Deploy a Conductor on the Google Cloud Platform (GCP)

You can deploy an Airwall Conductor on GCP and manage physical, virtual, and cloud Airwall Edge Services, and Airwall Agents. Use the following steps to deploy on the Google Cloud platform.


To get started, make sure you have access to your Google Cloud account. If you do not have an account, you can create a free Google Cloud account and upgrade it to a full account later. If you have an existing Google Cloud account, make sure your billing information is set up. You cannot create a project until you are able to link your billing information to your newly created project.

Note: You should be familiar with using Google Cloud before attempting to deploy a Tempered Conductor or Airwall Gateway on the platform. To get started, we recommend you review the following content offered by Google:

A Conductor license voucher is necessary at the end of this procedure if you want to start the Conductor and verify it is set up correctly. Fulfillment will provide this to you in an email after your purchase is complete.

Log in to Google Cloud

From a Web browser, navigate to You will see one of two pages, the Getting Started page if you have no projects or the Home page if you have existing projects.

Create and configure a project

A Google Cloud project organizes all of your resources into a logical group for easier management. You will add the Tempered Conductor to a new or existing project, so you need to have a project created before you deploy the Conductor.
Note: If you are adding the Conductor to an existing project, you can skip step 2 and proceed directly to step 3 in this document.
  1. On the top bar of the Google Cloud page, click Select a project.

  2. On the upper-right corner of the Select a project dialog, click New Project.

  3. In the Project Name field, enter a name for your new project. By default, your new project is assigned a default ID, which you can change by clicking Edit to the right of the Project ID field.
  4. Optional: If you want to add your project to an organization you have already created, select it in the Location field by clicking Browse to the right. For more information about organizations, see Quickstart Using Organizations in the Google Cloud documentation.

  5. Once you are finished, click Create.
It will take a moment to set up your project. A notification window will indicate when the operation is complete. You can then select Home in the Google Cloud sidebar to access your dashboard.

Set up firewall rules

GCP firewall rules will manage the traffic coming into your instance on a network. By default, you have a network with a default set of firewall rules for your region, and you will need to make a few changes to set up your environment so the Conductor can function correctly.

Note: This step assumes you are using the default network for your region. If you would like to create a separate virtual private cloud (VPC) network, please review the topic Virtual Private Cloud (VPC) Network Overview in the Google Cloud documentation.

To set up firewall rules:

  1. In the Google Cloud sidebar, navigate to the Networking section, hover over VPC network, and select Firewall rules.

  2. Click Create Firewall Rule.

  3. Fill in the Create firewall rule page with the following information:
    Name
    You can use any name you choose, but it must be lowercase with no spaces.
    Description
    This can be anything you like. We recommend something descriptive such as Firewall access rules for Tempered Conductor.
    Network
    Select default from the drop-down unless you are using a different network.
    Direction of traffic
    Select the Ingress radio button.
    Action on match
    Select the Allow radio button.
    Targets
    Select Specific target tags from the drop-down.
    Target tags
    Enter tempered-conductor-rules.
    Note: Remember this tag. You will need it later in this procedure.
    Source filter
    Select IP ranges from the drop-down.
    Source IP ranges
    Protocols and ports
    Select the Specified protocols and ports radio button and enter 443,8096.

    Note: Do not check the box next to tcp and then select the field to enter your ports – the box will revert to unchecked and disable both fields. Click only on the field to enter your ports.

    Leave all other fields as is.

    Your page should look similar to the image below:

  4. Click Create. It will take a moment to finish the operation. Once complete, you should see the following in your rules list:
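To confirm what actually reaches the tagged instance, the following added example (not part of the original Tempered documentation) audits a JSON export of the project's firewall rules, as produced by gcloud compute firewall-rules list --format=json, against the tag and ports used in this procedure. The sample rules, their names, and the source range are constructed, and the export is assumed to cover only the network the Conductor is on.

```python
import json

# Values from the procedure above: the target tag and the two TCP ports.
CONDUCTOR_TAG = "tempered-conductor-rules"
EXPECTED = {"tcp:443", "tcp:8096"}

# Constructed sample in the shape of
# `gcloud compute firewall-rules list --format=json`
# (rule names and the source range are made up for this example).
SAMPLE_RULES = json.loads("""
[
 {"name": "conductor-access", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["203.0.113.0/24"],
  "targetTags": ["tempered-conductor-rules"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443", "8096"]}]},
 {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "web-tier", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}
]
""")

def reaches_conductor(rule):
    """True for an enabled ingress allow rule that applies to the tagged instance."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled") or not rule.get("allowed"):
        return False
    tags = rule.get("targetTags")
    accounts = rule.get("targetServiceAccounts")
    # A rule with no target tags and no target service accounts applies to
    # every instance on the network, including the Conductor.
    return CONDUCTOR_TAG in (tags or []) or not (tags or accounts)

def opened(rule):
    """Set of 'proto:port' strings the rule allows; port ranges are kept verbatim."""
    return {f"{entry['IPProtocol']}:{port}"
            for entry in rule["allowed"]
            for port in (entry.get("ports") or ["all"])}

def audit(rules):
    """Report expected ports that no rule opens, and extra ports each rule exposes."""
    live = [r for r in rules if reaches_conductor(r)]
    seen = set().union(*(opened(r) for r in live))
    extra = {r["name"]: sorted(opened(r) - EXPECTED) for r in live if opened(r) - EXPECTED}
    return {"missing": sorted(EXPECTED - seen), "unexpected": extra}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RULES), indent=2))
```

On the default network, rules without target tags apply to every instance, so they are reported under unexpected even though they do not carry the Conductor tag.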

Add a Conductor Image

Add a Conductor image to create an instance in your Google Cloud project.

To add an image:

  1. In the Google Cloud sidebar, navigate to the Compute section, hover over Compute Engine, and select Images.

  2. Click Create Image.

  3. Fill in the Create an image page with the following information:
    Name
    Enter conductor-r216-1144.
    Description
    Enter Tempered Conductor version 2.1.6.
    Source
    Select Cloud Storage file from the drop-down.
    Cloud Storage File
    Enter tempered-image-storage/conductor-r216-1144.tar.gz.

    You can leave all other fields as they are.

  4. Click Create. It will take a moment to finish the operation.

    Once complete, you should see the following in your images list:

    Note: If you have multiple projects, make sure the image is associated with your desired project, listed in the Created by column.

Create a Conductor Instance

The Conductor image can now be used to create a virtual machine instance. The image supplied by Tempered contains the Conductor and is relatively small in size. Configuration information and storage require a second hard disk, which you will set up as part of the instructions below. This image must be a minimum of 120 GB.

To create a Conductor instance:

  1. Select the image in the list by clicking on its name. Of the options available, select Create Instance.

  2. Fill in the Create an instance page with the following information:

    Name
    Enter a name of your choice, but it must be lower case and without spaces.
    Region
    Select the region of your choice from the drop-down.
    Zone
    Select the zone of your choice from the drop-down.

    You can leave all other fields as is.

  3. Click Management, security, disks, networking, sole tenancy.
  4. On the Disks tab, leave all settings as is and click + Add new disk.

  5. In the New disk dialog enter the following:

    You can leave this field as disk 1, otherwise enter a name of your choice.


    Select Standard persistent disk from the drop-down.

    Source type

    Select Blank disk.

    Deletion rule

    Select the Delete disk radio button.

    Size (GB)

    Enter the value 200.

    You can leave all other settings as is.

  6. Click Done. The dialog will close, and you should see the following:

  7. Click the Networking tab to the right of the Disk tab and enter the tag name you created for your firewall rules in step 3 of Set up firewall rules (tempered-conductor-rules).

  8. Click Create. It will take a moment to finish the operation. Once complete, you should see the following:

    Note: The External IP for your instance is the address you will use to connect to the Conductor.

Verify, Configure, Provision, and License a Cloud Conductor

At this point the Conductor instance is running in your cloud provider.
To verify, paste your Conductor IP into a browser window. It should show you the Initial Conductor Configuration page. To log in, configure, and license your Conductor, see Log in and Configure the Conductor.
Note: In v2.2.8 and earlier, it shows the Provisioning page. See License and Provision a Conductor (v2.2.8 and earlier).

It may take several minutes for the Conductor to become available after it starts, so if you attempt to access it and your browser appears to stop responding, please try again in a few minutes.

Here are the default passwords for cloud Conductors. You are prompted to change the password as soon as you log in:
  • Alibaba Cloud – Tnw-<instanceID>
  • Amazon Web Services – Tnw-<instanceID>
  • Microsoft Azure – Tnw-<privateIpOfPublicNic>
  • Google Cloud – Tnw-<instanceID>
Note: In Microsoft Azure, if you do not see a password on the Azure Outputs page next to conductorPassword, it is likely you are not using the Managed image.
Note: When running the Conductor for the first time, you may receive notifications indicating the connection is not private. Once you have finished configuring the Conductor, you can install a custom certificate on the Conductor that prevents these notifications in the future.
For more information, see:

Additional Information

Once your Conductor is installed, you can configure and manage it as you would a physical Conductor. See Configure a Conductor. For additional help, you can search Airwall help by using the search bar at the top of the page or the navigation links to the left.