Introduction
This document describes the steps needed to
Note: To complete the steps below, you must have a valid Blue Hexagon SaaS license. Please contact your Blue Hexagon representative to obtain a license. You can request a free trial license here.
Blue Hexagon Setup
GCP Security Audit Setup
The first step to protecting your cloud with Blue Hexagon Agentless Runtime Cloud Security powered by Deep Learning AI is to connect Blue Hexagon with your GCP project(s). Follow the steps here:
Connect GCP Account with Blue Hexagon
Blue Hexagon Network Threat Defense Setup
The following steps deploy the Blue Hexagon for GCP solution with GCP Packet Mirroring. Blue Hexagon inspects network traffic generated by GCP Compute Engine and GCP Kubernetes Engine workloads to uncover and respond to threats in real time.
A Blue Hexagon representative can assist you in deploying the solution.
Deployment
Getting Started
Share your GCP project or Compute Engine service account email address with your Blue Hexagon representative. Blue Hexagon will in turn share a custom Compute Engine image and add the provided email address as an Image User, as described here.
Prerequisites
You must have a GCP project with a VPC containing at least one private subnet.
The VPC must be configured for Cloud NAT to allow Blue Hexagon virtual appliances deployed in the private subnet to reach out to the Blue Hexagon cloud.
The Blue Hexagon deployment manager template creates a 0.0.0.0/0 outbound firewall rule to allow outbound communications with the Blue Hexagon cloud - do not remove this.
[Preferred] The gcloud command line tool, to deploy the Blue Hexagon for GCP Deployment Manager package. Follow the instructions here to install it. The following command may be useful:
curl https://sdk.cloud.google.com | bash
GCP Security Audit Setup
Step 1: Enable API
Log in to the GCP account you wish to connect with Blue Hexagon and enable the following APIs (e.g. via Cloud Shell):
gcloud services enable appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com compute.googleapis.com container.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com iam.googleapis.com sqladmin.googleapis.com storage-component.googleapis.com recommender.googleapis.com monitoring.googleapis.com logging.googleapis.com serviceusage.googleapis.com
Step 2: Create Service Account
Name the service account, e.g. bluehexagonsecurity
Grant the service account the following permissions:
Viewer
Security Reviewer
Storage Object Viewer
Step 3: Create and Export JSON Key File
...
Share the JSON key file with your Blue Hexagon representative, who will complete the registration for you.
Deploying Blue Hexagon Network Threat Defense
...
Deployment
Blue Hexagon is deployed as an autoscaling managed instance group behind an internal load balancer in a subnet in your VPC.
You will receive a welcome email from Blue Hexagon with the following information:
Blue Hexagon for GCP license key
Password to decrypt the Blue Hexagon for GCP Deployment Manager solution package
Download the Blue Hexagon for GCP Deployment Manager package here. Your welcome email should contain the password to decrypt the package; if not, ask your Blue Hexagon representative for it.
Unzip the downloaded package and enter the password when prompted:
$ unzip bluehexagon_gcp.zip
Archive:  bluehexagon_gcp.zip
[bluehexagon_gcp.zip] password:
  inflating: bluehexagon/bluehexagon-instance-template.jinja
  inflating: bluehexagon/README.md
  inflating: bluehexagon/bluehexagon-instance-template.jinja.schema
  inflating: bluehexagon/bluehexagon.jinja
  inflating: bluehexagon/bluehexagon.jinja.schema
Deploy using the gcloud command line tool. Replace the following in the gcloud command line to suit your needs:
bhdemo with the desired name of your GCP Deployment Manager stack
projects/
...
{project id}/global/networks/dev1 with the name of the VPC in which you want to deploy Blue Hexagon
regions/us-west2/subnetworks/private with the name of the subnet in which you want to deploy Blue Hexagon
us-west2 with the region in which you want to deploy Blue Hexagon
YOUR_LICENSE_KEY with the Blue Hexagon for GCP license key in your welcome email
The --properties value is passed as a single comma-separated argument, so do not put spaces after the commas:
$ cd bluehexagon
$ gcloud deployment-manager deployments create bhdemo --template bluehexagon.jinja --properties network:projects/{project id}/global/networks/{vpc network name},subnet:regions/us-west2/subnetworks/{private subnet name},region:{region},bluehexagonLicenseKey:{BLUE HEXAGON THREAT LICENSE},vmImage:projects/bh-assets-289216/global/images/bh-gcp-3-0-0-bhap-1241
An example command would look like:
$ cd bluehexagon
$ gcloud deployment-manager deployments create bhdemo --template bluehexagon.jinja --properties network:projects/{project id}/global/networks/dev1,subnet:regions/us-west2/subnetworks/private,region:us-west2,bluehexagonLicenseKey:{API-KEY},vmImage:projects/bh-assets-289216/global/images/bh-gcp-3-0-0-bhap-1241
Tip: On success, check that the internal load balancer has been created along with a healthy backend managed instance group, as shown in the screenshots below.
Packet Mirroring Configuration
Info: The following steps describe how to configure GCP Packet Mirroring to direct traffic from your source workloads to Blue Hexagon for inspection. For more details and troubleshooting, refer to the GCP Packet Mirroring documentation.
...
You can choose to mirror all traffic (default and recommended) or mirror only specific protocols / IP ranges as shown below.
...
Mirror Only Internet Traffic
GCP Packet Mirroring currently does not support negative filters (a "not" condition such as not 10.0.0.0/8). To work around this and mirror only internet traffic, specify a filter that includes the public CIDR blocks and leaves out the 10.0.0.0/8 internal range. IP ranges to use: 128.0.0.0/1, 64.0.0.0/2, 32.0.0.0/3, 16.0.0.0/4, 0.0.0.0/5, 12.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8. Together these eight blocks cover every IPv4 address except 10.0.0.0/8.
NOTE: Each CIDR block needs to be added one at a time for GCP to recognize it; the whole string above cannot be pasted in as a single entry.
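As an added example (not from this page or from Blue Hexagon), the following Python computes the positive-filter equivalent of a "not <prefix>" rule in general, so you can verify the eight blocks above and derive the equivalent list for other internal ranges, such as all three RFC 1918 prefixes; it uses only the standard library.

```python
import ipaddress
from typing import Iterable

ALL_V4 = ipaddress.ip_network("0.0.0.0/0")

# The eight positive blocks the page gives as the equivalent of "not 10.0.0.0/8".
PAGE_INTERNET_BLOCKS = [
    "128.0.0.0/1", "64.0.0.0/2", "32.0.0.0/3", "16.0.0.0/4",
    "0.0.0.0/5", "12.0.0.0/6", "8.0.0.0/7", "11.0.0.0/8",
]


def complement_cidrs(excluded: Iterable[str]) -> list[str]:
    """Smallest set of CIDR blocks covering all IPv4 space outside the
    excluded prefixes: a positive filter equivalent to "not <excluded>"."""
    remaining = [ALL_V4]
    for ex in (ipaddress.ip_network(e, strict=False) for e in excluded):
        carved = []
        for net in remaining:
            if ex.subnet_of(net):
                # Carve the excluded prefix out, keeping the sibling blocks
                # along the path from net down to ex.
                carved.extend(net.address_exclude(ex))
            elif not net.subnet_of(ex):
                # Disjoint: keep the block unchanged (a block inside ex is dropped).
                carved.append(net)
        remaining = carved
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def covers_everything_but(blocks: Iterable[str], excluded: Iterable[str]) -> bool:
    """Validate a candidate filter: no block may overlap an excluded prefix, and
    the blocks plus the excluded prefixes must account for all 2**32 addresses."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    exs = [ipaddress.ip_network(e, strict=False) for e in excluded]
    if any(n.overlaps(e) for n in nets for e in exs):
        return False
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets + exs))
    return total == ALL_V4.num_addresses


def is_mirrored(addr: str, blocks: Iterable[str]) -> bool:
    """Would traffic to or from this address match the positive filter?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(b) for b in blocks)


if __name__ == "__main__":
    # One block per line, since GCP takes each CIDR as a separate entry.
    for block in complement_cidrs(["10.0.0.0/8"]):
        print(block)
```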
Cross-VPC Packet Mirroring
You can set up cross-VPC (and cross-project) Packet Mirroring by following the steps described in the GCP Packet Mirroring documentation.
Peering needs to be set up both ways, from network1 to network2 and vice versa.
...
Shared VPC Packet Mirroring
You can set up packet mirroring in a Shared VPC setting by following the steps described in the GCP Packet Mirroring documentation.
Intranode visibility
You can set up Packet Mirroring with GKE intranode visibility enabled, so that traffic between Pods on the same node is also mirrored; see:
https://cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility?hl=en
Verify Setup
If Blue Hexagon and Packet Mirroring are set up correctly, you will see observations from the gcp appliance in the Discover view of the Blue Hexagon portal, as shown below.
...