Quickstart: GCP

Getting started with GCP

How Fusion integrates to GCP

Netography Fusion has the following integration points to GCP:

  1. Fusion ingests VPC flow logs from GCP.
  2. Fusion ingests asset context from GCP for context enrichment.
  3. Fusion ingests Cloud DNS resolver logs from GCP.

Diagram of GCP integration to Fusion

See Diagram: GCP Integration to Fusion

Video Guides

See the GCP 🎥 Video Guides to watch videos of the setup steps.

Steps to integrate to GCP

Each page in these instructions will walk you through the steps to integrate GCP with Netography Fusion:

  • Enable VPC flow logs
  • Create a Pub/Sub topic
  • Create a Cloud Logging Sink Pub/Sub for the topic
  • Logging sink design patterns
  • Create a Pub/Sub Pull Subscription to the topic
  • Give Netography's GCP service account permission to be added as a principal to the Pub/Sub subscription
  • Add Netography's GCP service account as a principal for the Pub/Sub subscription
  • Add GCP as a new traffic source in Netography Fusion
  • Adding Context Integration for GCP to Netography Fusion
  • Enabling Cloud DNS logging and adding Cloud DNS as a Traffic Source in Netography Fusion

Onboarding multiple projects and folders in a GCP organization

You can onboard an entire GCP organization or folder by following the steps outlined in these documents one time.

You only need to create 1 GCP Pub/Sub topic, 1 GCP Cloud Logging aggregated sink, 1 GCP Pub/Sub subscription, and 1 Fusion GCP flow source to onboard GCP VPC flow logs to Fusion for as many VPCs, subnets, projects, and sub-folders as you have in your GCP organization, or in a single folder of your GCP organization.

If you need more granular control over which enabled VPC flow logs are routed to Netography, you can create 1 GCP Pub/Sub topic, 1 GCP Pub/Sub subscription, 1 Fusion GCP flow source, and as many Cloud Logging sinks as you need (e.g., 1 per project), all routed to the same topic.

Additional information on using an aggregated logging sink, including its benefits and limitations, is in our document Logging sink design patterns.
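The "one topic, one aggregated sink, one pull subscription" layout described above, written out as an added Terraform example (this is not code from Netography's neto-onboarding project). It assumes an organization-level sink and the `google` provider; the project id, organization id and Netography's service account email are placeholders you must replace.

```hcl
# Added example, not Netography's own automation. Values in <angle brackets>
# are placeholders (assumptions), not identifiers from the documentation.

variable "project_id" { default = "<your-project-id>" } # project that owns the topic
variable "org_id"     { default = "<your-org-id>" }     # numeric GCP organization id
variable "neto_sa"    { default = "<netography-sa>@<project>.iam.gserviceaccount.com" }

# 1 Pub/Sub topic that every sink in the organization publishes to.
resource "google_pubsub_topic" "vpc_flows" {
  name    = "netography-vpc-flows"
  project = var.project_id
}

# 1 aggregated Cloud Logging sink: include_children routes logs from all
# projects and sub-folders; the filter keeps only VPC flow log entries.
resource "google_logging_organization_sink" "vpc_flows" {
  name             = "netography-vpc-flows"
  org_id           = var.org_id
  include_children = true
  destination      = "pubsub.googleapis.com/${google_pubsub_topic.vpc_flows.id}"
  filter           = "resource.type=\"gce_subnetwork\" AND logName:\"compute.googleapis.com%2Fvpc_flows\""
}

# The sink writes with its own service account; grant it publisher on the
# topic only (no project-wide role).
resource "google_pubsub_topic_iam_member" "sink_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.vpc_flows.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_organization_sink.vpc_flows.writer_identity
}

# 1 pull subscription that Fusion's GCP flow source reads from.
resource "google_pubsub_subscription" "vpc_flows" {
  name                       = "netography-vpc-flows-pull"
  project                    = var.project_id
  topic                      = google_pubsub_topic.vpc_flows.id
  ack_deadline_seconds       = 60
  message_retention_duration = "86400s" # bound the backlog if the puller is disconnected
  expiration_policy { ttl = "" }        # never auto-delete the subscription
}

# Netography's service account is a principal on this subscription only,
# with the subscriber role: it can pull messages but not publish or
# read anything else in the project.
resource "google_pubsub_subscription_iam_member" "neto_subscriber" {
  project      = var.project_id
  subscription = google_pubsub_subscription.vpc_flows.name
  role         = "roles/pubsub.subscriber"
  member       = "serviceAccount:${var.neto_sa}"
}
```

For the per-project pattern, replace the organization sink with one `google_logging_project_sink` per project pointing at the same topic, and give each sink's `writer_identity` the same publisher binding.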


Using Terraform to automate onboarding

Access Netography's Terraform automation at our GitHub repo: https://github.com/netography/neto-onboarding. For access to the repo, email your GitHub ID to [email protected].

The instructions linked from this page are suitable for onboarding one or a small number of cloud accounts manually or using as a reference for building automation for larger scale deployment. In addition to these instructions, Netography provides a Terraform project, neto-onboard, that provides Netography Fusion Cloud Onboarding Automation for AWS Organizations, Azure Tenants, and GCP Organizations.

Each cloud has 2 Terraform deployment options - full and simple.

The simple deployment deploys all the resources needed to integrate the cloud with Fusion and perform context enrichment in a single deployment. You specify a target set of accounts/subscriptions/projects at deployment time. You can redeploy the automation to change the scope of monitoring or when you need to onboard new accounts or networks to Fusion. This is suitable for a trial, or for a relatively static cloud environment or one with a limited number of accounts and networks.

The full deployment provides the following:

  • Enables and configures AWS VPC flow logs, Azure VNet flow logs, and GCP VPC flow logs based on a simple policy and tags that define which VPCs/VNets are in scope.
  • Deploys all the infrastructure required to integrate with Fusion across multiple accounts (AWS), subscriptions (Azure), and projects (GCP) in a single deployment.
  • Adds VPCs/VNets configured for flow logging to Netography Fusion as traffic sources.
  • Deploys a single AWS Lambda function, Azure Function, or Google Function that provides context enrichment across all the accounts/subscriptions/projects as an outbound push from your cloud to the Fusion API, eliminating the need to add context integrations from the Fusion portal, to grant Netography permissions to directly enumerate resource properties, or to add individual context integrations in Fusion for each cloud account.
  • Monitors for VPC/VNet changes and triggers enabling and configuring flow logs, onboarding to Fusion new VPCs/VNets that are in scope, and offboarding VPCs/VNets that are removed or no longer in scope.


, or using Netography's neto-onboarding Terraform automation.


If you have GCP organization policy constraints in place, you may be unable to perform these steps until you update the organizational policies.

If you receive an error referring to an organization policy, update the policy and retry. Updating an organization policy requires the Organization Policy Administrator role (roles/orgpolicy.policyAdmin).