Skip to main content
Skyhigh Security

Create an In VPC Scan for GCP

To run a DLP scan in your Google Cloud Platform (GCP) environment (instead of running it in Skyhigh CASB), you can now use a deployed POP to expand DLP control to GCP Cloud Shell in their native VPC environment. Think of In VPC Scans as in-tenant inspections of data.

A POP must be properly configured before you can run an In-VPC scan. Also, an IAM role must have permissions to allow the scan to run. An IAM role is created while adding a service account in GCP.

In-VPC scans are supported for AWS, Azure, and GCP. 


Make sure you have the following prerequisites in place before you configure PoP for GCP:

Configure PoP

Configure the PoP to run the In-VPC scan for GCP and perform the following activities.

Generate SSH Key

To generate SSH key:

1. Run the ssh-keygen command.

ssh-keygen -t rsa
  1. The command prompts you to enter the path to the file in which you want to save the key. 
  2. Save the base64 content of the key into a text file. This is the User Key file used in the next steps.

Upload the PoP Deployment Package

  1. Download the Pop Deployment package PoPPackage.tar from the GCP-managed service instance in Skyhigh CASB.
  2. Extract the PoPPackage.tar to get PoPDeployment.tar and Infrastructure.tar.  Expand the Infrastructure.tar further to get file.
  3. Upload the following files to a bucket in GCP. For example, cwpp-micro-pop-deployments is the target bucket name.
    • Infrastructure.tar
    • PoPDeployment.tar
    • User Key file

NOTE: Generate or upload the User Key file only once for the first time. For future deployments, you can use the same Key file.

Deployment from the GCP Cloud Shell

Copy the User key file and file from the GCP bucket to the user home directory. For example, /home/skyhighforgcp2

  • gsutil cp gs://cwpp-micro-pop-deployments/ 
  • gsutil cp gs://cwpp-micro-pop-deployments/gcp_key.txt key.txt

NOTE: Delete the existing file before copying it.

Configure GCP Parameters

Configure the following GCP parameters: 

  1. Execute the command:
sudo gcloud config set project <Project - ID>

For example, sudo gcloud config set project skyhigh2. Here, you can replace skyhigh2 with the required project name.

  1. Execute the command:
sudo gcloud config set compute/region <Region -ID>

For example, sudo gcloud config set compute/region us-central1.Here, you can replace us-central1 with the required region.

  1. Execute the command:
sudo gcloud config set compute/zone <ZONE ID>

For example, sudo gcloud config set compute/zone us-central1-a​​​​​​. Here, you can replace us-central1-a with the required zone.

Execute the PoP Deployment Command

Execute the following POP Deployment command:

For example, sample values are given for the command below.  You can replace the required values.

sudo bash --popname=mpop-gcp-demo  --machine-type=c2-standard-4  --storage= 
--zone=us-central1-a --region=us-central1 
--network=micropop-vpc --subnet=micropop-subnet-1 --popinfrapackage=gs://cwpp-micro-pop-deployments/Infrastructure.tar 
--popdeploymentpackage=gs://cwpp-micro-pop-deployments/PoPDeployment.tar --numberofsecondarynodes=2 

Once the PoP is deployed successfully, connect to the PoP master node and deploy DLP components.

Enable DLP on PoP

To connect to the PoP master node:

  1. Go to VM instances from the GCP Dashboard.
  2. Search for your PoP name in the Search bar. For example, mpop-gcp-demo.
  3. To connect to the master node, click the SSH icon.
  4. To validate the deployment of the CWPP component, run the basic commands such as get pods and validate the status of CWPP whether it is up and running. Also, make sure to run the command with sudo user: sudo su
  5. To execute the DLP components deployment command:
    • The default location of file is in the path:  /opt/McAfee/cwpp/pop/PoPDeployment/PoPCreation/gcp/
    • Browse the above file directory and run the command:

