Google Cloud — gcloud CLI
Deploy the RTA with a single gcloud compute instances create command.
This is the fastest path — no Console navigation, no org-picker workaround,
and no image copy required.
Before you start
Review the Google Cloud overview. You'll need the image name
and your SSH public key from your engagement lead, the
Google Cloud SDK installed and
authenticated (gcloud auth login), and a GCP project with the Compute
Engine API enabled.
Create the instance
gcloud compute instances create rta-instance \
  --project=YOUR_PROJECT_ID \
  --zone=ZONE \
  --machine-type=e2-standard-4 \
  --image=IMAGE_NAME \
  --image-project=srt-rta-images \
  --boot-disk-size=40GB \
  --boot-disk-type=pd-balanced \
  --no-address \
  --enable-display-device \
  --metadata="ssh-keys=swag:$(cat ~/.ssh/your_key.pub)"
Replace the following placeholders:
| Placeholder | Value |
|---|---|
| YOUR_PROJECT_ID | Your GCP project ID (e.g. acme-pentest-2025) |
| ZONE | A zone in your preferred region (e.g. europe-west1-b) |
| IMAGE_NAME | The image name provided by your engagement lead |
--enable-display-device is required
Without this flag, the RTA console is inaccessible. There is no way to add the display device to a running instance — it must be set at create time.
Machine type
e2-standard-4 (4 vCPU / 16 GB) is recommended. Use e2-standard-2
(2 vCPU / 8 GB) only if resources are constrained — it meets the minimum
spec but will be slower during engagements.
--no-address vs. --no-address omitted
--no-address creates the instance without an external IP. The appliance
only needs outbound internet access through your VPC's Cloud NAT or an
existing internet gateway — no inbound ports need to be open.
Supply your SSH key
The example above injects the key via instance metadata (ssh-keys). If your
project already has a project-level SSH key for the swag user, you can omit
the --metadata flag entirely.
Alternatively, set a project-level default that applies to all new instances:
gcloud compute project-info add-metadata \
  --project=YOUR_PROJECT_ID \
  --metadata="ssh-keys=swag:$(cat ~/.ssh/your_key.pub)"
Verify
# Get the internal IP of the new instance
gcloud compute instances describe rta-instance \
  --project=YOUR_PROJECT_ID \
  --zone=ZONE \
  --format='get(networkInterfaces[0].networkIP)'
# SSH from inside the VPC (or via your VPN)
ssh swag@<INTERNAL_IP>
The image is generic, so on first boot the appliance comes up in activation mode and shows an Appliance Registration screen with a one-time activation code — you normally do not need to log in at all. To read the activation code from the serial console (give it to your Sophos engagement lead to activate):
gcloud compute instances get-serial-port-output rta-instance \
  --project=YOUR_PROJECT_ID \
  --zone=ZONE
First-boot timing
cloud-init completes within 2 minutes on a healthy instance. If ssh
refuses connections for the first minute, that is normal — the swag user
is being provisioned. Retry after 90 seconds.
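The create-time settings called out above (no external IP, display device enabled, machine type) can be checked in one pass after deployment. The script below is an added example, not part of the original guide; the function names rta_audit and rta_audit_live are hypothetical, and it assumes the instance resource fields displayDevice.enableDisplay and accessConfigs[0].natIP as returned by gcloud compute instances describe.

```shell
#!/bin/sh
# Added example: audit the create-time settings this page calls out.
# rta_audit and rta_audit_live are hypothetical helper names.

# Pure check over values already read from the instance.
# Args: external IP ("" if none), display flag, machine type.
# Returns 0 when nothing blocks the deployment, 1 otherwise.
rta_audit() {
  local ext_ip="$1" display="$2" mtype="$3" failed=0

  if [ -n "$ext_ip" ]; then
    echo "FAIL: external IP $ext_ip attached (instance created without --no-address)"
    failed=1
  fi
  case "$display" in
    True|true|TRUE) ;;
    *) echo "FAIL: display device off; it is set at create time only, recreate the instance"
       failed=1 ;;
  esac
  if [ "$mtype" = "e2-standard-2" ]; then
    echo "WARN: e2-standard-2 meets the minimum spec but will be slower"
  fi
  [ "$failed" -eq 0 ] && echo "OK: no external IP, display device enabled"
  return "$failed"
}

# Live wrapper: reads the three values with one describe call.
# csv output keeps empty fields (no external IP) in position.
rta_audit_live() {
  local project="$1" zone="$2" name="${3:-rta-instance}" out ip display mtype
  out=$(gcloud compute instances describe "$name" \
    --project="$project" --zone="$zone" \
    --format='csv[no-heading](networkInterfaces[0].accessConfigs[0].natIP,displayDevice.enableDisplay,machineType.basename())') || return 2
  IFS=, read -r ip display mtype <<EOF
$out
EOF
  rta_audit "$ip" "$display" "$mtype"
}

# Runs against GCP only when called with arguments:
#   ./rta_audit.sh YOUR_PROJECT_ID ZONE [INSTANCE_NAME]
if [ "$#" -ge 2 ]; then rta_audit_live "$@"; fi
```

A FAIL on the display device means the instance has to be recreated, since the flag cannot be added to a running instance.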
Network access
The appliance makes one connection to do its job: an outbound tunnel to the Sophos headend. Nothing inbound is ever required — you never open or forward any ports to the appliance.
Allow this outbound destination
| Destination | connect.remotetesting.secureworks.com |
| IP addresses | 3.33.194.251 and 15.197.255.2 (static — these do not change) |
| Port / protocol | TCP 443, carrying OpenVPN (not HTTPS) |
| Direction | Outbound only |
Allow egress on TCP/443 to that destination from the appliance's network. On a next-generation firewall or NAC-controlled network, an L3 "allow 443" rule is often not enough — Layer-7 application control, TLS/SSL decryption, or NAC can still drop the tunnel even when the port is open. See Connectivity Troubleshooting for the exact firewall and NAC exceptions to request.
Troubleshooting
Deployed but something isn't right?
See Google Cloud troubleshooting for the most common issues on this platform and how to fix them.