GCP Overview

GCP Project and GCP Folders

Multicloud Defense currently supports both GCP projects and GCP folders, but the two are onboarded separately and have different capabilities. Note the following limitations and exceptions for each option.

A GCP project contains GCP resources such as virtual machines, storage buckets, and databases, and is the unit in which Google Cloud services are created, enabled, and used.

  • Projects can be onboarded with Terraform, manual onboarding, or scripted onboarding.

  • Projects are ideal for environments that require orchestration, including discovery and investigation.

  • You can interact with each project individually through the Multicloud Defense dashboard.

As of Version 23.10 you can connect a GCP folder with Terraform. A GCP folder contains projects, other folders, or a combination of both; within an organization resource, folders group projects under the organization node in a hierarchy.

  • Folders on which the roles/compute.admin role has not been granted are treated as empty and are not used.

  • Projects under an onboarded folder are used for asset and traffic discovery only.

  • Projects under an onboarded folder do not support orchestration of service VPC or gateway creation.

  • IAM grants for a folder are made at the folder level in the GCP console, so Multicloud Defense likewise acts at the folder level.

To onboard a GCP folder, see the Terraform repository.

Overview Procedure

The following is an overview of how to connect your GCP project. Multicloud Defense provides a shell script, run as part of the onboarding wizard, that automates the following steps so you do not have to perform them yourself:

  1. Create two service accounts.

  2. Enable the Compute Engine and Secret Manager APIs.

  3. Create two VPCs: a management VPC and a datapath VPC.

  4. Create firewall rules in the datapath VPC that allow application traffic to the Multicloud Defense Gateway.

  5. Create firewall rules in the management VPC that allow management traffic from the Multicloud Defense Gateway to the Multicloud Defense Controller.

If the script does not work, or if you need to change settings manually, the same actions can be performed in the GCP Cloud Console web UI or with the gcloud CLI. See the alternative method of connecting your project here.
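The five automated steps expressed as gcloud CLI commands, written here as an added example rather than the Multicloud Defense script itself. The resource names (prefix mcd), region, subnet ranges, the controller address range, the ports, and the IAM role bindings (roles/compute.admin for the controller account, roles/secretmanager.secretAccessor for the gateway account) are assumptions chosen for illustration; take the actual values from the onboarding wizard. The script prints its plan by default (DRY_RUN=1) so the IAM grants and firewall scope can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example (not the Multicloud Defense onboarding script): the five automated
# steps as gcloud CLI commands. Every name, range, port and role below is an
# ASSUMPTION for illustration; use the values your onboarding wizard shows.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"                  # assumed project ID
REGION="${REGION:-us-central1}"                       # assumed region
PREFIX="${PREFIX:-mcd}"                               # assumed resource-name prefix
MGMT_RANGE="${MGMT_RANGE:-10.10.0.0/24}"              # assumed management subnet
DATA_RANGE="${DATA_RANGE:-10.20.0.0/24}"              # assumed datapath subnet
CONTROLLER_CIDR="${CONTROLLER_CIDR:-203.0.113.0/24}"  # assumed controller range (TEST-NET-3 placeholder)
DRY_RUN="${DRY_RUN:-1}"                               # 1 prints the plan, 0 executes it

# Print the command in dry-run mode, otherwise execute it. Reading the printed
# plan first is the simplest check on IAM grants and firewall scope.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Service account e-mail for the given short name (controller or gateway).
sa_email() {
  printf '%s-%s@%s.iam.gserviceaccount.com' "$PREFIX" "$1" "$PROJECT"
}

# Step 1: two service accounts, one for the controller's orchestration and one
# attached to gateway VMs. Keep the identities separate; the role bindings are
# assumptions, so grant only the roles the wizard documents.
create_service_accounts() {
  run gcloud iam service-accounts create "${PREFIX}-controller" \
    --project="$PROJECT" --display-name="Multicloud-Defense-controller"
  run gcloud iam service-accounts create "${PREFIX}-gateway" \
    --project="$PROJECT" --display-name="Multicloud-Defense-gateway"
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$(sa_email controller)" --role="roles/compute.admin"
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$(sa_email gateway)" --role="roles/secretmanager.secretAccessor"
}

# Step 2: the two APIs the overview lists.
enable_apis() {
  run gcloud services enable compute.googleapis.com secretmanager.googleapis.com \
    --project="$PROJECT"
}

# Step 3: management and datapath VPCs, custom-mode so no default subnets appear,
# each with one regional subnet.
create_vpcs() {
  for net in management datapath; do
    run gcloud compute networks create "${PREFIX}-${net}" \
      --project="$PROJECT" --subnet-mode=custom
  done
  run gcloud compute networks subnets create "${PREFIX}-management-${REGION}" \
    --project="$PROJECT" --network="${PREFIX}-management" --region="$REGION" --range="$MGMT_RANGE"
  run gcloud compute networks subnets create "${PREFIX}-datapath-${REGION}" \
    --project="$PROJECT" --network="${PREFIX}-datapath" --region="$REGION" --range="$DATA_RANGE"
}

# Step 4: application traffic to the gateway in the datapath VPC. Ports and the
# open source range are assumptions for an Internet-facing gateway; narrow them
# for east-west use. The target tag confines the rule to gateway instances.
create_datapath_rules() {
  run gcloud compute firewall-rules create "${PREFIX}-datapath-allow-app" \
    --project="$PROJECT" --network="${PREFIX}-datapath" --direction=INGRESS \
    --allow=tcp:80,tcp:443 --source-ranges=0.0.0.0/0 --target-tags="${PREFIX}-gateway"
}

# Step 5: management traffic from the gateway to the controller in the management
# VPC, scoped to the controller's range rather than to all egress.
create_management_rules() {
  run gcloud compute firewall-rules create "${PREFIX}-management-allow-controller" \
    --project="$PROJECT" --network="${PREFIX}-management" --direction=EGRESS \
    --allow=tcp:443 --destination-ranges="$CONTROLLER_CIDR" --target-tags="${PREFIX}-gateway"
}

# Runs the five steps in the order the overview lists them.
plan() {
  create_service_accounts
  enable_apis
  create_vpcs
  create_datapath_rules
  create_management_rules
}

plan
```

Run it once with the default DRY_RUN=1 and read the plan, then rerun with DRY_RUN=0 in an authenticated gcloud session. Two caveats: GCP's implied rules already allow all egress, so the step 5 rule only has an effect if a deny-egress rule exists in the management VPC; and roles/compute.admin is a broad role, so confirm the role set the wizard actually requires before granting it.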