./ --addservice dlp-pop Yes <<pop name>>

  1. Once the DLP components are deployed successfully, wait up to 15 minutes to view the PoP with the enabled DLP.
  2. To check the DLP PoP status from the main node, execute the following:
  • To list the nodes, execute the command:

sudo kubectl get nodes -n cwpp 

Sample Results of the nodes:
NAME STATUS ROLES AGE VERSION Ready <none> 20d v1.18.17 Ready <none> 20d v1.18.17
micropop-gcp-pop-31-mar Ready <none> 20d v1.18.17
  • To list the deployed components, execute the command:

sudo kubectl get deployments -n cwpp

Sample Results of the deployed components:

cwpp-cicd 1/1 1 1 20d
micropop-dxl-bridge 2/2 2 2 20d
micropop-metis-agent 1/1 1 1 20d
micropop-redis 1/1 1 1 20d
micropop-scan-service 2/2 2 2 20d
  • To list the pods, execute the command:

sudo kubectl get pods -n cwpp 

NOTE: When the PoP is configured and no scans are executed, you might not find as many pods as listed below.

Sample results of the deployed components:

cwpp-cicd-6d6b4f965f-mdsrg 1/1 Running 1 20d
cwpp-connector-hhflt 1/1 Running 1 20d
cwpp-connector-rh99z 1/1 Running 0 20d
cwpp-connector-rn6rf 1/1 Running 1 20d
cwpp-connector-vkjmf 1/1 Running 1 20d
cwpp-logging-4rm2v 1/1 Running 1 14d
cwpp-logging-6vq9h 1/1 Running 1 14d
cwpp-logging-b976p 1/1 Running 0 14d
cwpp-logging-zs86r 1/1 Running 1 14d
cwpp-pop-manager-1618900500-fhw5j 0/1 Completed 0 13m
cwpp-pop-manager-1618900800-65cf4 0/1 Completed 0 8m1s
cwpp-pop-manager-1618901100-4qn6m 0/1 Completed 0 3m1s
cwpp-update 0/1 Evicted 0 6h47m
micropop-dxl-bridge-6fb4947cd9-7pxp8 1/1 Running 1 20d
micropop-dxl-bridge-6fb4947cd9-8r7hp 1/1 Running 1 20d
micropop-metis-agent-6c855b5877-2g5sh 2/2 Running 3 12d
micropop-orion-1413355-1617269619442-dlcn8 0/1 Completed 0 18d
micropop-orion-1413355-1617269656413-fktjz 0/1 Completed 0 18d
micropop-redis-794b447c98-plb2h 1/1 Running 1 20d
micropop-scan-service-8557b8c968-d9r7w 2/2 Running 2 18d
micropop-scan-service-8557b8c968-mqjpk 2/2 Running 0 14h

Create a Scan

To create an In VPC Scan: 

  1. Go to Policy > On-Demand Scan.
  2. Click Actions > Create a Scan.
  3. The Scan Creation Wizard is displayed. On the General Info page enter the following:
    • Scan Type. Select DLP & Malware. For In VPC scans, Malware is not supported.
    • Name. Enter a unique identifier so that you can rerun the scan later.
    • Description. Enter an optional description for the scan. 
    • Service Instance. Select the GCP instance you want to scan.
    • Hosted. Select In Tenant 
  1. Click Next.
  2. The Select Policies page displays the active DLP policies supported for In VPC scans. Select the policies you want to use, and click Next.
  3. In the Configure Scan screen, set the following:
    • Data Scope. Choose one of the following:
      • Full. Scans all content every time the scan is run.
      • Incremental. Scan only content that has changed since the last successful scan. 
      • Scan Dates. Select All, to scan all data. Or select Last X Days to limit the scan to the specified time period. 
    • Buckets:
      • Specify Buckets to Scan:
        • Use a Predefined Dictionary. Select a Predefined Dictionary from the menu. For more information, see Policy Dictionaries.
        • Manually Enter Buckets. Enter the buckets you want to scan in the box below.
    • For Skyhigh CASB PoP, click Select PoP and then choose an available pre-configured option from the side panel and click Done.
  4. Click Next.
  5. On the Schedule Scan page, select the schedule to run your scan and click Next:
    • None (On-Demand Only). Run the scan once now.
    • Daily. Run the scan once a day. Configure the time and time zone. 
    • Weekly. Run the scan once a week. Configure the day, time, and time zone. 
  6. On the Review and Activate page, review your settings for the On-Demand Scan, and click Save. Click Back to make changes.
  • Was this article helpful?