Appendix: Configure Google VPC and KMS infrastructure
A virtual private cloud (VPC) uses a private network to connect directly to another network without using the public internet. Perform the following tasks in the Google Cloud dashboard to set up a VPC connection to the KMES Series 3 and to configure the KMS infrastructure.

Configure VPC

Refer to the Google documentation for how to configure a VPC in your Google Cloud account: https://cloud.google.com/vpc/docs/create-modify-vpc-networks. The following steps provide a high-level outline:

1. Go to Compute Engine > VM instances > Create VM instance.
2. Go to Network Services > VPC network > Create VPC network.
   a. Enter a VPC network name.
   b. Enter the subnet name.
   c. Enter the subnet region.
3. Select the created VPC network > Add route.
   a. Enter the VPC route name.
   b. Enter the destination IP address.
4. Go to Network Services > Service Directory > Namespace list > Create namespace.
   a. Select the region. It must match the region of the VPC network.
   b. Enter the namespace name.
5. Go to Network Services > Service Directory > Register service.
   a. Select Standard.
   b. Enter the region. It should be the same as the region of the VPC network.
   c. Select the namespace.
   d. Enter the service name.
6. Select the created Service Directory service > Create endpoint.
   a. Enter the endpoint name.
   b. Enter the IP address of the KMES Series 3.
   c. Enter the KMES REST API port number.
   d. Select Choose from list.
   e. Select the VPC network.

Configure KMS infrastructure

1. From the main Google Cloud dashboard, enter "key management" into the search bar at the top of the page. Then select Key Management Security Service.
2. Select [ KMS infrastructure ].
3. Select [ Create connection ].
4. Perform the following steps in the Create EKM via VPC connection wizard:
   a. Enter a name for the connection.
   b. Select a region for the connection. It must be the same region as the VPC network.
   c. Enter the resource ID (self link) of the Service Directory service to use with this connection. The service must point to your external key manager IP address and must exist in the same region as the connection. Example: projects/futurex-ekms-test/locations/us-east1/ekmconnections/futurex-ekm-east. Note that this example is formatted as the resource name of the EKM connection itself; the self link of a Service Directory service has the form projects/PROJECT/locations/REGION/namespaces/NAMESPACE/services/SERVICE.
   d. Enter the EKM hostname. It must match the common name (CN) of the TLS certificate, because Google Cloud validates the KMES server certificate against both the uploaded certificate and this hostname.
   e. Upload the external key manager X.509 server certificate (also known as the end-entity or leaf certificate) in DER format with the .crt extension. This is the TLS certificate configured for the REST API connection pair on the KMES. Because the leaf certificate is pinned here, rotating the KMES REST API certificate requires updating the EKM connection before the old certificate expires; otherwise Cloud KMS calls that use this connection fail.
   f. Select one of the following EKM management modes:
      - Manual: manually manage key rotation from your EKM (such as the KMES Series 3). This choice requires a key URI for each rotation. Example: /v0/key-encrypt/external/0147e96a-77f2-0001-000a-34be0bc561b5
      - Cloud KMS crypto space: Google manages the key rotation. Example: /v0/key-encrypt/external/<crypto-space-name>
   g. (Optional) Set default: uses this connection for all keys that use External via VPC connection as the default.
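The same setup can be scripted with gcloud instead of clicking through the console. The script below is an added example, not Futurex's or Google's own code: every name in it (project ID and number, region, network, namespace, service, endpoint, connection, the KMES address and port, the certificate path) is a placeholder assumption that must be replaced with your own values. It creates the VPC network and subnet, the Service Directory namespace, service and endpoint pointing at the KMES REST API, and the EKM connection in manual key-management mode. The VM instance and the static route from the procedure above are deliberately left out, because the route's next hop depends on how your VPC reaches the KMES (VPN, Interconnect, or a VM in the subnet), which the procedure does not specify. Before creating the connection it checks the two things the wizard is strictest about: that the certificate file really is DER (a PEM file is the usual mistake) and that its CN equals the hostname. The script runs in dry-run mode and only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not part of the Futurex or Google documentation): script the
# VPC -> Service Directory -> EKM connection setup with gcloud.
# All values below are placeholder assumptions; override them via the environment.
PROJECT_ID="${PROJECT_ID:-futurex-ekms-test}"        # assumed project ID
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"      # assumed; the endpoint --network flag wants the number
REGION="${REGION:-us-east1}"                          # VPC subnet, namespace, service and connection share it
NETWORK="${NETWORK:-ekm-vpc}"
SUBNET="${SUBNET:-ekm-subnet}"
SUBNET_RANGE="${SUBNET_RANGE:-10.10.0.0/24}"
KMES_IP="${KMES_IP:-10.10.0.50}"                      # assumed KMES Series 3 address
KMES_PORT="${KMES_PORT:-443}"                         # the KMES REST API port
NAMESPACE="${NAMESPACE:-ekm-ns}"
SERVICE="${SERVICE:-kmes-rest}"
ENDPOINT="${ENDPOINT:-kmes-1}"
EKM_CONNECTION="${EKM_CONNECTION:-futurex-ekm-east}"
EKM_HOSTNAME="${EKM_HOSTNAME:-kmes.example.internal}" # must equal the leaf certificate CN
LEAF_CERT_DER="${LEAF_CERT_DER:-kmes-leaf.crt}"       # DER-encoded REST API leaf certificate
DRY_RUN="${DRY_RUN:-1}"                               # 1 = print commands only

# Self link the "Create EKM via VPC connection" wizard asks for: the Service
# Directory service, not the EKM connection itself.
sd_service_resource() {
  printf 'projects/%s/locations/%s/namespaces/%s/services/%s\n' \
    "$PROJECT_ID" "$REGION" "$NAMESPACE" "$SERVICE"
}

# Network reference expected by `gcloud service-directory endpoints create`
# (project number, "global" location).
vpc_network_resource() {
  printf 'projects/%s/locations/global/networks/%s\n' "$PROJECT_NUMBER" "$NETWORK"
}

# DER certificates begin with the ASN.1 SEQUENCE tag 0x30; PEM begins with "-----".
# Returns 0 for DER, 1 for anything else (including a missing file).
is_der_certificate() {
  [ -f "$1" ] || return 1
  first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
  [ "$first" = "30" ]
}

# Compare the certificate CN with the hostname Google will validate against.
# RFC2253 output gives "subject=CN=host,..." regardless of openssl version.
cert_cn_matches_hostname() {
  openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 \
    | grep -q "CN=$2\(,\|\$\)"
}

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

main() {
  if [ "$DRY_RUN" != "1" ]; then
    is_der_certificate "$LEAF_CERT_DER" || {
      echo "$LEAF_CERT_DER is not DER; convert with:" >&2
      echo "  openssl x509 -in cert.pem -outform DER -out $LEAF_CERT_DER" >&2
      return 1
    }
    cert_cn_matches_hostname "$LEAF_CERT_DER" "$EKM_HOSTNAME" || {
      echo "certificate CN does not match EKM hostname $EKM_HOSTNAME" >&2
      return 1
    }
  fi
  run gcloud compute networks create "$NETWORK" --project="$PROJECT_ID" --subnet-mode=custom
  run gcloud compute networks subnets create "$SUBNET" --project="$PROJECT_ID" \
    --network="$NETWORK" --region="$REGION" --range="$SUBNET_RANGE"
  run gcloud service-directory namespaces create "$NAMESPACE" \
    --project="$PROJECT_ID" --location="$REGION"
  run gcloud service-directory services create "$SERVICE" \
    --project="$PROJECT_ID" --location="$REGION" --namespace="$NAMESPACE"
  run gcloud service-directory endpoints create "$ENDPOINT" \
    --project="$PROJECT_ID" --location="$REGION" --namespace="$NAMESPACE" \
    --service="$SERVICE" --address="$KMES_IP" --port="$KMES_PORT" \
    --network="$(vpc_network_resource)"
  # Manual key-management mode is the default for ekm-connections create; the
  # Cloud KMS crypto space mode is assumed to be selected with
  # --key-management-mode=cloud-kms --crypto-space-path=<crypto-space-name>.
  run gcloud kms ekm-connections create "$EKM_CONNECTION" \
    --project="$PROJECT_ID" --location="$REGION" \
    --service-directory-service="$(sd_service_resource)" \
    --hostname="$EKM_HOSTNAME" --server-certificates-files="$LEAF_CERT_DER"
}

main "$@"
```

Run it once in dry-run mode to review the exact commands, then again with DRY_RUN=0 and your real values. Keep the region variable single-sourced as above: a namespace or connection created in a different region from the VPC subnet is the most common reason the wizard rejects the service self link.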