Launch a Service Gateway virtual appliance from Google Cloud using a deployment package.
If your environment does not have a local hypervisor or VM host machine, you can deploy
the Service Gateway virtual appliance to your Google Cloud environment using a deployment
package. Before you begin, review the Service Gateway appliance system
requirements to ensure your virtual appliance has the settings needed to deploy the services you
want to use.
NoteThe steps contained in these instructions are valid as of July 2026.
Before you being, ensure you have downloaded and installed the Google Cloud CLI on
the local machine you are using to deploy and access the Service Gateway. For more
information, refer to the Google Cloud document Install the Google Cloud CLI.
|
Procedure
- Obtain the Service Gateway registration token.
- In the TrendAI Vision One™ console, go to .
- Click Download Virtual Appliance.
- Copy the Registration Token.

Note
The registration token is used to register the Service Gateway virtual appliance to Service Gateway Inventory after installation and setup are complete. The registration token expires after 24 hours if not used.
- To initiate the instance launch, sign in to the Google Cloud portal.
- Create a firewall policy for the Service Gateway virtual appliance you want to deploy.
- In the Google Cloud portal, open the navigation menu at the upper left of the screen.
Go to .

Note
If you don't see the service, use the search bar at the top of the screen to search for Firewall. Find Firewall under Search results. - Click Create firewall policy.

- In the 1 Configure policy step, specify a Policy name, select the deployment scope of the firewall policy, and click Continue.
- In the 2 Add rules step, click Create firewall rule to create a new firewall rule for the Service Gateway virtual appliance.

- On the Create a firewall rule panel on the right, configure the firewall rule settings.
-
For Priority, specify a positive integer.For more information on priority, refer to the Google Cloud documentation.
-
For Direction of traffic, select Ingress.
-
For Action on match, select Allow.
-
For Target, select the instance where you would like to apply this firewall rule.
-
For Source network type, select the network type that matches the source where the ingress traffic comes.
-
For Source filters, specify the IP type and IP ranges of the source.

Note
TrendAI™ recommends specifying the source IP addresses/CIDR ranges that are within your network. -
For Protocols and ports, select Specified protocols and ports, select TCP, and add the ports according to the following table.ServiceDestination port rangesProtocolActionDescriptionSSH22TCPAllowFor accessing Service Gateway virtual appliance CLISH commandHTTP80TCPAllowService enabled queries for on-premises Active Directory servers, connected TrendAI™ products (such as endpoint agents), Predictive Machine Learning, File Reputation Services, or Third-Party IntegrationHTTPS443TCPAllowService enabled queries for on-premises Active Directory servers, connected TrendAI™ products (such as endpoint agents), Predictive Machine Learning, File Reputation Services, or Third-Party IntegrationCustom TCP5274TCPAllowWeb Reputation Services or Web Inspection Service queriesCustom TCP5275TCPAllowWeb Reputation Services or Web Inspection Service queriesCustom TCP8080TCPAllowForward Proxy Service listening port for connectionCustom TCP8088TCPAllowZero Trust Secure Access On-Premises Gateway listening port for connection
-
For Enforcement, select Enabled.
-
Review the configuration of this firewall rule, then click Create.
-
Select the firewall just created, and click Continue.
-
- In the 3 Associate policy with VPC networks (optional) step, click Associate to associate this firewall policy with existing VPC networks.

Note
If you do not have any VPC networks, refer to Google Cloud documentation to create one. - Review the configuration of this firewall policy, then click Create.
- In the Google Cloud portal, open the navigation menu at the upper left of the screen.
Go to .
- Create a VM instance.
- Go to .
- In the Virtual instances screen, click Create instance.

- In the Create an instance screen, choose .

- In the Marketplace screen, select TrendAI Vison One™ Service Gateway to deploy.
-
In the Marketplace screen, search for the product TrendAI Vison One™ Service Gateway.

