Create a New GCP Connector
Procedure
1. From the navigation pane, choose .

2. Click GCP Connector.

3. Click either of the options to create a new GCP connector:

4. Get Started Guide: Use this option to gather labels and flow data from GKE clusters. Before you configure this connector, see:

5. Click Get Started. For more information, see Edit a New GCP Connector.

6. Click Generate Templates. Cisco Secure Workload requires the relevant permissions to access and read flow log settings and to perform policy enforcement. Based on the capabilities you select, a Cloud Deployment Manager template is generated automatically. Use this template to apply the relevant permissions to the intended user. Copy or paste the commands to create the recommended built-in role in the GCP CLI. Select the activities that Cisco Secure Workload will perform on your GCP resources.

7. Create new service accounts and grant IAM roles to them in the Google Cloud console. Use IAM roles with custom service accounts to-

8. Create and manage service accounts using the Identity and Access Management (IAM) API and the Google Cloud console.

9. In addition to basic roles (viewer, editor, owner) and custom roles, assign the Compute Engine predefined roles to the members of your project:

10. Create and manage Google Cloud resources and services directly on the command line or through scripts using the Google Cloud CLI. You can either Copy or Download the template.
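Steps 6 through 10 grant the connector's service account a set of roles and then rely on the Google Cloud CLI to apply them. The following is an added example, not Cisco Secure Workload code or the generated template: it reads the JSON that gcloud projects get-iam-policy PROJECT_ID --format=json prints, lists the roles bound to the connector's service account, flags any basic role (owner, editor, viewer) as broader than the predefined and custom roles the template intends, and prints the gcloud commands that would correct the bindings. The policy document, the project id and the service account name are constructed sample data, and EXPECTED_ROLES is an assumed illustrative set of real GCP role names; the authoritative list of roles comes from the template generated in the connector wizard.

```python
"""Least-privilege check for the GCP connector's service account.

Added example (not Cisco Secure Workload code). Reads the JSON output of
`gcloud projects get-iam-policy PROJECT_ID --format=json`, reports which roles
the connector's service account holds, and flags basic roles. Sample policy,
project id and service account below are constructed for the example.
"""
import json

# Basic (primitive) roles grant far more than the connector needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# ASSUMPTION: an illustrative set of predefined roles (real GCP role names).
# The roles the connector actually requires come from the generated template.
EXPECTED_ROLES = {
    "roles/compute.viewer",
    "roles/logging.viewer",
}

SA_EMAIL = "csw-connector@my-project.iam.gserviceaccount.com"  # constructed

# Constructed sample policy in the shape gcloud prints with --format=json.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com"]},
        {"role": "roles/editor",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/compute.viewer",
         "members": [f"serviceAccount:{SA_EMAIL}", "user:analyst@example.com"]},
    ],
    "etag": "BwXYZ=",
    "version": 1,
})


def roles_for_member(policy_json: str, member: str) -> set:
    """Return every role bound to `member` (e.g. 'serviceAccount:...')."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_service_account(policy_json: str, sa_email: str,
                          expected: set = EXPECTED_ROLES) -> dict:
    """Compare the roles a service account holds against the expected set."""
    held = roles_for_member(policy_json, f"serviceAccount:{sa_email}")
    return {
        "held": sorted(held),
        "basic_roles": sorted(held & BASIC_ROLES),          # too broad
        "missing": sorted(expected - held),                 # connector will fail
        "unexpected": sorted(held - expected - BASIC_ROLES), # review manually
    }


def remediation_commands(project_id: str, sa_email: str, report: dict) -> list:
    """gcloud commands that drop basic roles and add the missing expected ones."""
    member = f"serviceAccount:{sa_email}"
    cmds = []
    for role in report["basic_roles"]:
        cmds.append(f"gcloud projects remove-iam-policy-binding {project_id} "
                    f"--member={member} --role={role}")
    for role in report["missing"]:
        cmds.append(f"gcloud projects add-iam-policy-binding {project_id} "
                    f"--member={member} --role={role}")
    return cmds


if __name__ == "__main__":
    report = audit_service_account(SAMPLE_POLICY_JSON, SA_EMAIL)
    print(json.dumps(report, indent=2))
    for cmd in remediation_commands("my-project", SA_EMAIL, report):
        print(cmd)
```

On a real project, replace SAMPLE_POLICY_JSON with the file written by gcloud projects get-iam-policy PROJECT_ID --format=json, and set EXPECTED_ROLES to the roles named in the template the wizard generated. The printed commands are a proposal to review, not something the script runs.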
What to do next

If you have enabled Context Gathering, Ingest Flow Logs, Segmentation, and/or Managed Kubernetes Services:

- If you enabled flow ingestion, it may take up to 25 minutes for flows to begin appearing on the page.

- (Optional) For richer flow data and other benefits, including visibility into host vulnerabilities (CVEs), install the appropriate agent for your operating system on your VPC-based workloads. For requirements and details, see the agent installation chapter.

- After you have successfully configured the GCP connector to gather labels and ingest flows, follow the standard process for building segmentation policies. For example: allow Secure Workload to gather sufficient flow data to generate reliable policies; define or modify scopes (typically one for each VPC); create a workspace for each scope; automatically discover policies based on your flow data and/or manually create policies; analyze and refine your policies; ensure that your policies meet the guidelines and best practices below; and then, when you are ready, approve and enforce those policies in the workspace. When you are ready to enforce segmentation policy for a particular VPC, return to the connector configuration to enable segmentation for that VPC.

For more information, see Best Practices When Enforcing Segmentation Policy for GCP Inventory.

If you have enabled the Managed Kubernetes Services (GKE) option:

- Install Kubernetes agents on your container-based workloads. For more information, see Kubernetes/Openshift Agents–Deep Visibility and Enforcement.
Event Log:

Use the event logs to track significant events reported per connector by each capability. You can filter them by attributes such as Component, Namespace, Messages, and Timestamp.