GCP Overview

GCP Project and GCP Folders

Multicloud Defense currently supports both GCP projects and GCP folders, but the two are onboarded and handled separately. Note the following limitations and exceptions for each option.

A GCP project contains GCP resources such as virtual machines, storage buckets, and databases, and is the unit in which Google Cloud services are created, enabled, and used.

  • Projects can be onboarded with Terraform, manually, or with the provided onboarding script.

  • Projects are ideal for environments requiring orchestration, including discovery and investigation.

  • You can interact with each project individually through the Multicloud Defense dashboard.

As of Version 23.10, you can connect a GCP folder with Terraform. A GCP folder contains projects, other folders, or a combination of both. Organization resources can use folders to group projects under the organization resource node in a hierarchy.

  • Folders on which the roles/compute.admin role has not been granted are treated as empty; do not onboard them.

  • Projects associated with onboarded folders are used for asset and traffic discovery only.

  • Projects associated with onboarded folders do not accommodate orchestrating service VPC or gateway creation.

  • Permissions granted to folders in the GCP console are applied at the folder level. Perform Multicloud Defense actions at the folder level accordingly.

To onboard a GCP folder, refer to the Terraform repository.

Overview Procedure

The following is an overview of how to connect your GCP project. Multicloud Defense provides a shell script, run as part of a wizard, that automates the connection. The script performs the following steps so you don't have to:

  1. Create two service accounts.

  2. Enable the required APIs (Compute Engine and Secret Manager).

  3. Create two VPCs (management and datapath).

  4. Create firewall rules to allow traffic to the Multicloud Defense Gateway (app traffic) in the datapath VPC.

  5. Create firewall rules to allow management traffic from Multicloud Defense Gateway to the Multicloud Defense Controller in the management VPC.

If you find that the script does not work, or if you need to manually change your settings, these actions can be executed using the GCP cloud console web UI, or using the gcloud CLI. See the alternative method of connecting your project here.
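The following is an added example, not the Multicloud Defense onboarding script, showing the same five steps performed with the gcloud CLI. The project ID, region, VPC and subnet names, CIDR ranges, service account names, the gateway network tag, the application ports, the management port (tcp/443), and the controller address ranges are all assumptions; replace them with the values for your environment. It runs in dry-run mode by default and only prints the commands; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not the Multicloud Defense onboarding script): performs the
# five onboarding steps with gcloud. Every name, CIDR, port and address range
# below is an assumption; adjust before running with DRY_RUN=0.

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"            # assumption
REGION="${REGION:-us-central1}"                        # assumption
MGMT_VPC="${MGMT_VPC:-mcd-mgmt-vpc}"                   # assumption
DATA_VPC="${DATA_VPC:-mcd-datapath-vpc}"               # assumption
MGMT_CIDR="${MGMT_CIDR:-10.10.0.0/24}"                 # assumption
DATA_CIDR="${DATA_CIDR:-10.20.0.0/24}"                 # assumption
GW_TAG="${GW_TAG:-mcd-gateway}"                        # assumption: network tag on gateway VMs
APP_PORTS="${APP_PORTS:-tcp:80,tcp:443}"               # assumption: app traffic the gateway fronts
CONTROLLER_RANGES="${CONTROLLER_RANGES:-0.0.0.0/0}"    # assumption: narrow to the controller's IPs
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: two service accounts (names are assumptions). The IAM roles the
# wizard binds to them are not stated here, so no bindings are made.
create_service_accounts() {
  for sa in mcd-controller mcd-gateway; do
    run gcloud iam service-accounts create "$sa" \
      --project="$PROJECT_ID" --display-name="Multicloud Defense $sa"
  done
}

# Step 2: enable the Compute Engine and Secret Manager APIs.
enable_apis() {
  run gcloud services enable compute.googleapis.com secretmanager.googleapis.com \
    --project="$PROJECT_ID"
}

# Step 3: management and datapath VPCs. Custom subnet mode with one subnet
# each is an assumption; the gateway needs a subnet in both networks.
create_vpcs() {
  for pair in "$MGMT_VPC:$MGMT_CIDR" "$DATA_VPC:$DATA_CIDR"; do
    net="${pair%%:*}"
    cidr="${pair#*:}"
    run gcloud compute networks create "$net" --project="$PROJECT_ID" --subnet-mode=custom
    run gcloud compute networks subnets create "$net-subnet" --project="$PROJECT_ID" \
      --network="$net" --region="$REGION" --range="$cidr"
  done
}

# Step 4: application traffic into the gateway on the datapath VPC. The
# 0.0.0.0/0 source and the ports are assumptions; restrict them to what the
# gateway must actually serve.
create_datapath_rules() {
  run gcloud compute firewall-rules create mcd-datapath-allow-app --project="$PROJECT_ID" \
    --network="$DATA_VPC" --direction=INGRESS --allow="$APP_PORTS" \
    --source-ranges=0.0.0.0/0 --target-tags="$GW_TAG"
}

# Step 5: management traffic from the gateway to the controller on the
# management VPC (tcp/443 is an assumption). GCP permits all egress by
# default, so this explicit allow only takes effect once a deny-all egress
# rule is in place, which is the posture to aim for.
create_management_rules() {
  run gcloud compute firewall-rules create mcd-mgmt-allow-controller --project="$PROJECT_ID" \
    --network="$MGMT_VPC" --direction=EGRESS --allow=tcp:443 \
    --destination-ranges="$CONTROLLER_RANGES" --target-tags="$GW_TAG"
}

# Post-check: list the rules in each VPC to compare against steps 4 and 5.
verify() {
  for net in "$MGMT_VPC" "$DATA_VPC"; do
    run gcloud compute firewall-rules list --project="$PROJECT_ID" --filter="network:$net" \
      --format="table(name,direction,sourceRanges.list(),destinationRanges.list(),targetTags.list())"
  done
}

provision_all() {
  create_service_accounts
  enable_apis
  create_vpcs
  create_datapath_rules
  create_management_rules
  verify
}

provision_all
```

Review the printed commands in dry-run mode first, in particular the source range on the datapath rule and the destination range on the management rule, since the defaults above are deliberately wide and should be tightened before anything is applied.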