Google Cloud — Cloud Console (GUI)

Deploy the RTA entirely from the GCP Cloud Console. You'll navigate to Compute Engine, create a new VM instance, and select our shared image as the boot disk — no CLI tools required.

Before you start

Review the Google Cloud overview. You'll need the image name and your SSH public key from your engagement lead, and a GCP project with the Compute Engine API enabled.

1. Open VM Instances

  1. Go to Compute Engine → VM instances in your GCP project.
  2. Click Create instance.

2. Configure name, region, and machine type

  1. Enter a name for the instance (e.g. rta-instance).
  2. Choose a Region and Zone close to your engagement targets.
  3. Under Machine configuration, set Machine type to e2-standard-4 (4 vCPU / 16 GB). Use e2-standard-2 only if resources are constrained.

3. Select the shared boot image

  1. Under Boot disk, click Change.
  2. Select the Custom images tab.
  3. Open the Source project dropdown.

    Switch the organization filter first

    The picker defaults to your organization. srt-rta-images is a Sophos-owned project outside your org — it will not appear until you change the filter. At the top of the dropdown, set the organization selector to "No organization" or "All", then search for srt-rta-images and select it.

  4. In the Image list, select the image name provided by your engagement lead (e.g. <IMAGE_NAME>).

  5. Confirm Boot disk size is 40 GB.
  6. Click Select.

4. Enable the display device

  1. In the left-hand section list, click Observability (or scroll down to the Observability section).
  2. Check Enable display device.

Do not skip this step

The display device is disabled by default. Without it, the RTA console is inaccessible. You cannot enable it after the instance is created — you must set it at create time.

5. Configure networking

  1. Click Networking in the section list.
  2. Under Network interfaces, select an existing VPC network and subnetwork that has outbound internet access.
  3. Set External IPv4 address to None — the appliance only needs outbound access and does not require a public IP.

6. Add your SSH key

  1. Click Security in the section list (or expand Advanced options → Security).
  2. Under Manage access, click Add item under SSH keys.
  3. Paste your public SSH key. The username embedded in the key will be used; if it does not already read swag, the appliance still creates the swag user on first boot via cloud-init — you can SSH as swag.

Project-level SSH keys

If your GCP project already has project-level SSH keys and one of them corresponds to the swag user, you don't need to add an instance-level key.

7. Create the instance

Click Create. GCP will start the instance within a minute or two.

Verify

The instance has no external IP. Because the image is generic, the appliance comes up in activation mode on first boot and shows an Appliance Registration screen with a one-time activation code. To read it and activate the appliance:

  1. In VM instances, note the Internal IP of your new instance.
  2. Open the instance and go to Observability → Serial port 1 (console) (or Logs → Serial port output) to read the activation code. Give the code to your Sophos engagement lead to activate the appliance.
  3. If you need shell access, SSH from a host inside the same VPC (or via your VPN):

    ssh swag@<INTERNAL_IP>
    

First-boot console output

The Appliance Registration screen with the activation code on the serial console is normal and expected. Once your engagement lead activates the appliance, it provisions itself and the console switches to the live status dashboard.

Network access

The appliance makes one connection to do its job: an outbound tunnel to the Sophos headend. Nothing inbound is ever required — you never open or forward any ports to the appliance.

Allow this outbound destination

Destination: connect.remotetesting.secureworks.com
IP addresses: 3.33.194.251 and 15.197.255.2 (static — these do not change)
Port / protocol: TCP 443, carrying OpenVPN (not HTTPS)
Direction: Outbound only

Allow egress on TCP/443 to that destination from the appliance's network. On a next-generation firewall or NAC-controlled network, an L3 "allow 443" rule is often not enough — Layer-7 application control, TLS/SSL decryption, or NAC can still drop the tunnel even when the port is open. See Connectivity Troubleshooting for the exact firewall and NAC exceptions to request.
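A preflight check for the egress requirement above, meant to be run from a host in the same subnet as the appliance. This is an added example, not Sophos code; the function names are illustrative, and it assumes the hostname resolves only to the two documented static addresses.

```python
import socket

# Values copied from the "Allow this outbound destination" table on this page.
HEADEND_HOST = "connect.remotetesting.secureworks.com"
HEADEND_IPS = {"3.33.194.251", "15.197.255.2"}
HEADEND_PORT = 443

def resolve(host):
    """Return the set of IPv4 addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def tcp_open(ip, port, timeout=5.0):
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(resolver=resolve, connector=tcp_open):
    """Check DNS and TCP egress; returns a list of (check, ok, detail)."""
    results = []
    try:
        resolved = resolver(HEADEND_HOST)
    except OSError as exc:
        results.append(("dns", False, f"lookup failed: {exc}"))
    else:
        unexpected = resolved - HEADEND_IPS
        # An address outside the documented pair (assumption: only those two
        # are valid) points at a DNS override or interception on this network.
        ok = bool(resolved) and not unexpected
        results.append(("dns", ok,
                        f"resolved={sorted(resolved)} unexpected={sorted(unexpected)}"))
    for ip in sorted(HEADEND_IPS):
        ok = connector(ip, HEADEND_PORT)
        results.append((f"tcp/{ip}", ok, "handshake ok" if ok else "blocked or timed out"))
    return results

if __name__ == "__main__":
    for name, ok, detail in preflight():
        print(f"{'PASS' if ok else 'FAIL'}  {name:<20} {detail}")
    # PASS only proves the port is reachable: Layer-7 application control or
    # TLS decryption can still drop the OpenVPN tunnel on an open port.
```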

Troubleshooting

Deployed but something isn't right?

See Google Cloud troubleshooting for the most common issues on this platform and how to fix them.