
Performing GCP vDiscovery

A vDiscovery job retrieves information about virtual entities in cloud environments that are managed through a cloud management platform (CMP), such as GCP. The current vDiscovery feature supports tenants, networks, and compute VMs only. It does not support data that is retrieved from load balancer networks, load balancer VMs, Kubernetes platform VMs, application gateways, service VMs, SQL VMs, or any other VMs that are created by cloud services, such as the Kubernetes service or analytics service, where the IPAM is handled by the respective orchestration engines of the cloud provider.

Note

You can use the values that appear by default or extend the values as per your requirements. Using less than the recommended resources can cause a reduction in performance.

You must first select a member to run the vDiscovery job. To ensure that the job is executed properly, verify the connection between the discovering member and the discovered endpoint. Infoblox vDiscovery for GCP supports the resource manager model. You can discover tenants, subnets, VPCs, and workload VMs through Infoblox vDiscovery for GCP. When you configure vDiscovery jobs, you can enable the Infoblox NIOS appliance to automatically create DNS records for discovered IP addresses of VM instances that are served by the NIOS appliance. You can configure the appliance to add DNS records for specific DNS views associated with the network view defined for public and private IP addresses of VM instances served by the appliance. For information on how to perform GCP vDiscovery, see the Selecting the Endpoint Server section in the Configuring vDiscovery Jobs topic in Infoblox NIOS documentation.

For vNIOS instances running on NIOS 9.0.4 or later, you can configure a vDiscovery job to discover and synchronize data from either a single GCP project like in the prior versions of NIOS, or from multiple GCP projects linked to a parent project. You can configure a vDiscovery job to discover all projects in a folder or selected projects located in one or more folders.

According to the projects that a vDiscovery job must discover, perform one of the following:

  • To discover a standalone project, create the service account on that project.

  • To discover multiple projects located within a folder, create the service account in one of the projects that is designated as the parent project, and then grant appropriate access to the folder.

  • To discover selected projects, create the service account in one of the projects that is designated as the parent project, and then grant appropriate access on each of the projects that must be discovered.

Note

  • A multi-project vDiscovery job that has the Discover Projects option enabled discovers only the projects located directly within the selected folder. Projects located in subfolders are not discovered.

  • For limitations related to vDiscovery, see Limitations of vNIOS for GCP.

Prerequisites

Before you configure a vDiscovery job to discover data from GCP projects, complete the following prerequisites:

  • In the Google Cloud console:

    • Set up your GCP organization with the required hierarchy of folders, GCP projects, and resources.

    • Enable the Cloud Resource Manager API and the Compute Engine API. NIOS needs to call on these APIs to run a vDiscovery job.

    • Set up a service account in the required project and download the service account file. For more information, see the Creating a Service Account section.

    • Enable multi-project synchronization in Google Cloud. For more information, see the Setting up GCP for Multi-Project vDiscovery section.

  • In NIOS:

Creating a GCP Service Account

Create a GCP service account in a GCP project and assign it the permissions defined in this section. To synchronize data from a single project, create the service account in that project. To synchronize data from multiple projects, create the service account in the project designated as the parent project. You must then configure the service account credentials in NIOS so that NIOS can use them to communicate with GCP.

Note that for shared VPCs, you must create the service account in the host project.

To create a service account, complete the following steps:

  1. Sign in to http://console.cloud.google.com.

  2. In the Navigation menu, click IAM & Admin -> Service Accounts.

  3. Do one of the following:

    1. If a project is not selected:

      1. Click SELECT PROJECT.

      2. In the Select a resource dialog box, search for and click the name of the project in which you want to create the service account.

    2. If a project is already selected, then click CREATE SERVICE ACCOUNT.

  4. In the Create service account panel, complete the following in the Service account details section:

    • Service account name: Enter a name for the service account.

    • Service account ID: The service account name you typed appears as the account ID. You may edit this value.

  5. Click CREATE AND CONTINUE.

  6. In the Grant this service account access to project (Optional) section, from the Role drop-down list, choose and assign the role:
    Compute Engine -> Compute Viewer.

    [Screenshot: New_Service_Account2.png]
  7. Click DONE.
    The service account is created.

  8. Click the name of the service account that you created to view its details.

  9. Copy or download the following information:

    1. If you created the service account in a parent project, copy its email ID. You need it to configure IAM (Identity and Access Management) either on the folder in which the projects to be discovered are located or on each project that must be discovered.

    2. Create a private key that is required to establish a connection between Infoblox NIOS and GCP, and download it:

      1. On the Keys tab, click ADD KEY -> Create New Key.

      2. Select JSON as the Key type.

      3. Click CREATE to create the private key and download the service account (JSON) file that contains the key to the local disk.
        You will require this file when configuring a vDiscovery job in NIOS. For more information, see Configuring vDiscovery Jobs in the Infoblox NIOS Documentation.

Starting and Stopping the Cloud Sync Service

In NIOS 9.0.4 and later, to execute a vDiscovery job configured on a Grid member in Infoblox NIOS, the Cloud Sync service must be running on that Grid member. If no vDiscovery job or sync task is assigned to the member, the service is enabled automatically when you create a vDiscovery job or a sync task (in NIOS 9.0.5 or later) on the member.

Before or after an upgrade to NIOS 9.0.4 or later, if you manually stopped the Cloud Sync service on a member for any reason, you must manually start the service for the dependent tasks such as DNS sync and/or vDiscovery to run.

Setting up GCP for Multi-Project vDiscovery

To import the vDiscovery data (in NIOS 9.0.4 or later) or Google Cloud DNS data (in NIOS 9.0.5 or later) from multiple projects in a GCP organization to NIOS, you must set up the GCP environment as discussed below.

A GCP organization is a resource that forms the root node in the hierarchy of GCP resources, which includes folders, projects, and other resources. The IAM and access control settings that you define at a parent level in the hierarchy apply to all child resources of that parent. The IAM and access control settings can also be configured in individual projects.

To set up multi-project discovery and synchronization of discovered data, define a service account in a GCP project designated as the parent, and then grant the service account access to a folder or to individual projects depending on whether you want the data synchronized from all projects within a folder or selected projects respectively.

Depending on the functionality for which you want to set up multi-project synchronization, complete the prerequisites for vDiscovery or for Cloud DNS synchronization.

To set up the GCP environment, complete the following steps:

  1. Sign in to Google Cloud console.

  2. Create a service account with the required role in the project designated as the parent project. For steps, see the Creating a GCP Service Account section.

  3. Configure GCP for multi-project discovery using one of the following methods according to your requirement:

    • To enable a vDiscovery job or a sync task to discover and synchronize data from all projects located in a folder, grant the following access to the folder:
      Note:
      In NIOS, to enable the discovery of all GCP projects within a folder, you must enable the Multiple Projects Sync -> Discover Projects option for the vDiscovery job or the sync group. For more information, see Configuring vDiscovery Jobs in the Infoblox NIOS Documentation or Configuring Google Cloud DNS Synchronization in NIOS respectively.

      1. Access the folder that has the projects to discover.

      2. In the IAM & Admin panel, click IAM.

      3. Click GRANT ACCESS.

      4. In the Grant access to <folder_name> dialog box, type the email ID of the service account in the New Principals field.

      5. In the Role drop-down list, choose and assign the following role permissions to the folder:

        • For vDiscovery:

          • Compute Engine -> Compute Viewer

          • Folder -> Viewer

            [Screenshot: Folder_IAM.png]
        • For Cloud DNS Synchronization:

          • DNS -> Reader

          • Folder -> Viewer

      6. Click Done.

    • To enable a sync task to discover and synchronize data from selected projects, grant the following access to each of the projects that must be discovered:
      Note:
      In NIOS, to enable the discovery of selected GCP projects, you must enable the Multiple Projects Sync -> Add or Upload Child Projects option for the vDiscovery job or the sync group.
      For more information, see Configuring vDiscovery Jobs in the Infoblox NIOS Documentation or Configuring Google Cloud DNS Synchronization in NIOS respectively.

      1. Access a project that must be discovered.

      2. In the IAM & Admin panel, click IAM.

      3. Click GRANT ACCESS.

      4. In the Grant access to <project_name> dialog box, in the New Principals field, add the service account ID of the account you created.

      5. In the Role drop-down list, choose and assign the following role permission to the project:

        • For vDiscovery: Compute Engine -> Compute Viewer

        • For DNS Synchronization: DNS -> Reader

      6. Click Done.
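The console steps in the Creating a GCP Service Account section and in this section can also be performed with the gcloud CLI. The following script is an added example, not Infoblox or Google tooling: it maps the console role names used on this page to their IAM role IDs (Compute Viewer = roles/compute.viewer, Folder Viewer = roles/resourcemanager.folderViewer, DNS Reader = roles/dns.reader), grants only those roles at folder or project scope, and checks the downloaded key file before it is uploaded to NIOS. The project, folder and account names (PARENT_PROJECT, FOLDER_ID, CHILD_PROJECTS, SA_NAME, KEY_FILE) are placeholders you must set; nothing is sent to GCP unless RUN_SETUP=1 is set, and DRY_RUN=1 prints the gcloud commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example for the service-account setup on this page; not Infoblox or Google code.
# Placeholders (assumptions, not values from the page):
#   PARENT_PROJECT  project that holds the service account
#   FOLDER_ID       numeric folder ID, used when discovering all projects in a folder
#   CHILD_PROJECTS  space-separated project IDs, used when discovering selected projects
#   SA_NAME         service account name (default: nios-vdiscovery)
#   KEY_FILE        where the JSON key is written (default: ./nios-sa-key.json)
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Console role names on this page mapped to IAM role IDs, per scope and feature.
# scope: folder|project   feature: vdiscovery|dns
roles_for() {
  case "$1/$2" in
    folder/vdiscovery)  echo "roles/compute.viewer roles/resourcemanager.folderViewer" ;;
    folder/dns)         echo "roles/dns.reader roles/resourcemanager.folderViewer" ;;
    project/vdiscovery) echo "roles/compute.viewer" ;;
    project/dns)        echo "roles/dns.reader" ;;
    *) echo "unknown scope/feature: $1/$2" >&2; return 1 ;;
  esac
}

# Run a command, or print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Email ID of a service account: NAME@PROJECT.iam.gserviceaccount.com
sa_email() { echo "$1@$2.iam.gserviceaccount.com"; }

# Enable the two APIs NIOS calls during a vDiscovery job.
enable_apis() {
  run gcloud services enable cloudresourcemanager.googleapis.com compute.googleapis.com \
      --project="$1"
}

create_sa() { # create_sa PROJECT NAME
  run gcloud iam service-accounts create "$2" --project="$1" --display-name="NIOS vDiscovery"
}

grant_folder() { # grant_folder FOLDER_ID SA_EMAIL FEATURE  (all projects in a folder)
  for role in $(roles_for folder "$3"); do
    run gcloud resource-manager folders add-iam-policy-binding "$1" \
        --member="serviceAccount:$2" --role="$role"
  done
}

grant_project() { # grant_project PROJECT_ID SA_EMAIL FEATURE  (one selected project)
  for role in $(roles_for project "$3"); do
    run gcloud projects add-iam-policy-binding "$1" \
        --member="serviceAccount:$2" --role="$role"
  done
}

create_key() { # create_key SA_EMAIL KEY_FILE
  run gcloud iam service-accounts keys create "$2" --iam-account="$1"
  [ "$DRY_RUN" = "1" ] || chmod 600 "$2"
}

# Checks on the key file before it is uploaded to NIOS: it must be a service_account
# key (not a user credential), contain the private key, and be readable only by its owner.
check_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing key file $f" >&2; return 1; }
  grep -q '"type": *"service_account"' "$f" || { echo "$f is not a service-account key" >&2; return 1; }
  grep -q '"private_key"' "$f" || { echo "$f has no private_key field" >&2; return 1; }
  mode="$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")"
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f has mode $mode; run chmod 600 on it" >&2; return 1 ;;
  esac
}

main() {
  parent="${PARENT_PROJECT:?set PARENT_PROJECT}"
  name="${SA_NAME:-nios-vdiscovery}"
  key="${KEY_FILE:-./nios-sa-key.json}"
  email="$(sa_email "$name" "$parent")"
  enable_apis "$parent"
  create_sa "$parent" "$name"
  grant_project "$parent" "$email" vdiscovery          # standalone or parent project
  if [ -n "${FOLDER_ID:-}" ]; then                     # Discover Projects: grant on the folder
    grant_folder "$FOLDER_ID" "$email" vdiscovery
  fi
  for p in ${CHILD_PROJECTS:-}; do                     # Add or Upload Child Projects: per project
    grant_project "$p" "$email" vdiscovery
  done
  create_key "$email" "$key"
  [ "$DRY_RUN" = "1" ] || check_key_file "$key"
}

# Only perform the setup when explicitly requested, so sourcing the file is side-effect free.
[ "${RUN_SETUP:-0}" = "1" ] && main
true
```

Run with `RUN_SETUP=1 DRY_RUN=1 PARENT_PROJECT=my-parent FOLDER_ID=123456789 sh setup.sh` first to review the exact bindings that will be created, then without DRY_RUN to apply them. Pass `dns` instead of `vdiscovery` to `grant_folder` or `grant_project` for the Cloud DNS synchronization roles. Keep the JSON key file at mode 600 and delete the local copy once it has been uploaded to the vDiscovery job in NIOS.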

Discovering VMs Running in Shared VPCs

Starting from NIOS 9.0.4, to discover VMs running in shared VPCs, you must ensure that the host project is discovered first, followed by the service projects. You can achieve this in NIOS by one of the following methods:

  • Create separate vDiscovery jobs for the host and service projects.

  • Create a vDiscovery job by enabling Multi Projects Sync > Discover Projects. When Discover Projects is enabled, by default, the host project is discovered first and then the service projects.
    If you enable Multi Projects Sync > Add or Upload Child Projects, the discovery job fails to fetch the shared VPCs and VMs on the first run, but fetches data successfully on subsequent runs. For steps to configure a vDiscovery job, see the Configuring vDiscovery Jobs topic in the Infoblox NIOS Documentation.

The shared VPC networks in which VMs are discovered are tagged as cloud shared in NIOS. To view the list of such networks in NIOS Grid Manager, click the Cloud tab > Networks tab; the Cloud Shared column shows Yes for each of these networks.
