Create a GCP Connector

Procedure

From the navigation pane, choose Manage > Connectors.

Click GCP Connector.

Click Enable for the first connector (in a root scope) or Enable Another for additional connectors in the same root scope.

Understand and meet requirements and prerequisites in Requirements and Prerequisites for GCP Connector and Managed Kubernetes Services Running on GCP (GKE), then click Get Started.

Enter a name for the connector and choose desired capabilities, then click Next.

Selections you make on this page are used only to determine the privileges included in the IAM policy list that will be generated in the next step, and to display the settings that you will need to configure.

If the Injest Flow Logs capabilities is checked, you must enter Flow Log Storage Bucket Name in the next step.

In order to enable Segmentation, you must check Gather Labels.

Create Service Accounts in the Google Cloud console.

Download the generated IAM custom role policy list.

This IAM custom role policy list has the IAM privileges required for the capabilities that you selected in the previous step.

If you have enabled the Kubernetes option, you must separately configure permissions for GKE.

For more information, see Managed Kubernetes Services Running on GCP (GKE).

Generate a Service Accounts custom role in the Google Cloud console; use the sample command below using Google Cloud CLI:

gcloud iam roles create <Role Name> --project=<Project id> --file=<File path>

Upload the service account json file with required capabilities that was created as a prerequisite.

In GCP, the single connector supports multiple projects and ensure that the service account is directly linked to all projects.

Enter the Flow Log Storage Bucket Name if the Ingress Flow logs capability is checked.

Enter the Root Resource Id, which is also the GCP folder ID or organization ID.

To obtain the Root Resource ID, navigating to the IAM & Admin, Settings section and you can view it directly in the Cloud Console. Alternatively, you can also utilize the Cloud SDK command to retrieve the Root Resource ID.

Configure the following settings:

Attribute	Description
HTTP Proxy	Proxy required for Secure Workload to reach GCP.
Full Scan Interval	Frequency with which Secure Workload refreshes complete inventory data from GCP. Default and minimum is 3600 seconds.
Delta Scan Interval	Frequency with which Secure Workload fetches incremental changes in inventory data from GCP. Default and minimum is 600 seconds.

Click Next.

The next page displays a Resource Tree where the user can expands to view various region and inside the region you can select or unselect the resource check boxes to obtain the list of VPCs and GKE clusters from GCP.

From the list of VPCs (Virtual Networks) and GKE clusters, choose the resources and their respective capabilities.

Generally, you should enable flow ingestion as soon as possible, so that Secure Workload can begin to collect enough data required to suggest accurate policies.

Generally, you should not choose Enable Segmentation during initial configuration. Later, when you are ready to enforce segmentation policy for specific VPCs, you can edit the connector and enable segmentation for those VPCs. See the Best Practices When Enforcing Segmentation Policy for GCP Inventory.

Click Create and wait a few minutes for the validation check to complete.

The View Groups page shows all VPCs that you enabled for any functionality on the previous page, grouped by logical_group_id (CSW), which is also a project_id (GCP). Each logical_group_id, and each VPC in each logical_group_id, is a new scope.

Choose the parent scope under which to add the new set of scopes. If you have not yet defined any scopes, your only option is the default scope.

To accept all settings configured in the wizard including the hierarchical scope tree, click Save.

To accept all settings, except the hierarchical scope tree, click Skip this step.

You can manually create or edit the scope tree later, under Organize > Scopes and Inventory.

What to do next

If you have enabled gathering labels, ingesting flow data, and/or segmentation:

If you enabled flow ingestion, it may take up to 25 minutes for flows to begin appearing on the Manage > Workloads > Connectors page.
(Optional) For richer flow data and other benefits including visibility into host vulnerabilities (CVEs), install the appropriate agent for your operating system on your VPC-based workloads. For requirements and details, see the agent installation chapter.
After you have successfully configured the GCP connector to gather labels and ingest flows, follow the standard process for building segmentation policies. For example: Allow Secure Workload to gather sufficient flow data to generate reliable policies; define or modify scopes (typically one for each VPC); create a workspace for each scope; automatically discover policies based on your flow data, and/or manually create policies; analyze and refine your policies; ensure that your policies meet the guidelines and best practices below; and then, when you are ready, approve and enforce those policies in the workspace. When you are ready to enforce segmentation policy for a particular VPC, return to the connector configuration to enable segmentation for the VPC. For details, see Best Practices When Enforcing Segmentation Policy for GCP Inventory.

If you have enabled the Kubernetes managed services (GKE) option:

Install Kubernetes agents on your container-based workloads. For more information, see Kubernetes/Openshift Agents–Deep Visibility and Enforcement.

Event Log:

The event logs can be used to know significant events happening per connector from different capabilities. We can filter them using various attributes like Component, Namespace, Messages and Timestamp.

Previous topic Create a New GCP Connector Next topic Edit a GCP Connector