Google Cloud (GCP) – Set up an Airwall Gateway

To set up an Airwall Gateway in Google Cloud Platform (GCP), complete the following steps.

Set up Google Cloud as a cloud provider

  1. Download a JSON key from your Google Cloud account. For assistance, see Google Cloud help: https://cloud.google.com/iam/docs/creating-managing-service-account-keys.
    Note: Save the key file somewhere you can access it easily. You will need the information in this file when configuring the Google Cloud provider in the Conductor.
  2. Log in to your Conductor, and click the gear icon in the upper right to open Settings.
  3. On the Cloud providers tab, select Add cloud provider.
  4. Select Google Cloud, and then Next.
  5. Fill in the Google project ID, Client email, and Private key fields with the corresponding information from the key file you downloaded.


  6. The Google Cloud route injection setting determines how new routes are added to the Google Cloud routing table. The routes are for traffic on your protected overlay network between protected devices and the Airwall Gateway. Here are the recommended settings depending on your deployment details:
    • If you are using an Airwall Relay, or want to manage routes on your own, set to Disabled.
      Important: If your Airwall's subnet has a route table with existing or planned future routes, then do not set route injection to Individual traffic or All traffic. This removes these existing and future routes from the route table, retaining only routes created by Conductor.
    • If you want to handle traffic for devices individually, set to Individual traffic.
    • If you want one route to send all traffic to the overlay port on the Airwall Gateway, set to All traffic.
      Note: All traffic is effectively ‘full tunnel’ mode. With Individual traffic, you could add routes that send traffic around the Airwall Gateway.
  7. Click Finish.
Note: If you need more information about Google Cloud Service Accounts, see https://cloud.google.com/iam/docs/creating-managing-service-accounts.
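
The following is an added example, not part of the original page or of Tempered's tooling: a check to run on the downloaded key file before copying its values into the three Conductor fields from step 5. It assumes the standard service account key JSON field names (project_id, client_email, private_key); the sample key is constructed and its values are placeholders.

```python
import json
import os
import stat
import tempfile

# Constructed sample using the field names of a downloaded key file.
# All values are placeholders, not real credentials.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "airwall@example-project.iam.gserviceaccount.com",
}

# Conductor form field -> key in the JSON file
FIELD_MAP = {"Google project ID": "project_id", "Client email": "client_email",
             "Private key": "private_key"}

def conductor_fields(path):
    """Return (fields, warnings) for the key file at path; raise ValueError if unusable."""
    warnings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        warnings.append(f"{path} has mode {mode:o}; restrict it to the owner (chmod 600)")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    missing = [name for name in FIELD_MAP.values() if not key.get(name)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM block")
    if not key["client_email"].endswith(".gserviceaccount.com"):
        warnings.append("client_email does not look like a service account address")
    return {field: key[name] for field, name in FIELD_MAP.items()}, warnings

def demo():
    """Write the constructed sample to an owner-only temp file and parse it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_KEY, fh)
        return conductor_fields(path)

if __name__ == "__main__":
    fields, warnings = demo()
    print(fields["Google project ID"], fields["Client email"], warnings)
```

The private key is returned but never printed, so it does not end up in terminal scrollback or logs.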

Add an Airwall Gateway from the Conductor

You must Set up Google Cloud as a cloud provider before you can add an Airwall Gateway in the Conductor.

  1. On the Airwalls page (or on the Cloud providers tab in Conductor Settings), click New cloud Airwall, and select Google Cloud Airwall.
  2. In v2.2.8 and later, select Create stand-alone Airwall gateway, and then Next.
  3. In v2.2.8 and later, if you want to use a template to create the Airwall Gateway, select the template, select Next, and then give the Airwall Gateway a descriptive name. You can then skip to the next step.
    To continue without a template and enter the information manually, just select Next.
    1. If you are filling in information manually, or want to change the template, fill in the Name and Image and network options for this Airwall Gateway. For Machine type, the default typically works. You can select a different size if needed for your purposes.
    2. Under Airwall gateway image ID, pick the Airwall Gateway image you want to use. The list shows the Airwall Gateway images available on your cloud provider.
    3. If you do not have a pre-configured virtual network, you need to create a new network. Click Create new network and fill in the form:
      • Network CIDR – Enter an available network address and subnet mask in CIDR notation.
      • Public subnet CIDR – Must be a subnet of the main network. Traffic flows between the underlay interface of the Airwall Gateway and the Public IP address object in Azure.
      • Protected subnet CIDR – Must be a subnet of the main network. Traffic must pass through the Airwall Gateway or through manually-crafted routes.

      When you’re finished entering the information, select Create network, and when processing is complete, select Back.



    4. Back on the Create cloud Airwall page, select the network and public and protected subnets you just created.
  4. Check the summary and if everything is correct, select Create cloud Airwall.
  5. Select Finish. It may take up to 5 minutes for Google Cloud to complete creating the Airwall Gateway.

You’ve finished creating a Google Cloud Airwall Gateway, and now need to provision, license, and configure it. For help, see Provision and License Airwall Edge Services and Configure Airwall Edge Service Settings.
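
The following is an added example, not part of the original page: a pre-check for the three values entered in the Create new network form (Network CIDR, Public subnet CIDR, Protected subnet CIDR). It enforces the rule stated above that both subnets lie inside the main network, and additionally assumes the public and protected subnets must not overlap; the function name and sample addresses are constructed.

```python
import ipaddress

def check_network_plan(network_cidr, public_cidr, protected_cidr):
    """Return a list of problems with the three form values; empty means consistent."""
    entries = (
        ("Network CIDR", network_cidr),
        ("Public subnet CIDR", public_cidr),
        ("Protected subnet CIDR", protected_cidr),
    )
    parsed, problems = {}, []
    for label, cidr in entries:
        try:
            # strict=True rejects values with host bits set, such as 10.0.1.5/24
            parsed[label] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    if problems:
        return problems

    net = parsed["Network CIDR"]
    subnets = [(label, parsed[label]) for label, _ in entries[1:]]
    for label, sub in subnets:
        # The page's rule: each subnet must be a subnet of the main network.
        if sub.version != net.version or not sub.subnet_of(net):
            problems.append(f"{label}: {sub} is not inside {net}")
    (_, pub), (_, prot) = subnets
    # Added check (assumption, not stated on the page): the two subnets are disjoint.
    if pub.version == prot.version and pub.overlaps(prot):
        problems.append(f"Public subnet {pub} overlaps protected subnet {prot}")
    return problems

# Constructed sample plans; the addresses are illustrative only.
SAMPLE_PLANS = {
    "consistent": ("10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24"),
    "public outside network": ("10.0.0.0/16", "10.1.1.0/24", "10.0.2.0/24"),
    "subnets overlap": ("10.0.0.0/16", "10.0.0.0/23", "10.0.1.0/24"),
}

if __name__ == "__main__":
    for name, plan in SAMPLE_PLANS.items():
        print(name, check_network_plan(*plan) or "ok")
```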

Add an Airwall Gateway from GCP marketplace

To set up an Airwall Gateway in Google Cloud Platform (GCP) from GCP marketplace, complete the following steps.
  1. Go to the External IP addresses page. Click Reserve External Static Address.
  2. Specify the Name and select the Region where your instance is going to be deployed. Click Reserve.


  3. Go to the Tempered Airwall Gateway marketplace page.


  4. Click Launch.
  5. Specify the Deployment name. Select Zone and Machine type.


  6. Select Network and Subnetwork for your shared network interface. Choose the static external IP address that you created in step 2.
    Note: Selecting None results in the instance having no external internet access.


  7. Select Network and Subnetwork for your protected network interface. Choose None for External IP.


  8. Specify the Source IP ranges for UDP port 10500 and ICMP traffic. Enter the Conductor IP Address. Click Deploy.