Discovering Google Cloud Platform


BMC Helix Discovery enables you to discover the cloud services that you run in Google Cloud Platform (GCP). You access and configure those services by using the Google Cloud console.


Before you begin

For an appliance to collect data and discover GCP, the following prerequisites are required:

  • In the Google Cloud console, enable the Cloud Resource Manager API. For more details, see Cloud Resource Manager API.

  • In the Google Cloud console, enable the appropriate Google Cloud API for each GCP service that you want to discover. For detailed steps on how to enable APIs for GCP services and obtain permissions, see Cloud APIs.

Important

GCP discovery performance was significantly improved by reducing the number of authentications (acquiring new tokens) and by reusing connection pools between requests.

Creating a credential

To perform discovery in GCP, you must provide a service account key (called an Access Key in the steps below) with which BMC Helix Discovery can access GCP. You create the key for a service account in the GCP Identity and Access Management (IAM) console. Then, add a cloud credential in BMC Helix Discovery that uses the key you downloaded from the IAM console.

To create an Access Key in the IAM console

  1. Create a new service account for discovery and grant it the Viewer role, which provides read access to all resources in the project. Viewer is a basic role that covers the whole project, and the key you download in the next step is a long-lived credential, so treat the key file as you would a password:
    image2018-7-18_14-23-15.png

  2. Select JSON to create a new private key in JSON format (the key is used to make authenticated queries to the GCP APIs).
    image2018-7-18_14-28-38.png
  3. Download the private key as a JSON file and import it when you create a cloud credential in BMC Helix Discovery.

    If you lose the key file, you cannot retrieve the private key from the IAM console; Google keeps only the public half. In such a case, create a new key and use it in the BMC Helix Discovery cloud credential. Keep the key file in a safe place until you have successfully tested the cloud credential, and delete keys that you no longer use from the service account.

  4. (Optional) If you want to use one service account to scan multiple Google projects, in the Cloud Resource Manager add this service account to each of those projects with the Project → Viewer role:
    image2018-7-18_16-23-2.png

To create a cloud credential in BMC Helix Discovery

Create the cloud credential in the same way as any other credential. The cloud credential uses access keys, IDs, or passwords as the equivalent of a username and password combination.

  1. On the BMC Helix Discovery Device Credentials page, click Add and select Cloud Provider.
  2. On the Add Credential page, click the plus icon next to Credential Types to see the available cloud providers.
  3. Select Google Cloud Platform.
  4. Add the usual credential information:
    • Label
    • Description
  5. Add the Service Account Key.
  6. (Optional) Specify a proxy to use to access GCP. To use a proxy, you must specify the following:
    • Hostname
    • Port
    • Username (only for authenticating proxies)
    • Password (only for authenticating proxies)
  7. (Optional) The TLS Certificate Check option can be disabled if your proxy uses self-signed certificates. 

    Important

    If you disable the certificate check, the appliance no longer verifies the identity of the proxy, so a man-in-the-middle could impersonate it and intercept your credentials.

  8. Click Apply.

To test the credential

After you have created the credential, you should test it to ensure that it works:

  1. On the credentials page, click Devices.
  2. Filter the list to show cloud credentials.
  3. Click Actions for the GCP cloud credential you added, and then click Test.
  4. The default region is US East 1 (S. Carolina); change it if you want to test against a different region.
  5. Click Test.
    The following screenshot shows a successful test:
    image2018-7-18_18-22-21.png

If the credential test is unsuccessful, click the Failure status to see the details. Ensure that the key file was imported intact. Also ensure that the appliance time is within five minutes of the time GCP uses. The BMC Helix Discovery appliance must be able to reach GCP by using HTTPS (port 443).

Time setting

Time synchronization is essential. Ensure that your appliance time is synchronized through Network Time Protocol (NTP). If you do not use NTP, ensure that the appliance time is within five minutes of the time GCP uses. Service account authentication uses signed, timestamped tokens, and a larger clock discrepancy results in authentication failures.
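The following added example (not BMC or Google code) shows the checks a practitioner can run on a downloaded service account key before importing it as the cloud credential described above, and why the five-minute clock tolerance matters: the key is used to sign a JWT whose iat and exp claims come from the appliance clock. SAMPLE_KEY_JSON is a constructed placeholder, not a real key, and the OAuth scope used in the claims is an assumption for illustration.

```python
"""Pre-flight checks on a GCP service account key before importing it into
BMC Helix Discovery.  Added example for this page, not BMC or Google code.
SAMPLE_KEY_JSON is a constructed placeholder whose private_key only has the
shape of a PEM block; it is not a usable key."""
import json
import re

# Fields present in every service-account key file downloaded from the IAM console.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)
PEM_RE = re.compile(
    r"^-----BEGIN PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+-----END PRIVATE KEY-----\n?$"
)
GOOGLE_TOKEN_URI = "https://oauth2.googleapis.com/token"
MAX_SKEW_SECONDS = 5 * 60     # the five-minute tolerance the page describes
ASSERTION_LIFETIME = 3600     # Google rejects assertions valid for more than one hour
ASSUMED_SCOPE = "https://www.googleapis.com/auth/cloud-platform.read-only"  # assumption

SAMPLE_KEY_JSON = json.dumps({                       # constructed placeholder
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw\n"
                   "ggSjAgEAAoIBAQC0placeholder=\n-----END PRIVATE KEY-----\n",
    "client_email": "discovery@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": GOOGLE_TOKEN_URI,
})


def check_key_file(text):
    """Return a list of problems with a key file; an empty list means it looks usable."""
    try:
        key = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    # A key created for a new service account belongs to the project that issued it.
    expected_suffix = f"@{key['project_id']}.iam.gserviceaccount.com"
    if not key["client_email"].endswith(expected_suffix):
        problems.append(f"client_email does not end with {expected_suffix}")
    if not PEM_RE.match(key["private_key"]):
        problems.append("private_key is not a PEM PRIVATE KEY block (file edited or truncated?)")
    if key["token_uri"] != GOOGLE_TOKEN_URI:
        problems.append(f"unexpected token_uri {key['token_uri']!r}")
    return problems


def build_assertion_claims(text, now_epoch, scope=ASSUMED_SCOPE):
    """Claims of the JWT that the private key signs when it is exchanged for an
    access token.  iat/exp are taken from the local clock, which is why the
    appliance time must be close to Google's."""
    key = json.loads(text)
    return {
        "iss": key["client_email"],
        "scope": scope,
        "aud": key["token_uri"],
        "iat": now_epoch,
        "exp": now_epoch + ASSERTION_LIFETIME,
    }


def clock_skew_ok(appliance_epoch, reference_epoch, max_skew=MAX_SKEW_SECONDS):
    """True when the appliance clock is within max_skew seconds of the reference time."""
    return abs(appliance_epoch - reference_epoch) <= max_skew


if __name__ == "__main__":
    print("problems:", check_key_file(SAMPLE_KEY_JSON))
    print("claims:", build_assertion_claims(SAMPLE_KEY_JSON, 1_700_000_000))
    print("skew of 6 minutes accepted:", clock_skew_ok(1_700_000_000, 1_700_000_360))
```

Run it against the real key file by passing the file's contents to check_key_file; a non-empty list explains why a credential test is likely to fail before you import anything.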

To run a cloud scan

To perform cloud discovery from the Discovery Status page:

  1. Select Manage > Discovery.
  2. Click Add New Run.
    The Add a New Run modal window is displayed.
    GCP cloud run.png

  3. Update the fields as described in the following table:

Field name

Details

Label

Enter a label for the discovery run. This label is shown where the discovery run is referred to in the UI.

Timing

Select Snapshot to run an immediate cloud scan, or select Scheduled and fill in the scheduling information to run a scheduled cloud run.

Targeting

Select the target for the discovery run. In this case, select Cloud.

Provider

Specify the type of cloud provider. In this case, select Google Cloud Platform. The modal window refreshes with fields appropriate to the provider selected.

Credential

Select the credential to use for the discovery run. The list is populated with valid credentials for the selected provider. If none are available, add a new one.

Regions

Click List of regions to scan for a complete list and select regions to scan; for example, US East 1 (S. Carolina). GCP also provides service and regulatory domain groups to scan, enabling you to select all regions in that service or domain.

Identity-Aware Proxy Sessions

Select whether to enable the use of the GCP Identity-Aware Proxy for the scan.

Active Sessions

Select the number of active GCP sessions permitted each second. The default value is fifty.

Session Logging

Choose whether to enable session logging for this scan. Session logging captures raw discovery data that can be used to diagnose discovery and data quality issues. The default is not to capture session logs.
You only need to capture session logs when raising a customer support case. This option is not available for Scheduled runs. For information on viewing session logs, see If you encounter a problem.

  4. Click OK to save the cloud scan settings and close the modal window. If you have configured a snapshot run, you can see it running immediately in the Currently Processing Runs tab. If you have configured a scheduled run, it is listed in the Scheduled Runs tab.

To verify results

When you have performed a cloud scan, verify the results as represented in the following screenshot:

image2018-7-19_11-58-17.png

The following screenshot represents a BMC Helix Discovery view of the scanned results:

image2018-7-19_11-56-47.png

Scanning the hosts

You can perform a GCP host scan in the following ways:

  • A regular IP scan that discovers hosts only. For more information, see Performing a discovery run.

  • An implicit cloud scan by using GCP IAP (Identity-Aware Proxy). This scan discovers VMs and related hosts. To initiate this type of scan, enable the Identity-Aware Proxy Sessions feature when you configure a cloud discovery run. For more information, see Discovering hosts in GCP by using IAP.

Database discovery

You can discover all supported databases in GCP. The following databases are supported:

  • BigQuery
  • Cloud Bigtable
  • Cloud SQL:
    • MySQL
    • PostgreSQL
    • SQL Server
  • Firebase Realtime Database
  • Memorystore:
    • Redis

The following information is required to discover databases in GCP:

  • Endpoint — You can identify the database endpoint (IP address or connection name) from the database service's page in the Google Cloud console; for Cloud SQL, this is the Cloud SQL Instances page.
  • Network access — GCP controls access with VPC firewall rules (and, for a Cloud SQL instance with a public IP, the instance's authorized networks list):
    • If the endpoint is publicly accessible, you still must add a rule that allows access from the IP address from which BMC Helix Discovery connects.
    • If the database is not publicly accessible, discovery should run inside GCP. Allow access from the Virtual Private Cloud (VPC) network in which BMC Helix Discovery runs, with a rule that permits the appliance's IP address.

      In GCP, ingress traffic is denied by default; you must add a firewall rule that opens the database port before any access is allowed.

    • To summarize, configure firewall rules that let the BMC Helix Discovery appliance reach the database. The details depend on how you have configured your GCP cloud services.
  • Incoming connections — Permit incoming connections with a rule for a single IP address or a set of addresses, and keep the source range as narrow as possible. For example, to permit access to a MySQL database from a single IP address, add an ingress rule with the following parameters:
    • Type — MySQL
    • Protocol — TCP
    • Port — 3306
    • Source — 77.168.1.100/32

Then, the database can be discovered like any of your other MySQL databases.
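The following added example (not BMC or Google code) models the ingress rule above and checks whether a given appliance address can reach the database port. The rule set is constructed for illustration; the evaluation order follows GCP's documented VPC firewall semantics (lower priority number first, deny before allow at equal priority, implied deny for ingress that matches nothing). It also flags allow rules whose source is the whole Internet, which is the mistake to avoid when opening a database port. Cloud SQL authorized networks are not modelled.

```python
"""Decide whether the BMC Helix Discovery appliance can reach a database port
through GCP VPC firewall rules.  Added example for this page, not BMC or Google
code.  SAMPLE_RULES and BROAD_RULES are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallRule:
    name: str
    priority: int                 # 0-65535; lower number is evaluated first
    action: str                   # "allow" or "deny"
    protocol: str                 # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()             # (low, high) pairs; empty means every port
    source_ranges: tuple = ("0.0.0.0/0",)

    def matches(self, src_ip, protocol, port):
        """True if this rule applies to a packet from src_ip to protocol/port."""
        if self.protocol not in ("all", protocol):
            return False
        if self.ports and not any(lo <= port <= hi for lo, hi in self.ports):
            return False
        addr = ipaddress.ip_address(src_ip)
        # An IPv4 address is never "in" an IPv6 network, and vice versa.
        return any(addr in ipaddress.ip_network(r, strict=False)
                   for r in self.source_ranges)


def ingress_allowed(rules, src_ip, protocol, port):
    """Return (allowed, rule_name) for an ingress connection.

    Rules are applied in priority order; at equal priority a deny rule is
    evaluated before an allow rule, and ingress that matches no rule is
    rejected by GCP's implied deny rule."""
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if rule.matches(src_ip, protocol, port):
            return rule.action == "allow", rule.name
    return False, "implied-deny-ingress"


def wide_open(rules, protocol, port):
    """Names of allow rules that expose protocol/port to every source address."""
    everything = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))
    names = []
    for rule in rules:
        if rule.action != "allow" or rule.protocol not in ("all", protocol):
            continue
        if rule.ports and not any(lo <= port <= hi for lo, hi in rule.ports):
            continue
        if any(ipaddress.ip_network(s, strict=False) in everything
               for s in rule.source_ranges):
            names.append(rule.name)
    return names


# Constructed rule set: the single-address MySQL rule from the page plus a
# higher-precedence deny for a neighbouring office range.
DISCOVERY_IP = "77.168.1.100"
SAMPLE_RULES = (
    FirewallRule("allow-discovery-mysql", 1000, "allow", "tcp",
                 ((3306, 3306),), (f"{DISCOVERY_IP}/32",)),
    FirewallRule("deny-office-net", 900, "deny", "all", (), ("77.168.2.0/24",)),
)
# The same set with the over-broad rule an administrator might add "to make it work".
BROAD_RULES = SAMPLE_RULES + (
    FirewallRule("allow-mysql-anywhere", 1000, "allow", "tcp", ((3306, 3306),)),
)


if __name__ == "__main__":
    for ip in (DISCOVERY_IP, "77.168.1.101", "77.168.2.5"):
        print(ip, "-> tcp/3306:", ingress_allowed(SAMPLE_RULES, ip, "tcp", 3306))
    print("wide open on 3306:", wide_open(BROAD_RULES, "tcp", 3306))
```

Feed the function your real rule set (name, priority, action, protocol, port ranges and source ranges are the fields shown in the console's firewall rule list) with the appliance's source address; an implied-deny result means the database port is still closed to discovery even though the endpoint is public.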

BMC Helix Discovery database credential

Important

To discover a database, you must create the appropriate database credentials in BMC Helix Discovery.

GCP discovery patterns

The GCP discovery patterns are available on the Manage > Knowledge page. They are in the Pattern modules list under Cloud > Google Cloud Platform.

GCP labels discovery

GCP labels on discovered resources are modeled as tag attributes in BMC Helix Discovery.

Troubleshooting

An API service does not have any resources

When running a GCP cloud scan, BMC Helix Discovery shows the following:

API <service_name> does not have any resources

This message appears when BMC Helix Discovery queries a service in which no resources exist. It is expected and does not indicate a misconfiguration.

Timeout error while scanning on a virtual machine

A timeout error might occur during a scan of all Google regions when IPv6 is enabled on the VM (or on a host in AWS Outposts) but IPv6 addresses are not routable in your network: the appliance tries the IPv6 address of the Google endpoints first and waits for it to fail.

  1. Check whether IPv6 is enabled by executing ifconfig (or ip -6 addr); an inet6 line in the output means it is, for example:

     ifconfig
     lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
         inet 127.0.0.1  netmask 255.0.0.0
         inet6 ::1  prefixlen 128  scopeid 0x10<host>

  2. Check whether IPv6 is working by pinging the Google endpoints that the scan uses:

     [root@centos ~]# ping6 accounts.google.com
     PING accounts.google.com(muc11s02-in-x0d.1e100.net (2a00:1450:4016:801::200d)) 56 data bytes
     64 bytes from muc11s02-in-x0d.1e100.net (2a00:1450:4016:801::200d): icmp_seq=1 ttl=55 time=7.31 ms
     [root@centos ~]# ping6 www.googleapis.com
     PING www.googleapis.com(fra16s14-in-x0a.1e100.net (2a00:1450:4001:81a::200a)) 56 data bytes
     64 bytes from fra16s14-in-x0a.1e100.net (2a00:1450:4001:81a::200a): icmp_seq=1 ttl=58 time=0.848 ms

     If these pings receive replies, as above, IPv6 is working and is not the cause of the timeout. If they time out, IPv6 is enabled but not usable in your network.

  3. If IPv6 is enabled but not working, disable it by executing the following commands:

     sysctl -w net.ipv6.conf.all.disable_ipv6=1
     sysctl -w net.ipv6.conf.default.disable_ipv6=1

     These settings do not survive a reboot; to make them permanent, add the same two keys to /etc/sysctl.conf (or a file under /etc/sysctl.d/).

You can also use PowerShell to disable IPv6 for scanning from AWS Outposts. To do so, perform the following steps:

  1. Open PowerShell as administrator.
  2. Execute the following command to list the network adapters that have IPv6 enabled:

     Get-NetAdapterBinding -ComponentID ms_tcpip6

  3. Disable IPv6 on a specific network adapter by executing the following command. Replace "NetAdapterName" with the adapter name from the previous command:

     Disable-NetAdapterBinding -Name "NetAdapterName" -ComponentID ms_tcpip6

  4. (Optional) To turn off IPv6 on all network adapters, execute the following command:

     Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

  5. Close the PowerShell window.

 
