Connect to GCP Projects

Appranix must be authenticated and authorized to connect to the customer's GCP account in order to provide resilience for their cloud application environment.

Pre-requisites

To onboard a GCP project in Appranix, a service account with a few roles and permissions must be enabled in GCP. The onboarding user requires the following permissions in the GCP project:

  • Project IAM Admin
  • Service Usage Admin

To add a new GCP Cloud Connection in Appranix, follow the steps below:

  1. Navigate to "Cloud Connections", click "Add Cloud Connection," and choose "GCP Cloud"
  2. Fill in the Name and Description for the connection
  3. Enter the GCP project ID and select the operational regions where your protection and recovery operations need to be done
  4. Enable the services required
  5. Execute the IAM permissions in the GCP cloud console
  6. Acknowledge the execution in Appranix
  7. Register the cloud and wait for the progress of the connection to see the discovered resources

If you run into technical problems in the steps above, the cause is likely one or more of the following:

  1. Permission to add a role and grant permissions via GCP IAM is missing
  2. An error occurred while executing the commands; the error output will help you identify the cause
  3. The newly created role was removed or blocked before the discovery process
  4. A network outage or GCP response delay makes discovery take longer because of exponential backoff

GCP IAM Permissions

Operation    Appranix GCP Role Name
Discovery    Appranix ARS Discovery Assets Default Access
             Appranix ARS Discovery Compute Default Access
             Appranix ARS Discovery Network Services Default Access
             Appranix ARS Discovery CloudSQL Default Access
Protection   Appranix ARS Protection Compute Default Access
             Appranix ARS Protection CloudSQL Default Access
             Appranix ARS Retention Compute Default Access
Recovery     Appranix ARS Recovery Deployment Manager Default Access
             Appranix ARS Recovery Compute Default Access
             Appranix ARS Recovery CloudSQL Default Access
             Appranix ARS Recovery Network Services Default Access
Reset        Appranix ARS Reset Deployment Default Access
             Appranix ARS Reset Compute Default Access
             Appranix ARS Reset Network Services Default Access
             Appranix ARS Reset CloudSQL Default Access

NOTE: When a particular role's permission is revoked manually in the GCP console, the set of operations associated with that role will fail.

Appranix ARS Discovery Assets Default Access
  permissions:
    - cloudasset.assets.exportResource
    - storage.buckets.get
Appranix ARS Discovery Compute Default Access
  permissions:
    - compute.disks.get
    - compute.disks.list
    - compute.zones.list
    - compute.regions.get
    - compute.instances.get
    - compute.instances.list
    - compute.diskTypes.get
    - compute.diskTypes.list
    - compute.disks.getIamPolicy
    - compute.disks.setIamPolicy
    - compute.backendServices.get
    - compute.machineImages.get
    - compute.machineTypes.get
    - compute.machineTypes.list
    - compute.targetHttpProxies.get
    - compute.targetPools.list
    - compute.instanceGroups.get
    - compute.regionBackendServices.get
Appranix ARS Discovery Network Services Default Access
  permissions:
    - compute.firewalls.list
    - compute.firewalls.get
    - compute.networks.get
    - compute.subnetworks.get
    - compute.forwardingRules.get
    - compute.globalForwardingRules.get
    - compute.urlMaps.get
Appranix ARS Discovery CloudSQL Default Access
  permissions:
    - cloudsql.instances.get
    - cloudsql.instances.list
Appranix ARS Protection Compute Default Access
  permissions:
    - compute.disks.createSnapshot
    - compute.disks.update
    - compute.disks.use
    - compute.machineImages.create
    - compute.snapshots.create
    - compute.snapshots.get
    - compute.snapshots.list
    - compute.snapshots.setLabels
Appranix ARS Protection CloudSQL Default Access
  permissions:
    - cloudsql.backupRuns.create
    - cloudsql.backupRuns.get
    - cloudsql.backupRuns.list
Appranix ARS Retention Compute Default Access
  permissions:
    - compute.snapshots.delete
Appranix ARS Retention CloudSQL Default Access
  permissions:
    - cloudsql.backupRuns.delete
Appranix ARS Recovery Deployment Manager Default Access
  permissions:
    - deploymentmanager.deployments.create
    - deploymentmanager.resources.get
    - deploymentmanager.resources.list
Appranix ARS Recovery Compute Default Access
  permissions:
    - compute.disks.create
    - compute.disks.get
    - compute.disks.list
    - compute.zones.list
    - compute.regions.get
    - compute.instances.get
    - compute.instances.list
    - compute.diskTypes.get
    - compute.diskTypes.list
    - compute.disks.getIamPolicy
    - compute.disks.setIamPolicy
    - compute.backendServices.get
    - compute.machineImages.get
    - compute.machineTypes.get
    - compute.machineTypes.list
    - compute.targetHttpProxies.get
    - compute.targetPools.list
    - compute.instanceGroups.get
    - compute.regionBackendServices.get
    - compute.instances.setMachineResources
    - compute.instances.setMachineType
Appranix ARS Recovery CloudSQL Default Access
  permissions:
    - cloudsql.instances.restoreBackup
    - cloudsql.instances.get
    - cloudsql.instances.list
Appranix ARS Recovery Network Services Default Access
  permissions:
    - compute.globalAddresses.get
    - compute.networks.get
Appranix ARS Reset Deployment Default Access
  permissions:
    - deploymentmanager.deployments.delete
Appranix ARS Reset Compute Default Access
  permissions:
    - compute.instanceGroups.update
    - compute.disks.delete
Appranix ARS Reset Network Services Default Access
  permissions:
    - deploymentmanager.deployments.delete
Appranix ARS Reset CloudSQL Default Access
  permissions:
    - deploymentmanager.deployments.delete

NOTE: This list of permissions may increase as Appranix adds more services for protection.
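
The earlier NOTE says that revoking a role's permission makes that role's operations fail. The following added example (not Appranix code) parses an excerpt of the listing above, reports which operations would fail for a given set of granted permissions, and lists each role's permissions whose verb is not get or list so they can be reviewed first. The function names and the granted set passed to them are assumptions made for illustration.

```python
# Added example, not Appranix code. LISTING is an excerpt of the role listing
# on this page; any "granted" set passed in is supplied by the caller.
LISTING = """\
Appranix ARS Discovery Compute Default Access
  permissions:
    - compute.disks.get
    - compute.disks.setIamPolicy
Appranix ARS Protection Compute Default Access
  permissions:
    - compute.disks.createSnapshot
    - compute.snapshots.create
Appranix ARS Retention Compute Default Access
  permissions:
    - compute.snapshots.delete
"""

def parse_roles(text):
    """Parse 'role name / permissions: / - perm' blocks into {role: [perms]}."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "permissions:":
            continue
        if not line.startswith("- "):
            current = line                      # a role-name line opens a block
            roles.setdefault(current, [])
        elif current is None:
            raise ValueError(f"permission listed before any role: {line!r}")
        else:
            roles[current].append(line[2:].strip())
    return roles

def failing_operations(roles, granted):
    """Map each operation to the permissions it needs that are not granted."""
    missing = {}
    for role, perms in roles.items():
        gap = sorted(set(perms) - set(granted))
        if gap:
            # Role names read "Appranix ARS <Operation> ...": word 3 is the operation.
            missing.setdefault(role.split()[2], []).extend(gap)
    return missing

def non_read_permissions(roles):
    """Per role, permissions whose final verb does not start with get/list."""
    flagged = {}
    for role, perms in roles.items():
        hits = [p for p in perms
                if not p.rsplit(".", 1)[-1].startswith(("get", "list"))]
        if hits:
            flagged[role] = hits
    return flagged
```

Feeding the full listing to `non_read_permissions` gives a short review list per role, and `failing_operations` ties a revoked permission back to the operation column of the table.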
