Preparation
Pre-deployment checklist for GCP Brain install, including connectivity, SSH keys, sizing, and required service accounts and roles.
Connectivity / Firewall Requirements
The Vectra AI Platform uses TCP/UDP ports for different communication purposes. Many features and integrations are optional and are not required for the initial deployment of a GCP Brain. Additional guidance is in the Respond UX deployment guide or the Quadrant UX deployment guide. For full detail on all possible firewall rules that might be required in your environment, please see the next section of this guide covering firewall requirements.
DNS resolution is provided by GCP by default. You do not need to change DNS servers for GCP unless you want to use something other than GCP provided defaults.
Vectra does not create firewall rules in GCP for your deployment. If an external IP or Cloud NAT is required to reach the Vectra Cloud from where your Brain was deployed, you must configure this separately.
SSH Key Pair
An RSA SSH key pair must be created, or an existing pair reused, so that an administrator can log in to the Brain CLI as the vectra user. The pair can be generated using any standard tool; Google documents some options in Creating an SSH key.
The public key will need to be copied for later use during deployment so that it can be assigned to the Brain. After the Brain is deployed, you can log in to the Brain CLI via SSH.
You may need to make the private key readable only by your own user, using a command such as:
chmod 400 vectra.pem
Example login command:
ssh -i <private key path> vectra@BrainHostnameOrIP
Brain Sizing
The Vectra Brain for GCP is currently available in four sizes:
VM Type         CPU Cores   Memory   Disk     Interfaces   Throughput
n2-highmem-16   16          128 GB   1 TB     1 (MGT)      ~ 5 Gbps
n2-highmem-32   32          256 GB   1 TB     1 (MGT)      ~ 15 Gbps
n2-highmem-64   64          512 GB   1.2 TB   1 (MGT)      ~ 50 Gbps
n2-highmem-96   96          768 GB   4 TB     1 (MGT)      ~ 85 Gbps
Gathering Information Prior to Deployment
Provisioning Token – Allows the Brain to register with Vectra for integrity checks and subsequent updates.
This will be provided by Vectra in the welcome email.
Please note that provisioning tokens expire after 14 days. Vectra can provide a new one if needed.
SSH Key – The public key you created in the above section. You may reuse any existing key.
Project – The GCP Project ID (not the project name or project number).
This can be seen in the GCP console dashboard for your project.
Brain Service Account – A service account which will be used by the Brain to retrieve identity tokens that Vectra's provisioning service will use to validate the identity of the VM during every boot cycle of the Brain.
This service account does not need any specific IAM permissions to retrieve the required identity tokens. If desired, you can use the same service account that is required for GCP HostID integration which requires only the Compute Viewer permission.
Instructions to create that service account are included in Creating GCP service accounts.
For Brain deployment, only the name of the service account is needed.
Infrastructure Manager Service Account – Used by the GCP Infrastructure Manager to create your resources during initial deployment.
This service account needs the Cloud Infrastructure Manager Agent and Compute Admin roles and requires the ability to use the Brain service account (Service Account User role on the Brain service account).
Instructions to create this service account are included in Creating GCP service accounts.
HostID Service Account – This service account enables the GCP HostID integration and is used by the Brain to query GCP for additional information about hosts running in GCP. This information contributes to Vectra's automated Host identification (HostID) and adds information to the Host details screen.
This integration is technically optional, but configuring it is best practice.
See Creating GCP service accounts for details on creating this account.
Region – The GCP region in which to deploy.
Example:
us-east4
Zone – The GCP zone in which to deploy.
Example:
us-east4-a
Size – Size of the Brain VM to deploy.
Options are currently n2-highmem-xx (xx = 16, 32, 64, or 96). See Brain Sizing above for details.
Brain Image – GCP identifier for the Brain image to be used to build the VM.
This will be provided by Vectra in the welcome email. ONLY use the image identifier provided in the welcome email.
Example:
projects/vectra-shared-images/global/images/vectra-gcp-brain-8-7
Subnetwork – selfLink of the GCP subnetwork into which the management (MGT) interface will be provisioned.
Example:
projects/PROJ/regions/REG/subnetworks/SUBNET
Retrieving selfLink for GCP Management Subnetwork
The selfLink can be retrieved from the GCP Console GUI by selecting your VPC network, clicking on SUBNETS, selecting your subnet, then clicking on EQUIVALENT REST and copying the selfLink.
Copy the highlighted portion as shown in the example below (do not include the quotation marks).

The selfLink can also be retrieved via the GCP CLI using the gcloud compute networks describe command, with the VPC network name as the argument.
Find your subnetwork in the output near the bottom and copy only the portion beginning with projects/... In the example below, this would be:
projects/example/regions/us-east4/subnetworks/mgt
Creating GCP Service Accounts
GCP service accounts are required for several parts of the deployment process:
Brain Service Account - Used by the Brain to retrieve identity tokens that Vectra's provisioning service will use to validate the identity of the VM during every boot cycle of the Brain.
Infrastructure Manager Service Account – Used by the GCP Infrastructure Manager to create your resources during the initial Brain image deployment.
This Infrastructure Manager Service Account should typically be different from the service account you use for the Brain and HostID, because the Brain and HostID service accounts do not need the more privileged Cloud Infrastructure Manager Agent or Compute Admin roles.
This service account needs the Cloud Infrastructure Manager Agent and Compute Admin roles.
This service account also requires the Service Account User role on the Brain service account.
This allows the Infrastructure Manager service account to use the Brain service account.
HostID Service Account - Used by the Brain to query GCP to gather additional information about hosts running in GCP. This information contributes to Vectra’s automated Host identification (Host ID) and adds information to the Host details screen.
Many customers will choose to use the same service account both for the Brain's identity-token retrieval and for the HostID integration. Feel free to create separate service accounts if desired.
For the Brain Service Account:
This service account does not need any specific IAM permissions to retrieve the required identity tokens.
For the HostID Service Account used to gather naming artifacts used with Vectra's automated HostID:
This account requires the Compute Viewer permission.
Please Note:
If your organization is organized in a manner requiring more than one service account for your Vectra GCP deployment, multiple sets of credentials can be added to your Vectra configuration for the HostID integration.
For the HostID integration, if your monitoring needs span multiple projects, Vectra requires a service account per project. Existing service accounts can be re-used, or you may add new ones specific to this use case.
Resources
Basic Steps
After signing into the GCP console, navigate to IAM and Admin → Service Accounts and click + CREATE SERVICE ACCOUNT.

Give the account a name and optionally a description and then click CREATE AND CONTINUE.

In the example below, we are creating the HostID service account, which the Brain uses to retrieve artifacts that help with Vectra's automated HostID. When creating other service accounts, choose the appropriate role for the service account you are creating.
Choose a role that has read access to the compute v1 endpoints on GCP API to list zones, instances, and networks and click CONTINUE. The predefined Compute Viewer role provides the required permissions:

Optionally grant users access to the service account and then click DONE.

Now select your newly created service account and navigate to the KEYS tab, click on ADD KEY, and then Create new key.

Select JSON format and click CREATE.

This key will download to your computer when created.
Please note:
Save the key for later use.
On the DETAILS tab for your service account, also make note of the Unique ID for later use.
Infrastructure Manager Service Account
Creating the Infrastructure Manager Service Account
Follow the same basic steps as above, but make sure you grant the following roles to this service account:
Cloud Infrastructure Manager Agent
Compute Admin

Under the Principals with Access tab, grant your user the Service Account User role on the service account.

Granting Permission to Use the Brain Service Account to the Infrastructure Manager Service Account
On the Service Accounts page, select the service account you previously created for the Brain service account.
Under the Principals with Access tab, grant the Infra Manager service account the Service Account User role on the Brain service account.
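The console steps above can also be scripted. The bash script below is an added example, not Vectra's own tooling: it creates the three service accounts this guide describes and binds only the roles the guide names, keeping the Brain and HostID accounts separate from the privileged Infrastructure Manager account. The service account names (vectra-brain, vectra-hostid, vectra-infra-manager) and the role IDs used for the console role names are assumptions.

```shell
# Added example, not Vectra's own tooling: create the service accounts this
# guide describes with gcloud and bind only the roles the guide names.
# Assumed role IDs for the console role names: Cloud Infrastructure Manager
# Agent = roles/config.agent, Compute Admin = roles/compute.admin,
# Compute Viewer = roles/compute.viewer, Service Account User =
# roles/iam.serviceAccountUser.
set -eu
GCLOUD="${GCLOUD:-gcloud}"   # GCLOUD=echo prints the commands instead of running them

sa_email() {            # sa_email PROJECT_ID SA_NAME -> service account e-mail
  printf '%s@%s.iam.gserviceaccount.com\n' "$2" "$1"
}
create_sa() {           # create_sa PROJECT_ID SA_NAME DESCRIPTION
  "$GCLOUD" iam service-accounts create "$2" --project="$1" \
    --display-name="$2" --description="$3"
}
grant_project_role() {  # grant_project_role PROJECT_ID SA_EMAIL ROLE
  "$GCLOUD" projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$2" --role="$3"
}
# setup_vectra_sas PROJECT_ID ADMIN_USER_EMAIL HOSTID_KEY_FILE
setup_vectra_sas() {
  local project="$1" admin="$2" keyfile="$3" brain_sa infra_sa hostid_sa
  brain_sa=$(sa_email "$project" vectra-brain)
  infra_sa=$(sa_email "$project" vectra-infra-manager)
  hostid_sa=$(sa_email "$project" vectra-hostid)
  # Brain SA: no project-level roles; it only fetches identity tokens at boot.
  create_sa "$project" vectra-brain "Vectra Brain identity-token account"
  # HostID SA: read-only Compute Viewer, plus the JSON key the integration needs.
  create_sa "$project" vectra-hostid "Vectra GCP HostID integration"
  grant_project_role "$project" "$hostid_sa" roles/compute.viewer
  "$GCLOUD" iam service-accounts keys create "$keyfile" --iam-account="$hostid_sa"
  # Infra Manager SA: the privileged deployer, kept separate from the other two.
  create_sa "$project" vectra-infra-manager "Vectra Brain Infra Manager deployer"
  grant_project_role "$project" "$infra_sa" roles/config.agent
  grant_project_role "$project" "$infra_sa" roles/compute.admin
  # Your user may act as the Infra Manager SA when launching the deployment.
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$infra_sa" \
    --member="user:$admin" --role=roles/iam.serviceAccountUser
  # Infra Manager SA may attach the Brain SA to the VM. This binding lives on the
  # Brain SA itself, not on the project, so it cannot impersonate other accounts.
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$brain_sa" \
    --member="serviceAccount:$infra_sa" --role=roles/iam.serviceAccountUser
}
```

Run with GCLOUD=echo first to review the exact bindings before applying them to a project.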
