• Google Cloud

  •  

    Step Owner Description
    Preparation
    1 Customer and Verizon You must be a Verizon Private IP customer to complete this activation process. If not, a Private IP connection must be established in at least one of your location. As this component is probably the one with the longest deliverable timeframe, you should not proceed with the rest of the activation process until this step is completed.
    2 Customer and Verizon Verizon Account Team will work with you to create entitlements for Verizon Enterprise Center/Dynamic Network Manager which provides access to your Secure Cloud Interconnect service.

    This step shall be completed once the Secure Cloud Interconnect order is entered.
    3 Customer and Verizon Verizon Account Team will explain Secure Cloud Interconnect NATing.

    Please review the Secure Cloud Interconnect NAT section at the end of this document.
    4 Customer and Verizon If you have plans to use MSS Cloud Firewall as an addition to your Secure Cloud Interconnect service needs to check the section on MSS Cloud Firewall for information on how to provision that service.

    MSS Cloud Firewall has to be ordered at the same time as the Secure Cloud Interconnect port and cannot be added to an existing Secure Cloud Interconnect service.
    5 Customer and Verizon If you are using VPN to connect to the Google Cloud Platform prior to the turn-up of Secure Cloud Interconnect you will need to purchase MSS Cloud Firewall. MSS Cloud Firewall is required to terminate IPSec as well as to provide support for static NAT that is needed with the connection.
    Ordering and Provisioning
    1 Customer Create an account with Google if you do not have one already.

    Google will provide you with a Project ID
    2 Customer Select the location where the Secure Cloud Interconnect port will be provisioned.

    Note: Google operates all of its facilities as a single “domain.” so any of Google facilities can be accessed from a single Secure Cloud Interconnect port. However, more ports can be ordered for redundancy and operation reasons.

    3 Customer Provide the Google Project ID and the desired location for the Secure Cloud Interconnect port to the Verizon Account Team.
    4 Customer and Verizon Your Verizon Account Team, in consultation with you, identifies the appropriate time for activating the Secure Cloud Interconnect connection.

    IMPORTANT: Once the order is completed, the Secure Cloud Interconnect port is automatically activated and live traffic could pass between your Private IP VPN and Google. If, for some reason, the order needs to be completed but the port not activated (because you are not ready yet), your Verizon Account Team should ensure that you have access to the Dynamic Network Manager prior to the order being completed. Dynamic Network Manager can then be used to deactivate the Secure Cloud Interconnect port and re-activate it when you are ready.

    See the section on “Shutting Down the Secure Cloud Interconnect Port” at the end of this document.

    5 Verizon At the appropriate time, your Verizon Account Team places your Secure Cloud Interconnect order using your Google Project ID.

    The Project ID is entered in the “CSP Customer ID” field and the Service Key is left empty.
    6 Customer By default, the Private IP VPN entered with the Secure Cloud Interconnect order is connected to the Secure Cloud Interconnect port. If you want to add additional VPNs, use the Dynamic Network Manager to add one or more of your Private IP VPNs to the Secure Cloud Interconnect port using the Add/Remove VPN menu.

    IMPORTANT: When you add or remove Private IP VPNs to a Secure Cloud Interconnect port, ensure that the IP addresses of the Private IP VPNs don’t overlap and the total number of Private IP prefixes does not exceed the MAX number specified in the VPNs. If the total number of Private IP prefixes exceeds the MAX number specified in the VPNs, contact the Verizon Account Team and request an increase to that MAX number.

    Secure Cloud Interconnect NAT
    1 Verizon and Customer All traffic from you to Google will be source NATed by Verizon.
    3 Verizon and Customer At the Secure Cloud Interconnect provisioning time, Verizon will select a single, permanent /32 address from a 74.107.128.0/17 pool (based on the Secure Cloud Interconnect location) and assign it to you.

    The assigned address will be used to identify you with Google and can be retrieved by you or the Verizon Account Team from Dynamic Network Manager.
    MSS Cloud Firewall
    1 Verizon MSS Cloud Firewall has to be ordered at the same time as the Secure Cloud Interconnect port. MSS Cloud Firewall cannot be added to Secure Cloud Interconnect once the Secure Cloud Interconnect port is activated.
    2 Verizon and Customer Verizon would create the Secure Cloud Interconnect port but not activate the connection. The Verizon Account Team will configure the MSS Cloud Firewall instance with the Firewall rules provided by you. Once the MSS Cloud Firewall is configured, the Secure Cloud Interconnect port can be activated.
    3 Customer You have “Read” privileges to MSS Cloud Firewall. You do not have “Write” privileges. Changes to the Firewall rules have to be sent to the Verizon Account Team.
    Activation of the Secure Cloud Interconnect Port
    1 Customer or Verizon By default, the Secure Cloud Interconnect port is set to “shutdown” to prevent advertisement of all routes to Google Cloud Platform.


     

    You or your Verizon Account Team logs into Dynamic Network Manager and selects the Secure Cloud Interconnect port.
    As highlighted, click on the pen following the “Modify Admin Status” field.
    2 Verizon and Customer The following screen shot shows the page that will open once the “Modify Admin Status” pen is clicked on.


    In order to activate your service, select “no-shutdown” as shown above. Then click “Process Order.” This process will deploy within minutes. Please check the “Order History” displayed at the bottom of the Secure Cloud Interconnect Details for your order and use the refresh icon to confirm this change has deployed properly.

    Note: The Activation and/or De-Activation of the port can be done through the “New Admin Status” drop down menu.
    3 Customer The connection should now be operational.

    Verify in Dynamic Network Manager and with Google Portal that your Private IP network is connected to Google.