...

  • You must have a GCP project with a VPC containing at least one private subnet.

  • The VPC must be configured for Cloud NAT to allow Blue Hexagon virtual appliances deployed in the private subnet to reach out to the Blue Hexagon cloud.

  • The Blue Hexagon Deployment Manager template creates an outbound firewall rule to 0.0.0.0/0 so that the virtual appliances can communicate with the Blue Hexagon cloud. Do not remove this rule.

  • [Preferred] The gcloud command-line tool, used to deploy the Blue Hexagon for GCP Deployment Manager package. Follow the instructions here to install it. The following command may be useful.

    Code Block
    curl https://sdk.cloud.google.com | bash

GCP Security Audit Setup

Step 1: Enable API

Log in to the GCP account you wish to connect with Blue Hexagon and enable the following APIs (e.g. via Cloud Shell).

Code Block
gcloud services enable appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com compute.googleapis.com container.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com iam.googleapis.com sqladmin.googleapis.com storage-component.googleapis.com recommender.googleapis.com monitoring.googleapis.com logging.googleapis.com serviceusage.googleapis.com 

Step 2: Create Service Account

Name the service account, e.g. bluehexagonsecurity

...

  • Viewer

  • Security Reviewer

  • Storage Object Viewer

Step 3: Create and Export JSON Key File

...

Step 4: Register JSON Key File with Blue Hexagon

  • Download the Blue Hexagon for GCP Deployment Manager package here.

  • Your welcome email should contain the password to decrypt the package; if it does not, ask your Blue Hexagon representative for it. Unzip the package using unzip or an equivalent tool.

  • Run the following command (requires python3 – use GCP Cloud Shell if necessary):

    Code Block
    cd bluehexagon
    ./bh_gcp_registration.py -l <YOUR-BLUEHEX-SAAS-LICENSE> -k <PATH-TO-DOWNLOADED-JSON-KEYFILE>
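
Before registering the key, it is worth confirming that the service account from Step 2 holds only the three roles listed there. The script below is an added example, not part of the Blue Hexagon package: it audits a project IAM policy exported as JSON (for instance with `gcloud projects get-iam-policy PROJECT_ID --format=json`). The role IDs are assumed to be the ones behind the console names in Step 2, and the project, e-mail addresses and sample policy are constructed.

```python
import json
import sys

# Role IDs assumed to correspond to the console role names listed in Step 2.
EXPECTED_ROLES = {
    "roles/viewer",                # Viewer
    "roles/iam.securityReviewer",  # Security Reviewer
    "roles/storage.objectViewer",  # Storage Object Viewer
}

# Constructed sample data: hypothetical project and service account.
SAMPLE_SA = "bluehexagonsecurity@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:admin@example.com", f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/iam.securityReviewer",
         "members": [f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/editor",  # broader than Step 2 asks for
         "members": [f"serviceAccount:{SAMPLE_SA}"]},
    ],
}

def audit_service_account(policy, sa_email):
    """Compare roles bound directly to sa_email at project level with EXPECTED_ROLES."""
    # Roles inherited from a folder, organization or group do not appear in this policy.
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            granted.add(binding["role"])
            if "condition" in binding:
                conditional.add(binding["role"])
    return {
        "missing": sorted(EXPECTED_ROLES - granted),
        "unexpected": sorted(granted - EXPECTED_ROLES),
        "conditional": sorted(conditional),
    }

if __name__ == "__main__":
    # Usage: audit.py policy.json SA_EMAIL  (no arguments: run on the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            policy, email = json.load(fh), sys.argv[2]
    else:
        policy, email = SAMPLE_POLICY, SAMPLE_SA
    print(json.dumps(audit_service_account(policy, email), indent=2))
```

An empty `missing` and `unexpected` list means the account matches Step 2; anything under `unexpected` is a role to review before the key leaves your environment.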

...