Discovering Google Cloud Platform
You can access and configure your services by using the . BMC Helix Discovery enables you to discover your cloud services running in Google Cloud Platform (GCP).
Creating a credential
To perform discovery in GCP, you must provide an Access Key (credential) that BMC Helix Discovery uses to access the GCP cloud. You can create the Access Key through the IAM console. Then, use the access key created in the IAM console to add the cloud discovery credential to BMC Helix Discovery.
To create an Access Key in the IAM console
- Create a new service account used for discovery users with the Viewer role, which provides read access to all resources:
- Select JSON to furnish a new private key in JSON format (the access keys are used to make secure queries to the GCP APIs).
You can download the Access Private Key as a JSON file and import it when you create a cloud credential in BMC Helix Discovery.
If you lose the Secret Access Key, you cannot retrieve it from the IAM console. In such a case, you should create a new Access Key and use this key in the BMC Helix Discovery cloud credential. It is recommended to keep a note of the Secret Access Key until you have successfully tested the cloud credential.
- (Optional) If you want to use one service account to scan multiple Google Projects, in the cloud resource manager, add this service account to corresponding Google Projects with a role (Project → Viewer):
To create a cloud credential in BMC Helix Discovery
Create the cloud credential in the same way as any other credential. The cloud credential uses the Access Keys, IDs or passwords as the equivalent of a username and password combination.
- On the BMC Helix Discovery Device Credentials page, click Add and select Cloud Provider.
- On the Add Credential page, click the plus icon next to Credential Types to see the available cloud providers.
- Select Google Cloud Platform.
- Add the usual credential information:
- Add the Service Account Key.
- (Optional) Specify a proxy to use to access. To use a proxy, you must specify the following:
- Username (only for authenticating proxies)
- Password (only for authenticating proxies)
(Optional) The TLS Certificate Check option can be disabled if your proxy uses self-signed certificates.
If you disable the certificate check, your credentials might be intercepted by a man-in-the-middle attack.
- Click Apply.
To test the credential
After you have created the credential, you should test it to ensure that it works:
- On the credentials page, click Devices.
- Filter the list to show cloud credentials.
- Click Actions for the GCP cloud credential you added, and then click Test.
- The default region is US East 1 (S. Carolina).
- Click Test.
The following screenshot shows a successful test:
If the credential test is unsuccessful, click the Failure status to see the details. Ensure that you copied the Secret Access Key correctly. Also ensure that the appliance time is within five minutes of the time GCP uses. The BMC Helix Discovery appliance must be able to access GCP by using HTTPS (port 443).
Time synchronization is essential. You need to ensure that your appliance time is synchronized through Network Time Protocol (NTP). If you do not use NTP, ensure that the appliance time is no more than five minutes from the time GCP uses. GCP uses timestamped authentication, and any discrepancy results in authentication failures.
To run a cloud scan
To perform cloud discovery from the Discovery Status page, use the Add New run control. After that, perform the following steps:
- Click Add New run.
The Add a Cloud Run dialog is displayed.
- Enter a Label for the cloud discovery run.
- To add a scheduled cloud run, select Scheduled and fill in the scheduling information as you would for a typical scheduled discovery run.
- Select Cloud.
- Select Google Cloud Platform as a provider.
- Select the appropriate cloud credential. If none are available, add a new one.
- Select the region to scan, for example, GCP, US East 1 (S. Carolina). You can also select all regions by clicking All.
- Click OK.
To verify results
When you have performed a cloud scan, check the results as represented in the following screenshot:
The following screen represents a BMC Helix Discovery view of the scanned results:
Scanning the hosts running the VMs in the cloud
Perform a regular scan on the hosts running the VMs discovered in the cloud scan. To find these hosts, on the Cloud Overview dashboard, use the Unscanned Cloud Hosts report. Scanning the hosts assumes that the appliance or proxy has network access to hosts running in the cloud; for example, using a VPN. Public IP addresses do not respond to ICMP pings. It is recommended to disable Ping before scanning. Otherwise, all scans are dropped, reporting no response.
You can discover all supported databases in GCP. The following databases are supported:
- Cloud Bigtable
- Cloud SQL:
- SQL Server
- Firebase Realtime Database
The following information is required to discover databases in GCP:
- Endpoint — You can identify the database endpoint by using the RDS Dashboard in the GCP Console.
- Security groups:
- If the endpoint is publicly accessible, you still should set up a security group with a rule to allow access from the IP address from which BMC Helix Discovery connects.
If the database is not publicly accessible, discovery should be running in GCP. You should set up security to allow access from the Virtual Private Cloud (VPC) that BMC Helix Discovery is running on and be a part of a security group with a rule to allow access from the IP address BMC Helix Discovery connects to.
In GCP, all security groups prevent access by default; you should enable access ports in a security group before any access is allowed.
To summarize, you should configure security groups that enable the BMC Helix Discovery appliance to access the database. This depends on how you have configured your GCP cloud services.
- Incoming connections — You should permit incoming connections with a rule for an IP address or set of IP addresses. For example, to permit access to a MySQL database from a single IP address, add a rule with the following parameters:
- Type — MySQL
- Protocol — TCP
- Port Range — 3306
- Source — 22.214.171.124/32
Then, the database can be discovered as any of your other MySQL databases.
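A check for the rule described above, added here as an example (not BMC or Google code): it flags inbound rules whose source is wider than the single appliance address or whose port range is wider than the database port. The rule dictionary keys, `audit_rule`, and the 203.0.113.x addresses are assumptions constructed for illustration.

```python
import ipaddress

DB_PORTS = {3306: "MySQL"}  # port taken from the rule on this page


def audit_rule(rule, appliance_ip, max_addresses=1):
    """Return findings for one inbound rule dict (hypothetical keys: protocol, port_range, source)."""
    findings = []
    net = ipaddress.ip_network(rule["source"], strict=False)
    low, _, high = rule["port_range"].partition("-")
    ports = range(int(low), int(high or low) + 1)
    if net.prefixlen == 0:
        findings.append("source is open to every address")
    elif net.num_addresses > max_addresses:
        findings.append(f"source covers {net.num_addresses} addresses, expected {max_addresses}")
    if ipaddress.ip_address(appliance_ip) not in net:
        findings.append("appliance address is outside the source range")
    if not any(port in ports for port in DB_PORTS):
        findings.append("rule does not cover a known database port")
    elif len(ports) > 1:
        findings.append(f"rule opens {len(ports)} ports where one is needed")
    if rule["protocol"].upper() != "TCP":
        findings.append("protocol is not TCP")
    return findings


# Constructed sample rules; addresses come from the documentation range 203.0.113.0/24.
APPLIANCE = "203.0.113.10"
RULES = {
    "tight": {"protocol": "TCP", "port_range": "3306", "source": "203.0.113.10/32"},
    "open": {"protocol": "TCP", "port_range": "3306", "source": "0.0.0.0/0"},
    "wide": {"protocol": "TCP", "port_range": "3000-4000", "source": "203.0.113.0/24"},
    "wrong_host": {"protocol": "TCP", "port_range": "3306", "source": "203.0.113.77/32"},
}

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name, audit_rule(rule, APPLIANCE) or "ok")
```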
BMC Helix Discovery database credential
To discover a Database, appropriate Database credentials must be created.
GCP discovery patterns
The GCP discovery patterns are available on the Manage > Knowledge page. They are in the Pattern modules list under Cloud > Google Cloud Platform.
GCP labels discovery
GCP labels are modeled as tag attributes.
Timeout error while scanning on a virtual machine
The timeout error might occur during a scan of all Google regions when IPv6 is enabled on a VM or from AWS Outposts, but IPv6 addresses are not working in your network.
1. Check if IPv6 is enabled by executing the following command:
ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
2. Check if IPv6 is working by executing the following commands:
[root@centos ~]# ping6 accounts.google.com
PING accounts.google.com(muc11s02-in-x0d.1e100.net (2a00:1450:4016:801::200d)) 56 data bytes
64 bytes from muc11s02-in-x0d.1e100.net (2a00:1450:4016:801::200d): icmp_seq=1 ttl=55 time=7.31 ms
[root@centos ~]# ping6 www.googleapis.com
PING www.googleapis.com(fra16s14-in-x0a.1e100.net (2a00:1450:4001:81a::200a)) 56 data bytes
64 bytes from fra16s14-in-x0a.1e100.net (2a00:1450:4001:81a::200a): icmp_seq=1 ttl=58 time=0.848 ms
3. If IPv6 is enabled and active, you should disable it by executing the following commands:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
You can also use PowerShell to disable IPv6 for scanning from AWS Outposts. To do so, perform the following steps:
1. Open PowerShell as administrator.
2. Execute the following command to get all the network adapter names with IPv6 enabled:
Get-NetAdapterBinding -ComponentID ms_tcpip6
3. Disable IPv6 on a specific network adapter by executing the following command:
# Replace "NetAdapterName" with the actual network adapter name that you got with the earlier command.
Disable-NetAdapterBinding -Name "NetAdapterName" -ComponentID ms_tcpip6
4. (Optional) To turn off IPv6 on all network adapters, execute the following PowerShell command:
Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6
5. Close the PowerShell window.