
Unified Access Gateway PowerShell Deployment to Google Cloud Platform

Technical Note
Unified Access Gateway 2103

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2021 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

1 Introduction
2 Prepare the Windows Client Machine for PowerShell Deployment
3 Prepare the Google Cloud Platform Environment
4 Upload the Unified Access Gateway Image to Google Cloud Platform
5 Prepare an .ini File for Deploying Unified Access Gateway to Google Cloud Platform
6 Deploy Unified Access Gateway to Compute Engine

1 Introduction

The technical note describes the steps required to prepare the Google Cloud Platform environment before creating any Unified Access Gateway instances. PowerShell commands are used to deploy Unified Access Gateway 2103 or later to Compute Engine within Google Cloud Platform.

This documentation also provides the details of the .ini file that contains the configuration settings and shows how to run the PowerShell command, which is used to deploy Unified Access Gateway to Google Cloud Platform.

These are general guidelines for deploying Unified Access Gateway on the Google Cloud Platform. The technical note assumes that you are familiar with Google Cloud Platform and Compute Engine concepts and have the necessary permissions to create or modify resources such as images, VPC network, subnet, firewall rules, and so on in the Google Cloud project.

For information about Unified Access Gateway, see the Deploying and Configuring VMware Unified Access Gateway documentation at VMware Docs.

For information about the Google Cloud Platform and Compute Engine features, see the Google Cloud Platform documentation.
2 Prepare the Windows Client Machine for PowerShell Deployment

Unified Access Gateway is deployed on the Google Cloud Platform by running commands and scripts at a Windows PowerShell command prompt. For these scripts to run, Google Cloud utilities must be installed on the Windows Client machine.

Prerequisites

Ensure that you perform the instructions listed in this section on a Windows 10 machine that has access to the Internet.

Important: Other Windows operating systems might be supported but the instructions documented in this section are for Windows 10.

Procedure

1 Install gsutil.
   For instructions about installing the gsutil tool, see https://cloud.google.com/storage/docs/gsutil_install.
2 Open the PowerShell command window with administrative rights.
3 Run the following command:

    Install-Package 7Zip4PowerShell

What to do next

Prepare the Google Cloud Platform environment.

3 Prepare the Google Cloud Platform Environment

For Unified Access Gateway deployment to Google Cloud Platform, a Google Cloud project must be used and this project must be configured with VPC networks, the corresponding subnet networks, and firewall rules.

Prerequisites

- Ensure that you are aware of the Google Cloud Platform concepts.
- Ensure that you have the necessary permissions to create or modify resources such as images, VPC network, subnet, firewall rules, and so on in the Google Cloud project.
- Compute Engine API must be enabled.

Procedure

1 Use a Google Cloud project.
   - New project:
     a In the Google Cloud Console, navigate to the Project Selector page.
     b Create a Google Cloud project.
   - Existing project: If a project is already available and active, you can use the existing project.
2 Create a Virtual Private Cloud (VPC) network for each NIC.
   Each NIC on the Unified Access Gateway uses a unique VPC network and subnet within that network. If you choose not to create a VPC network, only a single NIC Unified Access Gateway can be deployed.
   The Unified Access Gateway appliance when deployed in the Compute Engine uses the default VPC network available in the Google Cloud Platform.

   For example: In the following image, two VPC networks, uag-front-vpc and uag-back-vpc, are created in the Google Cloud Console. These VPC networks have uag-front-network and uag-back-network as subnets respectively. A Unified Access Gateway twonic appliance can be deployed to use these two subnets for front-end Internet facing and a separate subnet network for back-end connections.
3 Make a note of the subnet name created.
   The subnet name within a VPC network is used in the .ini file while deploying Unified Access Gateway by using PowerShell.
4 To allow TCP and UDP port access to Unified Access Gateway appliances in the Internet accessible VPC, create the required number of firewall entries.

   Important: SSH remote access to Unified Access Gateway on TCP port 22 from the Internet must be carefully restricted on the firewall. If SSH access is needed, the firewall rule must allow this access from a specific source IP address only or from a jump box virtual machine in the cloud from which access can be controlled.

   For example: In the following Google Cloud Console image, a firewall rule named uag-horizon-protocols is created in the internet facing VPC network uag-front-vpc. This firewall rule applies to all the instances connected to uag-front-vpc network and allows inbound TCP and UDP traffic on specified ports from the public internet.

4 Upload the Unified Access Gateway Image to Google Cloud Platform

To deploy a Unified Access Gateway instance to the Compute Engine, you must upload a Unified Access Gateway appliance disk image to the Google Cloud Platform.

Procedure

1 Download the Unified Access Gateway .ova image file, version 2103 or later, from the VMware Downloads page.
2 Open a PowerShell command window and run the following command to extract the .vmdk file from the previously downloaded .ova file:

    expand-7zip ova-filename target-location

   - ova-filename is the .ova image file which is downloaded from the VMware Downloads page in an earlier step.
   - target-location is the location to which the .vmdk file is extracted.

   For example: euc-unified-access-gateway-21.03.0.0-42741891_OVF10.ova is downloaded from the VMware Downloads page, where 21-03 is the version number and 42741891 is the build number. To extract the .vmdk file to C:\temp, use the following command:

    expand-7zip C:\temp\euc-unified-access-gateway-21.03.0.0-42741891_OVF10.ova C:\temp\

3 Set the following variables: image name ($gcImageName), image folder ($gcImageFolder), and image file ($gcImageFile).
   $gcImageFile is set with the extracted .vmdk file name. $gcImageFile is uploaded to the Google Cloud storage bucket.

   For example:

    $gcImageFolder="C:\temp"
    $gcImageFile="euc-unified-access-gateway-21.03.0.0-42741891-system.vmdk"
    $gcBucket="uag-appliance-images"
    $gcImageName=$gcImageFile.Replace("-system.vmdk","").Replace(".", "-")
    gcloud auth login
    gcloud config set project "my-project"

4 Create a Google Cloud storage bucket by using the following command:

    gsutil mb -l us-east1 gs://$gcBucket

   Alternatively, you can use an existing Google Cloud storage bucket.
5 Upload the .vmdk image to the Google Cloud storage bucket by using the following command:

    gsutil cp $gcImageFolder\$gcImageFile gs://$gcBucket

6 Create the appliance image in the Compute Engine from the uploaded .vmdk by using the following command:

    gcloud compute images import $gcImageName --source-file gs://$gcBucket/$gcImageFile --data-disk

   Considering the example mentioned in the previous steps, the appliance image created in the Compute Engine is euc-unified-access-gateway-21-03-0-0-42741891 where 21-03 is the version number and 42741891 is the build number.

5 Prepare an .ini File for Deploying Unified Access Gateway to Google Cloud Platform

The Compute Engine PowerShell deployment script for Unified Access Gateway reads all configuration settings from a .ini configuration file. This section describes the .ini file format and shows examples of the settings that can be used for the deployment.

Most sections of the .ini file are identical to the standard .ini settings for Unified Access Gateway as supported for all the other hypervisor deployments. For more information about the .ini file, see the Using PowerShell to Deploy the Unified Access Gateway Appliance section in the Deploying and Configuring VMware Unified Access Gateway documentation at VMware Docs.

1 In the .ini file, add a new group, [GoogleCloud], and the necessary settings specific to Google Cloud Platform.

   Note: For Google Cloud Platform deployments, the following settings in the General section are not used:

   - diskMode
   - ds
   - folder
   - netInternet
   - netManagementNetwork
   - netmask0
   - netmask1
   - netmask2
   - netBackendNetwork
   - source
   - target
   - All IPv4 settings
   - All IPv6 settings

The following table lists the settings (Value Name) that are required for the Google Cloud Platform deployment. The table also includes examples and indicates which of these settings are mandatory and optional.
| Group | Value Name | Example | Description | Mandatory/Optional |
|---|---|---|---|---|
| [GoogleCloud] | projectId | projectId=my-project | The Google Cloud Platform project ID used for creating a new Unified Access Gateway instance. If the project ID is not provided, the project from active configuration in the Cloud SDK is used. | Optional |
| | imageName | imageName=euc-unified-access-gateway-21-03-0-0-42741891 | Name of the imported appliance image in the Compute Engine from which a new instance must be created. | Mandatory |
| | machineType | machineType=e2-standard-4 | Indicates the Compute Engine machine type. Default value of machineType is e2-standard-4. Note: Ensure that the machineType specified is appropriate for the number of Unified Access Gateway NICs required. | Optional |
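
A pre-flight check for the .ini rules described in this section, as an added example that is not part of the technical note or of VMware's deployment script. The function name Test-UagGcpIni and the sample file content are hypothetical; the name pattern is the Compute Engine resource-name rule, which is why the earlier step replaces the dots in the .vmdk file name.

```powershell
# Added example, not VMware's deployment script. Test-UagGcpIni is a hypothetical helper.
function Test-UagGcpIni {
    param([string[]]$Lines)
    # [General] keys the note lists as not used for Google Cloud Platform. All IPv4/IPv6
    # settings are also unused; the note does not name them, so they are not checked here.
    $unused = 'diskMode','ds','folder','netInternet','netManagementNetwork',
              'netmask0','netmask1','netmask2','netBackendNetwork','source','target'

    # Minimal .ini parse: [group] headers and key=value pairs; # and ; start comments.
    $ini = @{}; $group = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^[#;]') { continue }
        if ($line -match '^\[(.+)\]$') {
            $group = $Matches[1].Trim()
            if (-not $ini.ContainsKey($group)) { $ini[$group] = @{} }
        } elseif ($null -ne $group -and $line -match '^([^=]+)=(.*)$') {
            $ini[$group][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $findings = @()
    $gc = $ini['GoogleCloud']
    if ($null -eq $gc) {
        $findings += 'ERROR: [GoogleCloud] group is missing'
    } elseif (-not $gc['imageName']) {
        $findings += 'ERROR: [GoogleCloud] imageName is mandatory'
    } elseif ($gc['imageName'] -cnotmatch '^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$') {
        # Compute Engine names: lowercase letters, digits, hyphens, at most 63 characters.
        $findings += "ERROR: imageName '$($gc['imageName'])' is not a valid Compute Engine image name"
    }
    $general = $ini['General']
    if ($null -ne $general) {
        foreach ($key in $unused) {
            if ($general.ContainsKey($key)) { $findings += "WARN: [General] $key is not used on Google Cloud Platform" }
        }
    }
    return $findings
}

# Constructed sample: the imageName still carries the dots of the .vmdk file name.
$sample = @'
[General]
name=uag1
netmask0=255.255.255.0
[GoogleCloud]
projectId=my-project
imageName=euc-unified-access-gateway-21.03.0.0-42741891
'@ -split '\r?\n'
Test-UagGcpIni -Lines $sample
```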
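
For the SSH restriction required in the firewall step of "Prepare the Google Cloud Platform Environment", the following added example (not part of the technical note) lists ingress rules that open a TCP port to any source. Find-InternetOpenPort, the rule names other than uag-horizon-protocols, the port values, and the address 203.0.113.10 are assumptions made for illustration; the JSON is constructed and reduced to the fields the check reads.

```powershell
# Added example, not VMware's code. Find-InternetOpenPort is a hypothetical helper.
function Find-InternetOpenPort {
    param([string]$Json, [int]$Port = 22)
    $anySource = '0.0.0.0/0', '::/0'
    foreach ($rule in ($Json | ConvertFrom-Json)) {
        if ($rule.direction -ne 'INGRESS' -or $rule.disabled) { continue }
        if (-not ($rule.sourceRanges | Where-Object { $anySource -contains $_ })) { continue }
        foreach ($allow in $rule.allowed) {
            if (@('tcp', 'all') -notcontains $allow.IPProtocol) { continue }
            $hit = ($null -eq $allow.ports)          # no port list: every port is allowed
            foreach ($p in $allow.ports) {
                $lo, $hi = $p -split '-'             # "22" or a range such as "20-25"
                if (-not $hi) { $hi = $lo }
                if ([int]$lo -le $Port -and $Port -le [int]$hi) { $hit = $true }
            }
            if ($hit) { $rule.name; break }          # emit the offending rule name once
        }
    }
}

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
$sample = @'
[
  {"name": "uag-horizon-protocols", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}, {"IPProtocol": "udp", "ports": ["443"]}]},
  {"name": "uag-ssh-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
  {"name": "uag-ssh-jumpbox", "direction": "INGRESS", "sourceRanges": ["203.0.113.10/32"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]
'@
Find-InternetOpenPort -Json $sample -Port 22

# Live use: Find-InternetOpenPort -Json (gcloud compute firewall-rules list --format=json | Out-String)
# A restricted rule, with 203.0.113.10 standing in for the administrator's source address:
# gcloud compute firewall-rules create uag-ssh-jumpbox --network=uag-front-vpc `
#   --direction=INGRESS --allow=tcp:22 --source-ranges=203.0.113.10/32
```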