Blue Hexagon for GCP - Terraform


To install Blue Hexagon Agentless Runtime Cloud Security powered by Deep Learning AI, you must have a valid Blue Hexagon NG-NDR license. To install Blue Hexagon Security Audit, you must have a valid Blue Hexagon SaaS license. Please contact your Blue Hexagon representative to obtain the necessary licenses. You can request a free trial license here.

Blue Hexagon Setup

Installation and deployment of Blue Hexagon Security Audit and Blue Hexagon Agentless Runtime Cloud Security powered by Deep Learning AI is done via GCP-recommended Terraform templates. Blue Hexagon Security Audit and Blue Hexagon Agentless Runtime Cloud Security powered by Deep Learning AI can each be installed and deployed independently of the other.

Prerequisites

  • Download the Blue Hexagon for GCP package here. Your welcome email will contain the GCP license key(s) and the password to decrypt the package.

  • Terraform (Blue Hexagon strongly recommends using GCP Cloud Shell, which conveniently provides Terraform and other utilities.)

  • Unzip the Blue Hexagon for GCP package - enter the password when prompted.

    $ unzip bluehexagon_gcp.zip
    Archive:  bluehexagon_gcp.zip
    [bluehexagon_gcp.zip] password:
      inflating: bluehexagon/bh_gcp_registration.py
      inflating: bluehexagon/README.md
      inflating: bluehexagon/main.tf
      inflating: bluehexagon/terraform.tfvars
      inflating: bluehexagon/variables.tf

  • Add the necessary input values in the terraform.tfvars file.

    Key                        Type      Description
    bh_license_ndr             String    Blue Hexagon NG-NDR license
    bh_license_saas            String    Blue Hexagon SaaS license
    environment                String    Environment label
    project_id                 String    GCP Project ID in which you want to deploy Blue Hexagon
    region                     String    GCP Region in which you want to deploy Blue Hexagon
    zones                      String    GCP Zone(s) in which you want to deploy Blue Hexagon
    network                    String    VPC Network in which you want to deploy Blue Hexagon
    subnet                     String    VPC Subnetwork in which you want to deploy Blue Hexagon
    min_auto_scale_count       Integer   Minimum count of Blue Hexagon Inspection VMs
    max_auto_scale_count       Integer   Maximum count of Blue Hexagon Inspection VMs
    enable_security_audit      Boolean   Enable Blue Hexagon Security Audit
    enable_ndr                 Boolean   Enable Blue Hexagon Threat Defense
    enable_flow_logs_monitor   Boolean   Enable Blue Hexagon Flow Logs Monitor

  • Deploy via Terraform

    # Run once
    terraform init

    # Deploy
    terraform apply [--auto-approve]

    # Destroy
    terraform destroy [--auto-approve]

Blue Hexagon Security Audit Setup

To enable Blue Hexagon Security Audit, set enable_security_audit in the provided terraform.tfvars file to true (default is false).

Blue Hexagon Flow Logs Monitor

To enable Blue Hexagon Flow Logs Monitor, set enable_flow_logs_monitor in the provided terraform.tfvars file to true (default is false).

Blue Hexagon Network Threat Defense Setup

The following steps deploy the Blue Hexagon for GCP solution with GCP Packet Mirroring. Blue Hexagon inspects network traffic generated by GCP Compute Engine and GCP Kubernetes Engine workloads to uncover and respond to threats in real time.

A Blue Hexagon representative can assist you to deploy the solution.

Getting Started

Share the email ID of the user or service account performing the deployment, together with the email ID of the Google APIs Service Agent, with your Blue Hexagon representative. Blue Hexagon will in turn share a custom Compute Engine image and add the provided email address as an Image User, as described here.

The Google APIs Service Agent is a Google-managed service account used to access the APIs of Google Cloud Platform services. You can find it in the GCP Console under IAM -> Principals; it has the format {PROJECT_ID}@cloudservices.gserviceaccount.com.

Prerequisites

  • You must have a GCP project with a VPC containing at least one private subnet.

  • The VPC must be configured for Cloud NAT to allow Blue Hexagon virtual appliances deployed in the private subnet to reach out to the Blue Hexagon cloud.

  • The Blue Hexagon Terraform templates create a 0.0.0.0/0 outbound firewall rule to allow outbound communications with the Blue Hexagon cloud; do not remove this rule.

Deployment

Blue Hexagon is deployed as an autoscaling managed instance group behind an internal load balancer in a subnet in your VPC.

Packet Mirroring Configuration

Follow the steps below in the GCP console to configure GCP Packet Mirroring to direct traffic from your source workloads in GCP Compute Engine and GCP Kubernetes Engine to Blue Hexagon deployed in the previous steps.

  • Go to VPC network > Packet mirroring.

  • Create a new Packet Mirroring policy.

  • Define policy overview.

  • Select VPC network containing workloads to mirror.

  • Specify the traffic source that will be mirrored. You can specify the source by selecting:

    • one or more subnets (as shown in this example),

    • instances with matching tags, or

    • individual instances (VMs).

  • Select the newly created internal load balancer (forwarding rule) as the destination of packet mirroring.

  • You can choose to mirror all traffic (default and recommended) or mirror only specific protocols / IP ranges as shown below.

Mirror Only Internet Traffic

GCP Packet Mirroring currently does not support negative filters, i.e. a “not” condition such as not 10.0.0.0/8. To work around this and mirror only internet traffic, specify a filter that lists the public CIDR blocks and thereby leaves out 10.0.0.0/8 internal traffic. IP ranges to use:

  • 128.0.0.0/1
  • 64.0.0.0/2
  • 32.0.0.0/3
  • 16.0.0.0/4
  • 0.0.0.0/5
  • 12.0.0.0/6
  • 8.0.0.0/7
  • 11.0.0.0/8

NOTE: Each CIDR block needs to be added one by one for GCP to recognize it. The whole string above cannot be cut and pasted.
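The eight blocks above are the CIDR complement of 10.0.0.0/8 within 0.0.0.0/0. The script below is an added example (not part of the Blue Hexagon package or its documentation) that uses only the Python standard library `ipaddress` module to verify this, and to compute the same kind of positive filter for any other set of ranges you want to keep out of the mirror. The `RFC1918` list and the sample addresses are constructed for illustration; note that the page's filter, as written, still mirrors 172.16.0.0/12 and 192.168.0.0/16, so the generalised form is what you would enter if those ranges should also stay out of the mirror.

```python
import ipaddress
from typing import Iterable, List

# The eight CIDR blocks from the "Mirror Only Internet Traffic" filter above.
PAGE_FILTER = [
    "128.0.0.0/1", "64.0.0.0/2", "32.0.0.0/3", "16.0.0.0/4",
    "0.0.0.0/5", "12.0.0.0/6", "8.0.0.0/7", "11.0.0.0/8",
]

# Constructed example of a wider exclusion set (all RFC 1918 ranges);
# not taken from the page, chosen only to show the general case.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def complement_of(excluded: Iterable[str],
                  universe: str = "0.0.0.0/0") -> List[ipaddress.IPv4Network]:
    """Shortest CIDR list equal to `universe` minus every block in `excluded`.

    This is the positive-filter equivalent of "not <excluded>", which a
    Packet Mirroring filter cannot express directly.
    """
    remaining = [ipaddress.ip_network(universe)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        survivors = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                                    # wholly excluded: drop
            if ex.subnet_of(net):
                survivors.extend(net.address_exclude(ex))   # carve the hole out
            else:
                survivors.append(net)                       # disjoint: keep
        remaining = survivors
    # collapse_addresses merges any adjacent blocks that can form a larger CIDR
    return sorted(ipaddress.collapse_addresses(remaining))


def as_strings(nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Render networks as the strings you would type into the console, one per entry."""
    return [str(n) for n in nets]


def is_mirrored(address: str, cidr_filter: Iterable[str]) -> bool:
    """True if `address` falls inside any block of a positive CIDR filter."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in cidr_filter)


def covers_exactly(cidr_filter: Iterable[str], excluded: Iterable[str]) -> bool:
    """Check a hand-written filter equals 0.0.0.0/0 minus `excluded`: no gaps, no leaks."""
    given = sorted(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in cidr_filter))
    return given == complement_of(excluded)


def address_count(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Total number of IPv4 addresses covered by a list of networks."""
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    print("page filter == 0.0.0.0/0 minus 10.0.0.0/8:",
          covers_exactly(PAGE_FILTER, ["10.0.0.0/8"]))
    for sample in ("8.8.8.8", "10.1.2.3", "172.16.5.5"):
        print(f"{sample:>12} mirrored by page filter: {is_mirrored(sample, PAGE_FILTER)}")
    print("filter that also leaves out 172.16.0.0/12 and 192.168.0.0/16:")
    for cidr in as_strings(complement_of(RFC1918)):
        print("  ", cidr)
```

Each string returned by `as_strings(complement_of(...))` is one CIDR entry to add to the Packet Mirroring policy, in keeping with the note that GCP accepts the blocks only one at a time.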


Cross-VPC Packet Mirroring

You can set up cross-VPC (and cross-project) Packet Mirroring by following the steps described in the GCP Packet Mirroring documentation.

Peering needs to be set up in both directions, from network1 to network2 and vice versa.

Shared VPC Packet Mirroring

You can set up packet mirroring in a Shared VPC setting by following the steps described in the GCP Packet Mirroring documentation.

Intranode visibility

You can set up packet mirroring to provide intranode visibility (traffic internal to the node, between containers):

https://cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility?hl=en

Verify Setup

If Blue Hexagon and Packet Mirroring are set up correctly, you will see observations from the GCP appliance in the Discover view of the Blue Hexagon portal, as shown below.


Blue Hexagon Proprietary