAddress1, publicIPAddress2 (Optional)
  Example: publicIPAddress0=eipalloc-027afa45f34984c87 and publicIPAddress1=no-address
  External IP address for the NIC. This setting can be used to attach eth0, eth1, and eth2 of the Unified Access Gateway with reserved external IP addresses from Google Cloud's VPC network. If the value of publicIPAddress is not provided, Compute Engine attaches the corresponding NIC with a dynamic external IP address. To prevent a NIC from attaching with an external IP address, use no-address as the value. In the example, consider a three NIC deployment:
  - eth0 is attached with a static external IP address. The static external IP address remains attached to this NIC until the instance is deleted (or the reservation is removed).
  - eth1 is not attached with any external IP address.
  - eth2 receives an external IP address attached dynamically. The external IP address is released when the instance is stopped or terminated.

labels (Optional)
  Example: labels=label0=value0,label1=value1
  Labels associated with a Unified Access Gateway instance. By default, the name=$uagName label is associated with a Unified Access Gateway instance by the PowerShell script.

tags (Optional)
  Example: tags=tag0,tag1
  Tags associated with a Unified Access Gateway instance. By default, the https-server tag is associated with the Unified Access Gateway instance by the PowerShell script.

serviceAccount (Optional)
  Example: serviceAccount=51841023978-[email protected]eaccount.com
  A service account is an identity attached to the Unified Access Gateway instance. The service account's access tokens can be accessed through the Unified Access Gateway instance metadata server and are used to authenticate applications on the instance. The account can be set using the email address corresponding to the required service account. If the service account is not provided, the Unified Access Gateway instance uses the project's default service account.

Example 1: INI File Definition for deploying Unified Access Gateway to Google Cloud Platform

[General]
name=uag1
deploymentOption=onenic
sshEnabled=true

[GoogleCloud]
projectId=my-project
imageName=euc-unified-access-gateway-21-03-0-0-42741891
zone=us-central1-a
subnet0=uag-front-network

[Horizon]
proxyDestinationUrl=https://myhorizon.example.com

Example 2: INI File Definition for deploying Unified Access Gateway to Google Cloud Platform

[General]
name=uag2
deploymentOption=twonic
sshEnabled=true
routes1=10.20.0.0/16 10.2.0.1

[GoogleCloud]
projectId=my-project
imageName=euc-unified-access-gateway-21-03-0-0-42741891
zone=us-central1-a
subnet0=uag-front-network
subnet1=uag-back-network

[Horizon]
proxyDestinationUrl=https://myhorizon.example.com
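The rules in the settings list above (imageName is mandatory, deploymentOption decides which subnets are read, only one subnet may fall back to the default in a twonic or threenic deployment, the [General] settings that Google Cloud ignores) can be checked before uagdeploygce.ps1 is run. The following pre-flight check is an added example, not part of the VMware scripts; the INI parser, the sshEnabled check and the constructed sample file are its own assumptions.

```powershell
# Added example (not VMware code): pre-flight checks of a Unified Access Gateway .ini
# file against the [GoogleCloud] rules in this chapter, before uagdeploygce.ps1 runs.
function Read-Ini {
    # Minimal INI parser: returns @{ group = @{ key = value } }; lines before a group are ignored
    param([string[]]$Lines)
    $ini = @{}; $group = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $group = $Matches[1]; $ini[$group] = @{}; continue }
        if ($group -eq '') { continue }
        $key, $value = $line -split '=', 2
        $ini[$group][$key.Trim()] = ([string]$value).Trim()
    }
    return $ini
}
function Test-UagGceIni {
    # Returns the problems found; an empty result means the file passes these checks
    param([hashtable]$Ini)
    $problems = @()
    $gen = $Ini['General']; if (-not $gen) { $gen = @{} }
    $gc = $Ini['GoogleCloud']; if (-not $gc) { return @('missing [GoogleCloud] group') }
    if (-not $gc['imageName']) { $problems += 'imageName is mandatory' }
    # [General] settings that the Google Cloud deployment ignores (see the Note above)
    foreach ($k in 'diskMode','ds','folder','netInternet','netManagementNetwork','netBackendNetwork',
                   'netmask0','netmask1','netmask2','source','target') {
        if ($gen.ContainsKey($k)) { $problems += "$k in [General] is not used for Google Cloud" }
    }
    # deploymentOption decides how many of subnet0..subnet2 are consumed
    $nicCount = @{ onenic = 1; twonic = 2; threenic = 3 }
    $option = [string]$gen['deploymentOption']
    if (-not $nicCount.ContainsKey($option)) { $problems += "unknown deploymentOption '$option'"; $option = 'onenic' }
    $nics = $nicCount[$option]
    # At most one subnet may fall back to the default in a two or three NIC deployment
    $missing = @(0..($nics - 1) | Where-Object { -not $gc["subnet$_"] }).Count
    if ($nics -gt 1 -and $missing -gt 1) { $problems += "$option allows only one subnet to use the default value" }
    # SSH enabled on an eth0 that may receive an external IP address needs the restricted TCP 22 rule
    if ($gen['sshEnabled'] -eq 'true' -and $gc['publicIPAddress0'] -ne 'no-address') {
        $problems += 'sshEnabled=true and eth0 may get an external IP address: restrict TCP 22 on the firewall'
    }
    return ,$problems
}
# Constructed sample based on Example 2 above, with deliberate mistakes
$sample = @'
[General]
name=uag2
deploymentOption=twonic
sshEnabled=true
ds=datastore1
[GoogleCloud]
imageName=euc-unified-access-gateway-21-03-0-0-42741891
subnet2=uag-back-network
'@ -split "`r?`n"
Test-UagGceIni (Read-Ini $sample) | ForEach-Object { Write-Warning $_ }
```

With the constructed sample, the check reports the unused ds setting, the twonic deployment with both subnet0 and subnet1 left at the default, and the SSH warning.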

6 Deploy Unified Access Gateway to Compute Engine

You can deploy Unified Access Gateway to Compute Engine by using the uagdeploygce.ps1 PowerShell command. This command takes all configuration settings from an .ini file and deploys an instance of Unified Access Gateway.

If any existing instance in the Compute Engine has the same name as specified in the General section of the .ini file, the PowerShell script removes the existing instance during deployment and creates a new Unified Access Gateway instance with the same name. This replacement helps while upgrading a Unified Access Gateway appliance or to redeploy the appliance with updated settings.

Procedure

1 From the VMware Downloads page for Unified Access Gateway, download the PowerShell scripts uagdeploygce.ps1 and uagdeploy.psm1 to your Windows machine.

2 Start a PowerShell command window and change the directory to the folder that contains the downloaded scripts.


3 To deploy Unified Access Gateway to the Compute Engine, perform the following:

a If you are upgrading to a later version of Unified Access Gateway, edit the .ini file to update the imageName setting to the name of the new image that was imported into the Compute Engine in one of the previous tasks.

All other configuration parameters in the .ini file must remain the same.

b Run the following command depending on whether you choose the interactive or non-interactive mode:

Mode: Interactive
  Command:
    .\uagdeploygce.ps1 <name>.ini
  <name>.ini is the name of the .ini file prepared in the earlier tasks. For example: .\uagdeploygce.ps1 uag1.ini, where uag1.ini is the filename used in the earlier tasks.

Mode: Non-Interactive
  Command:
    .\uagdeploygce.ps1 <name>.ini
    .\uagdeploygce.ps1 secret yes
  - <name>.ini is the name of the .ini file prepared in the earlier tasks.
  - If passwords are specified on the command line as shown in the command, use the Clear-History PowerShell command after deploying the Unified Access Gateway.

If you run the uagdeploygce.ps1 command again, the previous Unified Access Gateway instance and associated resources are deleted and replaced with a new instance having the same name. The new .ini file must have all the required configuration parameters so that the Unified Access Gateway appliance is ready for production on first boot.

What to do next

After Unified Access Gateway is deployed to Compute Engine and all settings are applied, the metadata used to apply the Unified Access Gateway appliance's configuration settings in Google Cloud must be removed. To remove the metadata, use the following commands as shown in the example:

$uagName="uag1"
$zone="us-central1-a"
$projectId="my-project"
gcloud compute instances remove-metadata $uagName --zone=$zone --project $projectId --keys "user-data"
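The removal of the user-data key can be wrapped in one function that also reads the instance back and confirms the key is gone, so the cleanup is not silently skipped when gcloud fails. This is an added example, not part of the VMware scripts; it assumes the JSON output of gcloud compute instances describe (metadata.items as a list of key/value objects) and the example values above, and it ends with the Clear-History call the procedure recommends when passwords were typed on the command line.

```powershell
# Added example: remove the user-data metadata after deployment and verify the removal.
function Remove-UagUserData {
    param(
        [Parameter(Mandatory)][string]$UagName,
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$ProjectId
    )
    # Same command as in the technical note; stop here if gcloud reports a failure
    & gcloud compute instances remove-metadata $UagName --zone=$Zone --project $ProjectId --keys "user-data"
    if ($LASTEXITCODE -ne 0) { throw "remove-metadata failed with exit code $LASTEXITCODE" }

    # Verify: read the instance back as JSON and look for a remaining user-data key
    $json = & gcloud compute instances describe $UagName --zone=$Zone --project $ProjectId --format=json
    if ($LASTEXITCODE -ne 0) { throw "describe failed with exit code $LASTEXITCODE" }
    $instance = ($json -join "`n") | ConvertFrom-Json
    $leftover = @($instance.metadata.items | Where-Object { $_.key -eq 'user-data' })
    if ($leftover.Count -gt 0) { throw "user-data is still present on $UagName" }
    return $true
}

Remove-UagUserData -UagName "uag1" -Zone "us-central1-a" -ProjectId "my-project"
# Passwords passed on the uagdeploygce.ps1 command line stay in the session history until cleared
Clear-History
```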