-
Select TrendAI Vison One™ Service Gateway in the results.
-
Click Get Started and agree to the terms and agreements before the deployment.
-
A dialog for successfully agreeing to terms will pop up. Click Deploy to proceed.
-
Click Launch to proceed with the deployment.

-
Choose one of the following ways to deploy TrendAI Vison One™ Service Gateway.Deployment methodStepsTerraform
-
Specify a Deployment name.
-
In the Deployment Service Account section:
-
Select an Existing account which has the
roles/config.agent,roles/compute.admin, androles/iam.serviceAccountUserroles, or create a new account for the deployment. -
Select a Zone for the location where TrendAI Vison One™ Service Gateway will be deployed.
-
-
In the Machine type section, select a machine type that meets the specifications for your deployment.

Note
The default machine type ise2-highcpu-16with 16 vCPU and 16 GB memory. For more information, see Service Gateway appliance system requirements. -
In the Boot Disk section:
-
Select the disk type that meet the specifications for your deployment in Boot disk type.
-
Specify a disk size for Boot disk size in GB.

Note
The default disk size and disk type is 500 GB and Balanced Persistent Disk respectively. For more information, see Service Gateway appliance system requirements. -
-
In the Network interfaces section, edit the following settings of the network interface:
-
Select the VPC where the firewall policy created in previous steps is applied for Network.
-
Select the desired subnetwork for Subnetwork.

Note
Refer to the Google Cloud documentation on how to set up a VPC network and subnets. -
Select None for External IP.
-
-
Review the VM instance settings, and click Deploy to deploy TrendAI Vison One™ Service Gateway.
Command-line deployment
Important
-
Agree to the terms of service and click Next.
-
In the Configure a service account (Optional) section, click Configure to select an existing account which has the
roles/compute.adminandroles/iam.serviceAccountUserroles, or create a new account for the deployment. -
In the Configure gcloud section, run all the mentioned commands to configure the gcloud environment.
-
In the Review VM images section, click Download to download the zipped file, which includes the Terraform scripts of deploying TrendAI Vison One™ Service Gateway, to your local environment.
-
Unzip the downloaded file.
-
Click SHOW COMMAND to display all the required Terraform commands for the deployment.
-
Open a terminal, change the current directory to the unzipped folder, and run all the Terraform commands mentioned in step 6 for deploying a TrendAI Vison One™ Service Gateway VM instance to the specified Google Cloud project.
# Configure the current gcloud environment for Terraform gcloud config set project <project_name> gcloud auth application-default login # Deploy TrendAI Vision One™™ Service Gateway VM instance on Google Cloud Platform cd path/to/unzipped/folder terraform init terraform apply # There are two parameters to be input during the deployment: # var.goog_cm_deployment_name # The name of the deployment and VM instance. # var.project_id # The ID of the project in which to provision resources. # After providing values for these parameters, type `yes` to proceed.
-
-
- After the deployment is completed, go to screen.TrendAI Vison One™ Service Gateway is ready to connect and configure when Status shows the green check icon (
).
- Connect to the VM instance.
- Open a terminal on your local machine.
- Use the following command to sign into the Service Gateway appliance with the admin
account using gcloud.gcloud compute ssh admin@<vm_instance_name> --project=<gcp_project_name> --zone=<zone> --tunnel-through-iap

Note
If direct SSH connections to Google Cloud VM instances are not allowed on your Google Cloud project, the--tunnel-through-iapflag is required when connected to the Service Gateway appliance from your local machine using SSH.
- Configure and register the Service Gateway.
- Change your password.
- After the new password is applied, the Command Line Interface (CLI) appears.
- Type enable and press the ENTER key to enable administrative commands.The command prompt changes from > to #.
- Use the
configurecommand to configure the required network settings, such as the IP address and DNS settings. - Type the following command to register the Service Gateway virtual appliance to TrendAI Vision One™. register <registration_token>Use the registration token you obtained from Service Gateway Inventory.
- Use the CLI to configure other settings, if required.For more information on available commands, see Service Gateway CLI commands.
