Connect to GCP Projects
Appranix must be authenticated and authorized to connect to the customer's GCP account in order to provide resilience for the cloud application environment.
Pre-requisites
To onboard a GCP project in Appranix, a service account with a few roles and permissions must be enabled in GCP. The onboarding user requires the following permissions in the GCP project:
- Project IAM Admin
- Service Usage Admin
To add a new GCP Cloud Connection in Appranix, follow the steps below:
- Navigate to "Cloud Connections", click "Add Cloud Connection," and choose "GCP Cloud"
- Fill in the Name and Description for the connection
- Enter the GCP project ID and select the operational regions where your protection and recovery operations need to be done
- Enable the services required
- Execute the IAM permissions in the GCP cloud console
- Acknowledge the execution in Appranix
- Register the cloud and wait for the connection to progress until the discovered resources appear
If you run into technical problems with the above steps, the cause is likely one or more of the following:
- Permission to add a role and grant permissions via GCP IAM is missing
- The commands failed during execution; the error they report will help you identify the cause
- The newly created role is removed or blocked before the discovery process
- A network outage or a delayed GCP response makes discovery take longer because of exponential backoff
GCP IAM Permissions
NOTE: When a particular role's permission is revoked manually in the GCP console, the set of operations associated with that role will fail.
Appranix ARS Discovery Assets Default Access
permissions:
- cloudasset.assets.exportResource
- storage.buckets.get
Appranix ARS Discovery Compute Default Access
permissions:
- compute.disks.get
- compute.disks.list
- compute.zones.list
- compute.regions.get
- compute.instances.get
- compute.instances.list
- compute.diskTypes.get
- compute.diskTypes.list
- compute.disks.getIamPolicy
- compute.disks.setIamPolicy
- compute.backendServices.get
- compute.machineImages.get
- compute.machineTypes.get
- compute.machineTypes.list
- compute.targetHttpProxies.get
- compute.targetPools.list
- compute.instanceGroups.get
- compute.regionBackendServices.get
Appranix ARS Discovery Network Services Default Access
permissions:
- compute.firewalls.list
- compute.firewalls.get
- compute.networks.get
- compute.subnetworks.get
- compute.forwardingRules.get
- compute.globalForwardingRules.get
- compute.urlMaps.get
Appranix ARS Discovery CloudSQL Default Access
permissions:
- cloudsql.instances.get
- cloudsql.instances.list
Appranix ARS Protection Compute Default Access
permissions:
- compute.disks.createSnapshot
- compute.disks.update
- compute.disks.use
- compute.machineImages.create
- compute.snapshots.create
- compute.snapshots.get
- compute.snapshots.list
- compute.snapshots.setLabels
Appranix ARS Protection CloudSQL Default Access
permissions:
- cloudsql.backupRuns.create
- cloudsql.backupRuns.get
- cloudsql.backupRuns.list
Appranix ARS Retention Compute Default Access
permissions:
- compute.snapshots.delete
Appranix ARS Retention CloudSQL Default Access
permissions:
- cloudsql.backupRuns.delete
Appranix ARS Recovery Deployment Manager Default Access
permissions:
- deploymentmanager.deployments.create
- deploymentmanager.resources.get
- deploymentmanager.resources.list
Appranix ARS Recovery Compute Default Access
permissions:
- compute.disks.create
- compute.disks.get
- compute.disks.list
- compute.zones.list
- compute.regions.get
- compute.instances.get
- compute.instances.list
- compute.diskTypes.get
- compute.diskTypes.list
- compute.disks.getIamPolicy
- compute.disks.setIamPolicy
- compute.backendServices.get
- compute.machineImages.get
- compute.machineTypes.get
- compute.machineTypes.list
- compute.targetHttpProxies.get
- compute.targetPools.list
- compute.instanceGroups.get
- compute.regionBackendServices.get
- compute.instances.setMachineResources
- compute.instances.setMachineType
Appranix ARS Recovery CloudSQL Default Access
permissions:
- cloudsql.instances.restoreBackup
- cloudsql.instances.get
- cloudsql.instances.list
Appranix ARS Recovery Network Services Default Access
permissions:
- compute.globalAddresses.get
- compute.networks.get
Appranix ARS Reset Deployment Default Access
permissions:
- deploymentmanager.deployments.delete
Appranix ARS Reset Compute Default Access
permissions:
- compute.instanceGroups.update
- compute.disks.delete
Appranix ARS Reset Network Services Default Access
permissions:
- deploymentmanager.deployments.delete
Appranix ARS Reset CloudSQL Default Access
permissions:
- deploymentmanager.deployments.delete
NOTE: This list of permissions may increase as Appranix adds more services for protection.
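A drift check for the roles listed above, as an added example that is not Appranix's own code: it compares the JSON that `gcloud iam roles describe ... --format=json` returns for each custom role with the permission set documented on this page, so that a manually revoked permission or a removed role is caught before an operation fails, and any permission beyond the documented set is flagged. The role IDs, the project ID and the sample data are constructed placeholders; only three roles are included in the table.

```python
import json

# Expected permissions per role title, copied from the lists on this page.
# Three roles are shown; the remaining roles extend the table the same way.
EXPECTED = {
    "Appranix ARS Discovery Assets Default Access":
        "cloudasset.assets.exportResource storage.buckets.get",
    "Appranix ARS Protection CloudSQL Default Access":
        "cloudsql.backupRuns.create cloudsql.backupRuns.get cloudsql.backupRuns.list",
    "Appranix ARS Retention Compute Default Access":
        "compute.snapshots.delete",
}

def audit_role(role):
    """Compare one role, parsed from `gcloud iam roles describe ... --format=json`,
    with the permission set documented for its title."""
    title = role.get("title", "")
    if title not in EXPECTED:
        return {"title": title, "status": "unknown-role", "missing": [], "extra": []}
    expected = set(EXPECTED[title].split())
    actual = set(role.get("includedPermissions", []))
    missing = sorted(expected - actual)  # operations tied to this role will fail
    extra = sorted(actual - expected)    # role is broader than documented
    if role.get("deleted") or role.get("stage") == "DISABLED":
        status = "removed-or-disabled"
    elif missing:
        status = "missing-permissions"
    elif extra:
        status = "extra-permissions"
    else:
        status = "ok"
    return {"title": title, "status": status, "missing": missing, "extra": extra}

# Constructed sample input: role IDs and project ID are placeholders.
SAMPLE = json.loads("""[
 {"name": "projects/example-project/roles/placeholder_discovery_assets",
  "title": "Appranix ARS Discovery Assets Default Access", "stage": "GA",
  "includedPermissions": ["cloudasset.assets.exportResource"]},
 {"name": "projects/example-project/roles/placeholder_retention_compute",
  "title": "Appranix ARS Retention Compute Default Access", "stage": "GA",
  "includedPermissions": ["compute.snapshots.delete", "compute.disks.delete"]},
 {"name": "projects/example-project/roles/placeholder_protection_cloudsql",
  "title": "Appranix ARS Protection CloudSQL Default Access", "stage": "GA",
  "deleted": true, "includedPermissions": []}
]""")

if __name__ == "__main__":
    for role in SAMPLE:
        print(json.dumps(audit_role(role)))
```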