Skip to main content
A Virtual Private Cloud (VPC) uses a private network to connect directly to a network without using the public Internet. Perform the following tasks in the Google Cloud dashboard to set up a VPC connection to the KMES Series 3 and configure the KMS infrastructure:

Configure VPC

Refer to the Google documentation for how to configure a VPC in your Google Cloud account: https://cloud.google.com/vpc/docs/create-modify-vpc-networks The following steps provide a high-level outline:
1
Go to Computer Engine > VM Instance > Create VM Instance.
2
Go to Network Services > VPC Network > Create VPC Network.
  1. Enter a VPC Network name.
  2. Enter the Subnet name.
  3. Enter the Subnet Region.
3
Select VPC Network > Add Route.
  1. Enter the VPC Route name.
  2. Enter the Destination IP address.
4
Go to Network Services > Service Directory > Namespace List > Create Namespace.
  1. Select region - must match VPC Network.
  2. Enter the Namespace name.
5
Go to Network Services > Service Directory > Register Service.
  1. Select Standard.
  2. Enter the region - it should match the VPC network.
  3. Select Namespace.
  4. Enter service name.
6
Select the created Service Directory > Create Endpoint.
  1. Enter the endpoint name
  2. Enter the IP address of the KMES Series 3
  3. Enter the KMES REST API port number
  4. Select from the list and select VPC Network

Configure KMS infrastructure

Perform the following steps to configure KMS infrastructure:
1
From the main Google Cloud dashboard, enter Key Management into the search bar at the top of the page. Then, select Key Management - Security service.
2
Select [ KMS Infrastructure ].
3
Select [ Create Connection ].
4
Perform the following steps in the Create EKM via VPC connection wizard:
  1. Enter a name for the connection.
  2. Select a region for the connection. It must be the same region as the VPC network.
  3. Enter the resource ID (self link) of Service Directory service to use with this connection. The service must point to your external key manager IP address and must exist in the same region as the connection. Example: projects/futurex-ekms-test/locations/us-east1/ekmConnections/futurex-ekm-east
  4. Enter the EKM hostname. It should match the Common Name of the TLS certificate.
  5. Upload the external key manager X.509 server certificates (also known as end-entity or leaf certificates) in DER format with the .crt extension. This is the TLS certificate that is configured for the REST API connection pair on the KMES.
  6. Enter one of the following EKM management modes:
    • Manual: Manually manage key rotation from your EKM (such as KMES Series 3). This choice requires a URL for each rotation. Example: /v0/key-encrypt/external/0147E96A-77F2-0001-000A-34BE0BC561B5
    • Cloud KMS: Crypto Space where Google manages the key rotation.
    Example: /v0/key-encrypt/external/<Crypto Space Name>
  7. (Optional) Set default - uses this interface for all keys using External via VPC connection as default.