BLACKSHIELD

Public guide

Deploy Network Sensor on GCP

Stream live traffic using Packet Mirroring, deploy the sensor VM with Terraform, and ingest findings via the managed SIEM connector. Audience: Platform engineers, GCP administrators, security engineers. Typical setup time: 10 minutes.

quickstart

Use this if

You want to stream live traffic using Packet Mirroring, deploy the sensor VM with Terraform, and ingest findings via the managed SIEM connector.

Audience
Platform engineers, GCP administrators, security engineers
Typical time
10 minutes

Before you begin

  • You have a GCP project with production VMs running workloads.
  • You have created an ingestion API key in Settings → API Keys with Ingestion scope.
  • You have the gcloud CLI configured with appropriate permissions to create compute resources.

Fast path

Copy a working starter, run it in your environment, then come back here for the deeper rollout details.

Get the source bundle

Download the exact files used in this guide, or run the one-command installer to write them locally before deploying.

GCP network sensor Terraform source

Creates the GCP Terraform project under `deploy/gcp-network-sensor/` with the current platform API URL prefilled for packet mirroring-based network telemetry ingestion.

deploy/gcp-network-sensor/
bash
BLACKSHIELD_NETWORK_SENSOR_IMAGE=public.ecr.aws/blackshield-security/network-sensor:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gcp-network-sensor.sh)
cd deploy/gcp-network-sensor

Run this

gcp-packet-mirroring.sh

bash
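#!/bin/bash
# Set up GCP Packet Mirroring: this starter creates the TCP health check
# (port 8080) that Step 1 attaches to the sensor's backend service.
set -euo pipefail

PROJECT_ID="my-project"  # replace with your GCP project ID

gcloud compute health-checks create tcp network-sensor-health \
  --port=8080 \
  --project="$PROJECT_ID"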

Understand and customize

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.

Step 1

Configure Packet Mirroring

Set up packet mirroring policy to duplicate traffic from production VMs to the sensor instance.

  • Create a backend service with health check (TCP port 8080 or custom port).
  • Create a forwarding rule and internal load balancer as the packet mirroring target.
  • Define packet mirroring policy to capture traffic from source VMs (use tags or network filters).
  • Enable ALL_IPV4_TRAFFIC or restrict to specific ports; verify mirroring is active.

What success looks like

Enable ALL_IPV4_TRAFFIC or restrict to specific ports; verify mirroring is active.
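
Step 1 written out as gcloud commands, as an added example that is not part of the original guide or BlackShield's own tooling. Only the health check name network-sensor-health comes from this page; the region, zone, network, subnet, instance group, tag and other resource names are assumed placeholders, and the sensor instance group is assumed to exist already. It prints the commands by default and executes them only with DRY_RUN=0.

```bash
#!/bin/bash
# Added example: Step 1 as gcloud commands. Resource names are assumptions
# (placeholders); only the health check name is taken from the guide.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"                    # assumption
ZONE="${ZONE:-us-central1-a}"                      # assumption
NETWORK="${NETWORK:-prod-vpc}"                     # assumption
SUBNET="${SUBNET:-sensor-subnet}"                  # assumption
SENSOR_GROUP="${SENSOR_GROUP:-network-sensor-ig}"  # assumption: sensor instance group
MIRROR_TAG="${MIRROR_TAG:-mirror-source}"          # assumption: network tag on source VMs
FILTER_PROTOCOLS="${FILTER_PROTOCOLS:-}"           # empty = no filter, all IPv4 traffic
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print commands only

# Print the command; execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

setup_mirroring() {
  # Backend service for the internal load balancer, using the health check above.
  run gcloud compute backend-services create network-sensor-backend \
    --project="$PROJECT_ID" --region="$REGION" \
    --load-balancing-scheme=INTERNAL --protocol=TCP \
    --health-checks=network-sensor-health --global-health-checks
  run gcloud compute backend-services add-backend network-sensor-backend \
    --project="$PROJECT_ID" --region="$REGION" \
    --instance-group="$SENSOR_GROUP" --instance-group-zone="$ZONE"
  # Forwarding rule marked as the packet mirroring collector.
  run gcloud compute forwarding-rules create network-sensor-collector \
    --project="$PROJECT_ID" --region="$REGION" \
    --load-balancing-scheme=INTERNAL --network="$NETWORK" --subnet="$SUBNET" \
    --backend-service=network-sensor-backend --ports=all --is-mirroring-collector
  # Policy: mirror VMs carrying MIRROR_TAG, with an optional protocol filter.
  set -- gcloud compute packet-mirrorings create network-sensor-mirror \
    --project="$PROJECT_ID" --region="$REGION" --network="$NETWORK" \
    --collector-ilb=network-sensor-collector --mirrored-tags="$MIRROR_TAG"
  if [ -n "$FILTER_PROTOCOLS" ]; then set -- "$@" --filter-protocols="$FILTER_PROTOCOLS"; fi
  run "$@"
  # Read back whether the policy is enabled.
  run gcloud compute packet-mirrorings describe network-sensor-mirror \
    --project="$PROJECT_ID" --region="$REGION" --format="value(enable)"
}

setup_mirroring
```

Review the printed commands first, then rerun with DRY_RUN=0; set FILTER_PROTOCOLS (for example tcp,udp) to narrow what is mirrored to the sensor.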

Step 2

Deploy sensor VM with Terraform

Use the source bundle on this page to download the GCP network sensor Terraform project and deploy it.

  • Use the source bundle on this page to download the GCP network sensor Terraform project into deploy/gcp-network-sensor/ with `api_url` already prefilled for your deployed platform.
  • Copy terraform.tfvars.example to terraform.tfvars and customize: GCP project ID, region, VPC network, subnet, and API key.
  • Run: terraform init && terraform apply — creates instance group, firewall rules, service account, health checks, and managed identity.
  • The VMs automatically pull the sensor image and start ingestion.

What success looks like

The VMs automatically pull the sensor image and start ingestion.

Step 3

Verify ingestion

Confirm the sensor is capturing traffic and streaming findings to the platform.

  • SSH to the VM: gcloud compute ssh [instance-name] --zone [zone]
  • Check container logs: docker logs -f $(docker ps -q)
  • Verify packet mirroring: look for 'listening on VXLAN' or 'capture interface ready'.
  • Check the platform Findings view for network-based alerts within 5 minutes.

What success looks like

Check the platform Findings view for network-based alerts within 5 minutes.

What success looks like

  • Findings are flowing to the platform with scanner=network (GCP) in the Findings view.
  • Packet mirroring policy shows 'ACTIVE' status.
  • Sensor VM CPU and memory utilization are within expected ranges.