Connect to GCP Projects

Appranix must be authenticated and authorized to connect to the customer's GCP account in order to provide resilience for the customer's cloud application environment.

To add a new GCP Cloud Connection in Appranix, follow the steps below:

  1. Navigate to "Cloud Connections" and click "Add Cloud Connection"
  2. Fill in the Name and Description for the connection, choose GCP as the cloud provider
  3. Select your primary and recovery regions
  4. Enable the services required
  5. Submit to connect to the cloud and copy the commands to grant permission
  6. Execute the IAM permissions in the GCP cloud console
  7. Acknowledge the execution in Appranix
  8. Register the cloud and wait for the progress of the connection to see the discovered resources

If you run into technical problems with the steps above, one or more of the following may be the cause:

  1. You lack permission to add a role and grant permissions via GCP IAM
  2. A command failed during execution; the error it returned will help you identify the cause
  3. The newly created role is removed or blocked before the discovery process
  4. A network outage or GCP response delay makes discovery take longer because of exponential backoff

GCP IAM Permissions

| Operation | Appranix GCP Role Name |
|---|---|
| Discovery | Appranix ARS Discovery Assets Default Access |
| | Appranix ARS Discovery Compute Default Access |
| | Appranix ARS Discovery Network Services Default Access |
| | Appranix ARS Discovery CloudSQL Default Access |
| Protection | Appranix ARS Protection Compute Default Access |
| | Appranix ARS Protection CloudSQL Default Access |
| | Appranix ARS Retention Compute Default Access |
| Recovery | Appranix ARS Recovery Deployment Manager Default Access |
| | Appranix ARS Recovery Compute Default Access |
| | Appranix ARS Recovery CloudSQL Default Access |
| | Appranix ARS Recovery Network Services Default Access |
| Reset | Appranix ARS Reset Deployment Default Access |
| | Appranix ARS Reset Compute Default Access |
| | Appranix ARS Reset Network Services Default Access |
| | Appranix ARS Reset CloudSQL Default Access |

NOTE: When a particular role's permission is revoked manually in the GCP console, the set of operations associated with that role will fail.

Appranix ARS Discovery Assets Default Access
  permissions:
    - cloudasset.assets.exportResource
    - storage.buckets.get
Appranix ARS Discovery Compute Default Access
  permissions:
    - compute.disks.get
    - compute.disks.list
    - compute.zones.list
    - compute.regions.get
    - compute.instances.get
    - compute.instances.list
    - compute.diskTypes.get
    - compute.diskTypes.list
    - compute.disks.getIamPolicy
    - compute.disks.setIamPolicy
    - compute.backendServices.get
    - compute.machineImages.get
    - compute.machineTypes.get
    - compute.machineTypes.list
    - compute.targetHttpProxies.get
    - compute.targetPools.list
    - compute.instanceGroups.get
    - compute.regionBackendServices.get
Appranix ARS Discovery Network Services Default Access
  permissions:
    - compute.firewalls.list
    - compute.firewalls.get
    - compute.networks.get
    - compute.subnetworks.get
    - compute.forwardingRules.get
    - compute.globalForwardingRules.get
    - compute.urlMaps.get
Appranix ARS Discovery CloudSQL Default Access
  permissions:
    - cloudsql.instances.get
    - cloudsql.instances.list
Appranix ARS Protection Compute Default Access
  permissions:
    - compute.disks.createSnapshot
    - compute.disks.update
    - compute.disks.use
    - compute.machineImages.create
    - compute.snapshots.create
    - compute.snapshots.get
    - compute.snapshots.list
    - compute.snapshots.setLabels
Appranix ARS Protection CloudSQL Default Access
  permissions:
    - cloudsql.backupRuns.create
    - cloudsql.backupRuns.get
    - cloudsql.backupRuns.list
Appranix ARS Retention Compute Default Access
  permissions:
    - compute.snapshots.delete
Appranix ARS Retention CloudSQL Default Access
  permissions:
    - cloudsql.backupRuns.delete
Appranix ARS Recovery Deployment Manager Default Access
  permissions:
    - deploymentmanager.deployments.create
    - deploymentmanager.resources.get
    - deploymentmanager.resources.list
Appranix ARS Recovery Compute Default Access
  permissions:
    - compute.disks.create
    - compute.disks.get
    - compute.disks.list
    - compute.zones.list
    - compute.regions.get
    - compute.instances.get
    - compute.instances.list
    - compute.diskTypes.get
    - compute.diskTypes.list
    - compute.disks.getIamPolicy
    - compute.disks.setIamPolicy
    - compute.backendServices.get
    - compute.machineImages.get
    - compute.machineTypes.get
    - compute.machineTypes.list
    - compute.targetHttpProxies.get
    - compute.targetPools.list
    - compute.instanceGroups.get
    - compute.regionBackendServices.get
    - compute.instances.setMachineResources
    - compute.instances.setMachineType
Appranix ARS Recovery CloudSQL Default Access
  permissions:
    - cloudsql.instances.restoreBackup
    - cloudsql.instances.get
    - cloudsql.instances.list
Appranix ARS Recovery Network Services Default Access
  permissions:
    - compute.globalAddresses.get
    - compute.networks.get
Appranix ARS Reset Deployment Default Access
  permissions:
    - deploymentmanager.deployments.delete
Appranix ARS Reset Compute Default Access
  permissions:
    - compute.instanceGroups.update
    - compute.disks.delete
Appranix ARS Reset Network Services Default Access
  permissions:
    - deploymentmanager.deployments.delete
Appranix ARS Reset CloudSQL Default Access
  permissions:
    - deploymentmanager.deployments.delete

NOTE: This list of permissions may increase as Appranix adds more services for protection.
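
Because a revoked permission or a removed role makes the associated operations fail, it helps to compare the roles that actually exist in the project against the listing above. The following is an added example, not Appranix code: it parses the listing layout used on this page and diffs it against IAM Role objects, assuming the role titles in GCP match the titles above and that the role JSON was collected with `gcloud iam roles describe --format=json`; the sample role data is constructed.

```python
import json

# Expected permissions: two roles copied from the listing on this page.
EXPECTED = """\
Appranix ARS Discovery CloudSQL Default Access
  permissions:
    - cloudsql.instances.get
    - cloudsql.instances.list
Appranix ARS Retention Compute Default Access
  permissions:
    - compute.snapshots.delete
"""
# Constructed sample: a JSON array of IAM Role objects as found in the project
# (assumed to be gathered from `gcloud iam roles describe ... --format=json`).
ACTUAL_JSON = """[{"title": "Appranix ARS Discovery CloudSQL Default Access",
  "includedPermissions": ["cloudsql.instances.list", "cloudsql.instances.delete"]}]"""

def parse_listing(text):
    """Parse 'role title / permissions: / - permission' into {title: set}."""
    roles, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "permissions:":
            continue
        if not line.startswith("- "):
            current = roles.setdefault(line, set())  # a new role title
        elif current is None:
            raise ValueError(f"permission listed before a role title: {line}")
        else:
            current.add(line[2:].strip())
    return roles

def audit(expected, described):
    """Return (operation, title, problem, permissions) for each drifted role."""
    actual = {role["title"]: role for role in described}
    findings = []
    for title, want in sorted(expected.items()):
        op = title.split()[2]  # titles read "Appranix ARS <Operation> ..."
        role = actual.get(title)
        if role is None or role.get("deleted"):
            findings.append((op, title, "role missing", sorted(want)))
            continue
        have = set(role.get("includedPermissions", []))
        for problem, perms in (("missing", want - have), ("undocumented", have - want)):
            if perms:
                findings.append((op, title, problem, sorted(perms)))
    return findings

print(*audit(parse_listing(EXPECTED), json.loads(ACTUAL_JSON)), sep="\n")
```

A "missing" or "role missing" finding names the operation that will fail; an "undocumented" finding is a permission granted beyond what this page lists and is worth reviewing against least privilege.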