BLACKSHIELD

Public guide

Deploy Network Sensor on GCP

Stream live traffic using Packet Mirroring, deploy the sensor VM with Terraform, and ingest findings via the managed SIEM connector. Audience: Platform engineers, GCP administrators, security engineers. Typical setup time: 10 minutes.

quickstart


Before you begin

  • You have a GCP project with production VMs running workloads.
  • You have created an ingestion API key in Settings → API Keys with Ingestion scope.
  • You have the gcloud CLI configured with appropriate permissions to create compute resources.

Fast path

Copy a working starter, run it in your environment, then come back here for the deeper rollout details.

Get the source bundle

Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps.

GCP network sensor Terraform source

Creates the GCP Terraform project under `deploy/gcp-network-sensor/` with the current platform API URL prefilled for packet mirroring-based network telemetry ingestion.

deploy/gcp-network-sensor/
bash
BLACKSHIELD_NETWORK_SENSOR_IMAGE=public.ecr.aws/blackshield-security/network-sensor:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gcp-network-sensor.sh)
cd deploy/gcp-network-sensor

Run

gcp-packet-mirroring.sh

bash
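#!/bin/bash
# Set up GCP Packet Mirroring: create the TCP health check (port 8080)
# used by the backend service described in the steps below.
set -euo pipefail  # stop on the first failed command or unset variable

PROJECT_ID="my-project"  # replace with your GCP project ID

gcloud compute health-checks create tcp network-sensor-health \
  --port=8080 \
  --project="$PROJECT_ID"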

Understand and customize

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.

Step 1

Configure Packet Mirroring

Set up a packet mirroring policy to duplicate traffic from production VMs to the sensor instance.

  • Create a backend service with health check (TCP port 8080 or custom port).
  • Create a forwarding rule and internal load balancer as the packet mirroring target.
  • Define a packet mirroring policy to capture traffic from source VMs (use tags or network filters).
  • Enable ALL_IPV4_TRAFFIC or restrict to specific ports; verify mirroring is active.


Step 2

Deploy sensor VM with Terraform

Use the source bundle on this page to download the GCP network sensor Terraform project and deploy it.

  • Use the source bundle on this page to download the GCP network sensor Terraform project into deploy/gcp-network-sensor/ with `api_url` already prefilled for your deployed platform.
  • Copy terraform.tfvars.example to terraform.tfvars and customize: GCP project ID, region, VPC network, subnet, and API key.
  • Run: terraform init && terraform apply — creates instance group, firewall rules, service account, health checks, and managed identity.
  • The VMs automatically pull the sensor image and start ingestion.


Step 3

Verify ingestion

Confirm the sensor is capturing traffic and streaming findings to the platform.

  • SSH to the VM: gcloud compute ssh [instance-name] --zone [zone]
  • Check container logs: docker logs -f $(docker ps -q)
  • Verify packet mirroring: look for 'listening on VXLAN' or 'capture interface ready'.
  • Check the platform Findings view for network-based alerts within 5 minutes.
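
The log check from the list above, as an added example that is not BlackShield's own tooling: it polls the container log for either readiness marker and refuses to pick a container when `docker ps -q` returns zero or several IDs. The function names, the sample log lines and the 300-second default timeout are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not BlackShield tooling. Function names, defaults and the
# sample log lines are assumptions; the two markers are the ones quoted above.

# ready_marker LOGTEXT: print the readiness marker found in LOGTEXT, else return 1.
ready_marker() {
  case $1 in
    *'listening on VXLAN'*)      echo 'listening on VXLAN' ;;
    *'capture interface ready'*) echo 'capture interface ready' ;;
    *) return 1 ;;
  esac
}

# single_container IDS: IDS is the output of `docker ps -q`. Print the ID only
# when there is exactly one; `docker logs $(docker ps -q)` breaks otherwise.
single_container() {
  set -- $1                      # split the ID list on whitespace
  if [ "$#" -ne 1 ]; then
    echo "expected 1 running container, found $#" >&2
    return 1
  fi
  echo "$1"
}

# wait_ready CMD [ARG...]: run the log command every INTERVAL seconds until a
# marker appears or TIMEOUT seconds pass. stderr is merged in because
# `docker logs` replays the container's stderr stream on stderr.
wait_ready() {
  tries=$(( ${TIMEOUT:-300} / ${INTERVAL:-10} + 1 ))
  while :; do
    logs=$("$@" 2>&1) || true
    if ready_marker "$logs"; then return 0; fi
    tries=$(( tries - 1 ))
    [ "$tries" -gt 0 ] || break
    sleep "${INTERVAL:-10}"
  done
  echo "no readiness marker within ${TIMEOUT:-300}s" >&2
  return 1
}

# Constructed sample output standing in for `docker logs` on the sensor VM.
sample_logs() {
  echo 'sensor starting (constructed line)'
  echo 'listening on VXLAN (constructed line)' >&2
}

wait_ready sample_logs   # offline demo; prints the marker it found
# On the VM: id=$(single_container "$(docker ps -q)") && wait_ready docker logs "$id"
```

A non-zero exit from `wait_ready` means neither marker appeared in the log, so check the Step 1 mirroring policy before waiting on the Findings view.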


What success looks like

  • Findings are flowing to the platform with scanner=network (GCP) in the Findings view.
  • Packet mirroring policy shows 'ACTIVE' status.
  • Sensor VM CPU and memory utilization are within expected ranges.