This is a diagram that I have used for the lab.
![](https://tungle.ca/wp-content/uploads/2022/04/image-832.png)
Create a new VPC network on GCP.
![](https://tungle.ca/wp-content/uploads/2022/04/image-828.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-829.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-831.png)
Search for the keyword “VPN” using the search function.
Click “Create VPN connection”.
![](https://tungle.ca/wp-content/uploads/2022/04/image-833-1024x338.png)
Select Classic VPN.
![](https://tungle.ca/wp-content/uploads/2022/04/image-834.png)
Select tung-vpc in the network setting.
Create a new static IP address for your VPC.
![](https://tungle.ca/wp-content/uploads/2022/04/image-837.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-838.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-839.png)
Delete tunnel 2 because I have only used tunnel 1 in this lab. Then click Create.
![](https://tungle.ca/wp-content/uploads/2022/04/image-841.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-842-1024x401.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-843-1024x782.png)
Click gpc-pa-tunnel-1.
![](https://tungle.ca/wp-content/uploads/2022/04/image-844.png)
Edit the Routes to allow traffic from my tung-vpc network to the Internet via the Default Internet gateway.
![](https://tungle.ca/wp-content/uploads/2022/04/image-846.png)
In the Routes section, we can see that the static route from privatesubnet on GCP to the LAN subnets on Palo Alto has been created.
![](https://tungle.ca/wp-content/uploads/2022/04/image-878-1024x679.png)
Check the firewall and allow SSH from the Internet to the Linux instance on the “privatesubnet”.
![](https://tungle.ca/wp-content/uploads/2022/04/image-847.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-848.png)
I have used “Allow all” to allow SSH from the Internet to the Linux instance. The rule can be changed to allow only the SSH protocol (port 22) instead. Click Create.
![](https://tungle.ca/wp-content/uploads/2022/04/image-876-1024x567.png)
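As an added example (not part of the original lab), this Python check reads firewall rules in the shape produced by `gcloud compute firewall-rules list --format=json` and flags ingress rules on tung-vpc that expose everything, or SSH, to the Internet, as the “Allow all” rule above does. The rule names and source ranges in the sample are constructed; only the tung-vpc network name comes from the lab.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# Rule names and the 203.0.113.0/24 admin range are placeholders, not values from the lab.
SAMPLE_RULES = json.loads("""
[
  {"name": "lab-allow-all", "network": "global/networks/tung-vpc", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "lab-allow-ssh", "network": "global/networks/tung-vpc", "direction": "INGRESS",
   "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "lab-ssh-any", "network": "global/networks/tung-vpc", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]}
]
""")

def covers_port(ports, port):
    """True if a GCP ports list ("22", "20-25") includes `port`; no list means all ports."""
    if not ports:
        return True
    for spec in ports:
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def is_open_to_internet(rule):
    """True if any source range is a default route (0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0
               for r in rule.get("sourceRanges", []))

def audit(rules, network="tung-vpc"):
    """Return {rule name: finding} for enabled ingress rules on `network` open to the Internet."""
    findings = {}
    for rule in rules:
        if (rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS"
                or rule.get("network", "").rsplit("/", 1)[-1] != network
                or not is_open_to_internet(rule)):
            continue
        for allow in rule.get("allowed", []):
            proto = allow["IPProtocol"].lower()
            if proto == "all":
                findings[rule["name"]] = "all protocols and ports open to the Internet"
            elif proto == "tcp" and covers_port(allow.get("ports"), 22):
                findings.setdefault(rule["name"], "SSH (tcp/22) open to the Internet")
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES).items():
        print(f"{name}: {finding}")
```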
Search for “compute engine” and click create an instance.
![](https://tungle.ca/wp-content/uploads/2022/04/image-852.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-855.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-854.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-856.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-857.png)
Under network interfaces:
![](https://tungle.ca/wp-content/uploads/2022/04/image-853.png)
Click create.
![](https://tungle.ca/wp-content/uploads/2022/04/image-858.png)
Open SSH in a browser window to connect to the Linux instance.
![](https://tungle.ca/wp-content/uploads/2022/04/image-869-1024x446.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-870.png)
Back to Palo Alto.
IKECrypto.
![](https://tungle.ca/wp-content/uploads/2022/04/image-859.png)
IPSECCrypto.
![](https://tungle.ca/wp-content/uploads/2022/04/image-860.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-861.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-862.png)
IPSECTunnel.
![](https://tungle.ca/wp-content/uploads/2022/04/image-863.png)
Create network objects for both the Palo Alto LAN subnet and the GCP LAN subnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-865.png)
Create both access rules to allow traffic from Palo Alto LAN subnets to GCP privatesubnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-864.png)
This is the network interface on PA.
![](https://tungle.ca/wp-content/uploads/2022/04/image-867.png)
Create a new static route to allow traffic from PA LAN subnets to GCP privatesubnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-868.png)
Then, click commit.
Back to GCP.
Ping the Kali machine on the PA LAN subnet from the Linux instance on GCP.
![](https://tungle.ca/wp-content/uploads/2022/04/image-872.png)
On the Kali machine, ping the Linux instance on GCP.
![](https://tungle.ca/wp-content/uploads/2022/04/image-873.png)
The Palo Alto VPN site-to-site tunnel with GCP is up.
![](https://tungle.ca/wp-content/uploads/2022/04/image-874.png)
The IPSEC VPN site-to-site tunnel is up on GCP as well.
![](https://tungle.ca/wp-content/uploads/2022/04/image-875-1024x362.png)