
A vDiscovery job retrieves information about virtual entities in cloud environments that are managed through a cloud management platform (CMP), such as GCP. The current vDiscovery feature supports tenants, networks, and compute VMs only. It does not support data retrieved from load balancer networks, load balancer VMs, Kubernetes platform VMs, application gateways, service VMs, SQL VMs, or any other VMs created by cloud services, such as the Kubernetes service or analytics service, where IPAM is handled by the cloud provider's respective orchestration engine.

Note

You can use the values that appear by default or extend them as your requirements dictate. Using fewer than the recommended resources can reduce performance.

You must first select a member to run the vDiscovery job. To ensure that the job is executed properly, verify the connection between the discovering member and the discovered endpoint. Infoblox vDiscovery for GCP supports the resource manager model. You can discover tenants, subnets, VPCs, and workload VMs through Infoblox vDiscovery for GCP. When you configure vDiscovery jobs, you can enable the Infoblox NIOS appliance to automatically create DNS records for discovered IP addresses of VM instances that are served by the NIOS appliance. You can configure the appliance to add DNS records for specific DNS views associated with the network view defined for public and private IP addresses of VM instances served by the appliance. For information on how to perform GCP vDiscovery, see the Selecting the Endpoint Server section in the Configuring vDiscovery Jobs topic in Infoblox NIOS documentation.

For vNIOS instances running on NIOS 9.0.4 or later, you can configure a vDiscovery job to discover and synchronize data either from a single GCP project, as in prior versions of NIOS, or from multiple GCP projects linked to a host project. You can configure a vDiscovery job to discover all projects in a folder or selected projects located in one or more folders.

According to the projects that a vDiscovery job must discover, perform one of the following:

  • To discover a standalone project, create the service account on that project.

  • To discover multiple projects located within a folder, create the service account in one of the projects that must be considered as the host project, and then grant appropriate access to the folder.

  • To discover selected projects, create the service account on one of the projects that must be considered as the host project, and then grant appropriate access on each of the projects that must be discovered.

Note

  • A multi-project vDiscovery job with the Discover Projects option enabled discovers only the projects located directly within the folder. Projects located in subfolders are not discovered.

  • For limitations related to vDiscovery, see Limitations of vNIOS for GCP.

Prerequisites

Before you configure a vDiscovery job to discover data from GCP projects, complete the following prerequisites:

  • In the Google Cloud console:

    • Set up your GCP organization with the required hierarchy of folders, GCP projects, and resources.

    • Enable the Cloud Resource Manager API and the Compute Engine API. NIOS calls these APIs to run a vDiscovery job.

    • Set up a service account in the required project and download the service account file. For more information, see the Creating a Service Account section.

  • In NIOS:

Creating a GCP Service Account

Create a GCP service account with the Compute Viewer role in the required GCP project.

To create a service account, complete the following steps:

  1. Sign in to http://console.cloud.google.com.

  2. In the Navigation menu, click IAM & Admin -> Service Accounts.

  3. Do one of the following:

    1. If a project is not selected:

      1. Click SELECT PROJECT.

      2. In the Select a resource dialog box, search for and click the name of the project in which you want to create the service account.

    2. If a project is already selected, then click CREATE SERVICE ACCOUNT.

  4. In the Create service account panel, complete the following in the Service account details section:

    • Service account name: Enter a name for the service account.

    • Service account ID: The service account name you typed appears as the account ID. You may edit this value.

  5. Click CREATE AND CONTINUE.

  6. In the Grant this service account access to project (Optional) section, from the Role drop-down list, choose and assign the following role for vDiscovery:

    • Compute Engine -> Compute Viewer


  7. Click DONE.
    The service account is created.

  8. Click the name of the service account that you created to view its details.

  9. Copy or download the following information:

    1. If you created the service account in a host project, copy its email ID. You need it to configure IAM (Identity and Access Management) either on the folder that contains the projects to be discovered or on each project that must be discovered.

    2. Create a private key that is required to establish a connection between Infoblox NIOS and GCP, and download it:

      1. On the Keys tab, click ADD KEY -> Create New Key.

      2. Select JSON as the Key type.

      3. Click CREATE to create the private key and download the service account (JSON) file that contains the key to the local disk.
        You will require this file when configuring a vDiscovery job in NIOS. For more information, see Configuring vDiscovery Jobs in the Infoblox NIOS Documentation.

Starting and Stopping the Cloud Sync Service

In NIOS 9.0.4 and later, the Cloud Sync service must be running on a Grid member for a vDiscovery job configured on that member to execute. If no vDiscovery job is yet assigned to the member, the service is enabled automatically when you create a vDiscovery job on the member.

Before or after an upgrade to NIOS 9.0.4 or later, if you manually stopped the Cloud Sync service on a member for any reason, you must manually start the service for the dependent tasks such as DNS sync and/or vDiscovery to run.

To start the service:

  1. From the Grid tab, select Grid Manager tab > Services tab.

  2. On the service bar, click the Cloud Sync service.

  3. Select the member on which the Cloud Sync service must be enabled.

  4. Expand the Toolbar and click Start.
    The service takes a few minutes to start. Before running a vDiscovery job, wait for the service status to show Cloud Sync service is healthy.

To stop the Cloud Sync service on a member, select the member checkbox, and then click Stop in the Toolbar.

Setting up GCP for Multi-Project vDiscovery

You can set up the vDiscovery feature to discover data across multiple GCP projects.

To set up, complete the following steps:

  1. Sign in to Google Cloud console.

  2. Create a service account with the Compute Viewer role in one of the projects located in the folder. For steps, see Creating a GCP Service Account.
    The project in which you create the service account is considered the host project.

  3. Configure GCP for multi-project vDiscovery using one of the following:

    • To enable a vDiscovery job to discover and synchronize data from all projects located in a folder, grant the following access to the folder:
      Note: In NIOS, enable the Multiple Projects Sync -> Discover Projects option for the vDiscovery job.
      For more information, see Configuring vDiscovery Jobs in the Infoblox NIOS Documentation.

      1. Access the folder that has the projects to discover.

      2. In the IAM & Admin panel, click IAM.

      3. Click GRANT ACCESS.

      4. In the Grant access to <folder_name> dialog box, in the New Principals field, type the email ID of the service account.

      5. In the Role drop-down list, choose and assign the following roles to the folder:

        • Compute Engine -> Compute Viewer

        • Folder -> Viewer

      6. Click Done.

    • To enable a vDiscovery job to discover and synchronize data from selected projects, grant the following access to each of the projects:
      Note: In NIOS, you must enable the Multiple Projects Sync -> Add or Upload Child Projects option for the vDiscovery job.
      For more information, see Configuring vDiscovery Jobs in the Infoblox NIOS Documentation.

      1. Access a project that must be discovered.

      2. In the IAM & Admin panel, click IAM.

      3. Click GRANT ACCESS.

      4. In the Grant access to <project_name> dialog box, in the New Principals field, add the service account ID of the account you created.

      5. In the Role drop-down list, choose and assign the following role to the project:

        • Compute Engine -> Compute Viewer

      6. Click Done.

  4. Use the service account file to configure a vDiscovery job in NIOS.
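The following POSIX shell script is an added example, not part of the Infoblox documentation or Google's tooling: it performs the console steps from Creating a GCP Service Account and Setting up GCP for Multi-Project vDiscovery with gcloud. The project ids, folder id, account name and key path are placeholders you supply; Compute Viewer corresponds to the role id roles/compute.viewer and Folder Viewer to roles/resourcemanager.folderViewer.

```shell
#!/bin/sh
# Added example, not Infoblox or Google code: gcloud equivalents of the console steps.
# Project ids, folder id, account name and key path are placeholders you supply.
# DRY_RUN=1 prints each gcloud command instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Prerequisite: the two APIs NIOS calls during a vDiscovery job.
enable_apis() {  # $1 = host project id
  run gcloud services enable cloudresourcemanager.googleapis.com compute.googleapis.com --project "$1"
}

# Email of a service account, as shown on its details page and used as the IAM principal.
sa_email() {  # $1 = account name, $2 = project id
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Create the service account in the host project.
create_sa() {  # $1 = account name, $2 = host project id
  run gcloud iam service-accounts create "$1" --project "$2" --display-name "NIOS vDiscovery"
}

# Compute Viewer is read-only; grant it on a standalone project, the host project,
# or each selected child project ("Add or Upload Child Projects").
grant_project_viewer() {  # $1 = project id, $2 = service account email
  run gcloud projects add-iam-policy-binding "$1" \
    --member "serviceAccount:$2" --role roles/compute.viewer
}

# Folder-level grant for "Discover Projects": Compute Viewer plus Folder Viewer on the folder.
# Projects in subfolders are still not discovered, as the note above states.
grant_folder_access() {  # $1 = numeric folder id, $2 = service account email
  for role in roles/compute.viewer roles/resourcemanager.folderViewer; do
    run gcloud resource-manager folders add-iam-policy-binding "$1" \
      --member "serviceAccount:$2" --role "$role"
  done
}

# The JSON key NIOS uploads is a long-lived private key: keep it readable by the owner only.
create_key() {  # $1 = service account email, $2 = output path
  run gcloud iam service-accounts keys create "$2" --iam-account "$1"
  [ "${DRY_RUN:-0}" = "1" ] || chmod 600 "$2"
}

# Whole flow for folder-wide discovery: host project, folder id, account name, key path.
setup_folder_discovery() {  # $1 = host project, $2 = folder id, $3 = account name, $4 = key path
  email=$(sa_email "$3" "$1")
  enable_apis "$1" && create_sa "$3" "$1" && grant_project_viewer "$1" "$email" \
    && grant_folder_access "$2" "$email" && create_key "$email" "$4"
}
```

Run `DRY_RUN=1 setup_folder_discovery my-host-project 123456789012 nios-vdiscovery ./nios-key.json` first to review the exact bindings before applying them.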

Discovering VMs Running in Shared VPCs

Starting from NIOS 9.0.4, to discover VMs running in shared VPCs, you must ensure the host project is discovered first followed by the service projects. This can be achieved by one of the following methods in NIOS:

  • Create separate vDiscovery jobs for the host and service projects.

  • Create a vDiscovery job by enabling Multi Projects Sync > Discover Projects. When Discover Projects is enabled, by default, the host project is discovered first and then the service projects.
    If you enable Multi Projects Sync > Add or Upload Child Projects, the discovery job fails to fetch the shared VPCs and VMs on the first run, but fetches data successfully on subsequent runs. For steps to configure a vDiscovery job, see the Configuring vDiscovery Jobs topic in the Infoblox NIOS Documentation.

The shared VPC networks in which VMs are discovered are tagged as cloud shared in NIOS. To view the list of such networks in NIOS Grid Manager, click Cloud tab > Networks tab. The Cloud Shared column shows Yes for each of these networks.
