GCP: Enable VPC Flow Logs
To enable GCP VPC flow logs, follow the steps below.
Procedure
Step 1 | In the GCP console, navigate to VPC network.
Step 2 | To enable the VPC flow log, select the subnet.
Step 3 | Ensure that flow logs are turned On. If they are off, click the Edit option and turn flow logs on.
Step 4 | Turn on flow logs on all subnets where you want to enable flow logs.
Step 5 | Navigate to the Cloud Storage section and create a storage bucket. You can leave everything at its default when creating the storage bucket.
Step 6 | Navigate to the Logs Router section.
Step 7 | Click Create Sink.
Step 8 | Enter a name for the sink.
Step 9 | Select Cloud Storage bucket as the sink service.
Step 10 | Select the cloud storage bucket that was created above.
Step 11 | In the Choose logs to include in sink section, enter this string: If you are sharing the cloud storage bucket, you only need to perform the remaining steps of this procedure once.
Step 12 | Click Create Sink.
Step 13 | Navigate to .
Step 14 | Create one custom role with this permission:
Step 15 | Create one custom role with the following permission:
Step 16 | Add both custom roles to the service account created for the Multicloud Defense Controller. When adding the second custom role, enter the following condition:
Step 17 | Navigate to Pub/Sub.
Step 18 | Click Create Topic.
Step 19 | Provide a Topic name and click Create.
Step 20 | Click Subscriptions. A subscription is created for the topic created in step 18.
Step 21 | Edit the subscription.
Step 22 | Change the Delivery type to Push.
Step 23 | Enter this as the endpoint URL: Multicloud Defense automatically assigns the tenant name. To see the tenant name, navigate to the Multicloud Defense Controller and click on your username.
Step 24 | Click Update.
Step 25 | Open a Google Cloud Shell and execute the following command:
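The console procedure above done with the gcloud CLI, as an added example that is not part of the original page or of the Multicloud Defense documentation; it also adds a check, not in the procedure, that lists subnets still lacking flow logs. The project, bucket, sink and topic names are constructed placeholders, an authenticated gcloud is assumed, and the sink filter and push endpoint URL that the procedure supplies are left as placeholders for the operator to fill in (the custom-role steps 13-16 are not scripted here).

```shell
#!/bin/sh
# Added example, not from the page: the console steps done with the gcloud CLI.
# Assumes an authenticated gcloud; the names below are constructed placeholders.
set -eu

PROJECT="${PROJECT:-example-project}"
BUCKET="${BUCKET:-example-flow-logs-bucket}"
SINK="${SINK:-vpc-flow-logs-sink}"
TOPIC="${TOPIC:-vpc-flow-logs-topic}"
# The sink filter and push endpoint are the values the procedure supplies; fill them in.
LOG_FILTER="${LOG_FILTER:-<filter string from step 11>}"
PUSH_ENDPOINT="${PUSH_ENDPOINT:-<endpoint URL from step 23>}"
DRY_RUN="${DRY_RUN:-}"

# run: print the command when DRY_RUN is set, execute it otherwise.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-4: enable flow logs on one subnet (repeat per subnet; full sampling, 5 s interval).
enable_flow_logs() {
  run gcloud compute networks subnets update "$1" --project="$PROJECT" --region="$2" \
    --enable-flow-logs --logging-flow-sampling=1.0 --logging-aggregation-interval=interval-5-sec
}

# Check: subnets whose enableFlowLogs field is absent or false, i.e. still unlogged.
subnets_without_flow_logs() {
  run gcloud compute networks subnets list --project="$PROJECT" \
    --filter="NOT enableFlowLogs:true" --format="value(name,region.basename())"
}

# Steps 5-12: bucket plus a sink routing the filtered entries into it. The sink's
# writer identity (printed by gcloud) still needs write access on the bucket.
create_bucket_and_sink() {
  run gcloud storage buckets create "gs://$BUCKET" --project="$PROJECT"
  run gcloud logging sinks create "$SINK" "storage.googleapis.com/$BUCKET" \
    --project="$PROJECT" --log-filter="$LOG_FILTER"
}

# Steps 17-24: topic and a push subscription delivering to the Multicloud Defense endpoint.
create_push_subscription() {
  run gcloud pubsub topics create "$TOPIC" --project="$PROJECT"
  run gcloud pubsub subscriptions create "$TOPIC-sub" --project="$PROJECT" \
    --topic="$TOPIC" --push-endpoint="$PUSH_ENDPOINT"
}
```

Run with DRY_RUN=1 first to review the exact commands before they touch the project.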