NCC Gateway setup overview

This page gives you an overview of the steps required to set up NCC Gateway.

Before you begin the setup process for NCC Gateway, familiarize yourself with the following resources:

As part of the NCC Gateway setup process, you must complete several tasks. Depending on your configuration, the way that you complete these tasks can vary significantly. The following set up instructions use a four spoke group hybrid inspection topology.

Set up NCC Gateway for new users

If you want to set up NCC Gateway no pre-existing connectivity, do the following:

Create a hub.

You first create an NCC hub to which you can attach NCC Gateway spokes. The hub can use any of the preset connectivity topologies.
Create an NCC Gateway spoke.

You must create an NCC Gateway spoke and attach it to the hub that you created.
Connect the Secure Access Connect attachment to NCC Gateway.

The Secure Access Connect attachment lets you connect NCC Gateway with third-party Security Service Edge (SSE) products.

NCC Gateway supports connections to the following SSE products:
- Palo Alto Networks Prisma Access
- Symantec Cloud Secure Web Gateway (Cloud SWG) (Preview)
To complete this step, you must already have an account with the provider.
Add VLAN attachments to the NCC Gateway spoke.

Your Google Cloud and on-premises environment or other cloud environments must be connected through hybrid connectivity by using Cloud Interconnect VLAN attachments with Cloud Router.
Create and manage NCC Gateway advertised routes.

Each NCC Gateway advertised route that you create is installed in the route tables of the NCC hub to which the NCC Gateway spoke is connected. The gateway itself is the next hop for each route that it advertises.

Note: When you configure a gateway advertised route in the gateway spoke, this route is not propagated to the NCC hub route table until there is an active SSE gateway.

Add regions

If you want to add NCC Gateway spokes and VLAN attachments in other regions, repeat steps 2-5 in the NCC Gateway setup. Adding more connections is optional.

Manage NCC Gateway

After you have configured NCC Gateway, you can manage the gateway. See the following resources for instructions.

Hubs

Spokes

Update the NCC Gateway spoke's capacity

Advertised routes

Create and manage NCC Gateway advertised routes

Cloud Routers

You can't change the NCC Gateway linked with the Cloud Router. However, you can change the custom route advertisements. For detailed information about Cloud Router advertised routes, see Advertised routes.

View gateway spoke routes

To verify the routing path in the gateway, you can view gateway spoke route tables to see how traffic enters and leaves a gateway and where a packet is routed.

Console

In the Google Cloud console, go to the Network Connectivity Center page.

Go to Network Connectivity Center
In the project menu, select a project.
On the Hub tab, select the hub. All the spokes attached to that hub are listed.
To view details for a specific NCC Gateway spoke, select a spoke to view the Spoke details page.
To view the gateway route table, on the Spoke details page, click the Gateway spoke routes tab.
Specify the following two filters:
- Gateway interface: Choose from one of the following gateway interface options:
  - Hybrid attachments
  - Other gateway spokes
  - Secure Access Connect attachment sac-name, where sac-name is the name of the Secure Access Connect attachment used by the NCC Gateway
  - Hub hub-name, where hub-name is the name of the NCC Gateway spoke's hub
- Direction: You can choose one of the following options:
  - For learned routes, choose Ingress
  - For advertised routes, choose Egress
Click View.

Monitoring

View logs and metrics

What's next?

To learn about NCC Gateway, see NCC Gateway overview.
To learn how to configure NCC Gateway, see NCC Gateway setup overview.
To learn how to configure Secure Access Connect, see Create a realm
To find solutions for common issues, see Troubleshoot NCC.
To get details about API and gcloud CLI commands, see APIs and reference.