Description: Canaries aren't just hardware devices. You can run Canaries inside your GCP Cloud infrastructure, using the same Console as the rest of your Canary fleet.
Note: Like other Cloud Canaries, a registered but offline Cloud Canary still occupies a license. If you have terminated a bird on GCP, don't forget to decommission it on your Canary Console too; see the guide here to decommission a Canary.
Note: For the costs associated with running a GCP Cloud Canary, click here.
Follow the steps below to create your GCP Cloud Canary:
If you have already set up a GCP Cloud Canary and only need the steps for firewall rules, click here.
Log in to your Console.
Click the + icon and click Add Canary.
Click Add GCP Canary.
A window will show the command line needed to launch the GCP image. Copy that command line.
Note: You'll need a command line shell, where the gcloud cli tool can be run to launch the instance. For the easiest way to do this, we recommend using the Google Cloud Shell in your browser.
Paste the command line copied in Step 4 into the Google Cloud Shell and replace <instance name> with the name you want for your Canary.
Note: The project we are using is "canary-project-288916", but you can select the project in which to launch the GCP Canary with the following command:
gcloud config set project [Your Project Name]
If there are other details about the instance you wish to configure, change the command line before running. (See the gcloud instance creation help for all the extra flags allowed.)
- Your instance type does not need to be high powered, n1-standard-1 is fine.
- The firewall rules you configure should allow traffic between the bird and the networks you want to monitor.
- Exposing your instance to the public internet will produce lots of noise. We recommend not opening up ports to 0.0.0.0/0.
Note: If your subnet is shared from another (host) project, you'll need to specify it in URL format, as in the example below. The --zone flag takes a zone such as us-east4-a rather than the region us-east4.
gcloud compute instances create --image-family=thinkst-canary --image-project=thinkst-canary-abc123 --project=mytargetproject --subnet=projects/mymasterproject/regions/us-east4/subnetworks/shared-east4 mybirdname --zone=us-east4-a
If you left out --zone, you will be prompted to confirm the zone in which to deploy the instance. If it is the correct zone, type "Y" and press Enter.
Your bird will boot and configure itself.
On your Console you should see a pop-up to confirm your new Canary.
Click Add Canary.
Your GCP Canary will reboot and show as online on your Console.
You can set up your GCP Canary from within the Console using the remote management guide found here.
You're done! ;-)
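The launch steps above, collected into a small POSIX shell script (an added example, not code from the Canary documentation or from Thinkst). It builds the shared-subnet URL and the --zone value from parameters instead of hand-editing them, and only runs gcloud when DRY_RUN=0. The project, zone, subnet and instance names are placeholders, and IMAGE_PROJECT_FROM_CONSOLE must be replaced with the --image-project value your Console shows.

```shell
#!/bin/sh
# Added example (not from the Canary docs): compose, and optionally run, the
# gcloud command that launches a Cloud Canary on a subnet shared from a host
# project. All names are placeholders/assumptions.
set -eu

# Shared-subnet reference in the URL form gcloud expects when the subnet
# belongs to a different (host) project: projects/HOST/regions/REGION/subnetworks/NAME
subnet_url() {
  # $1 host project, $2 region, $3 subnet name
  printf 'projects/%s/regions/%s/subnetworks/%s' "$1" "$2" "$3"
}

# Derive the region from a zone (us-east4-a -> us-east4): --zone needs a zone,
# while the subnet URL is keyed by region.
region_of_zone() {
  printf '%s' "$1" | sed 's/-[a-z]$//'
}

# Compose the full create command as a single string.
canary_create_cmd() {
  # $1 instance name, $2 target project, $3 zone, $4 host project,
  # $5 subnet name, $6 image project (copy it from your Console)
  _region=$(region_of_zone "$3")
  printf 'gcloud compute instances create %s --image-family=thinkst-canary --image-project=%s --project=%s --zone=%s --machine-type=n1-standard-1 --subnet=%s' \
    "$1" "$6" "$2" "$3" "$(subnet_url "$4" "$_region" "$5")"
}

main() {
  cmd=$(canary_create_cmd mybirdname mytargetproject us-east4-a \
        mymasterproject shared-east4 IMAGE_PROJECT_FROM_CONSOLE)
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "$cmd"          # print only; set DRY_RUN=0 to actually launch
  else
    sh -c "$cmd"
  fi
}

# Run with: RUN_DEPLOY=1 DRY_RUN=0 sh deploy_canary.sh
if [ "${RUN_DEPLOY:-0}" = "1" ]; then main; fi
```

With DRY_RUN left at its default the script only echoes the command, so you can paste the output into Cloud Shell and review the flags before anything is created.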
Costs per GCP Canary Virtual Machine:
GCP Firewall Configuration (Optional):
Description: After deploying your GCP Cloud Canary you may find your Console flooded with Alerts or Alerts not being triggered at all.
This is likely due to overly permissive or strict firewall rules respectively.
You may need to adjust your GCP firewall rules in order to allow or deny traffic matching your Bird's personality.
In the below example we are going to create a rule for the VNC service on our Bird.
Head over to the GCP Firewall configuration to view the current rules in place.
Click on the 3-bar menu in the top right of your GCP dashboard, then hover over VPC network and finally select Firewall from the exposed menu.
In the right pane you will see the default GCP firewall rules; these allow ICMP, RDP (port 3389) and SSH (port 22) from the internet.
This leaves your environment exposed on the internet and can in some cases even be a security risk.
All internal traffic is also allowed.
We may want to remove these default rules by selecting them and clicking delete, in order to create new rules and specify the traffic we actually want to allow.
Tagging a GCP VM
Before we can create a new rule, we need to tag our Canary Cloud VM so we can reference it in the rule. Tags identify which VMs a firewall rule applies to.
To tag an existing VM, head back over to your dashboard and select VM Instances in the left pane, then click on the name of your Canary instance in the VM Instances list.
Select Edit in the top menu bar.
Scroll down to Network tags and insert the name of the tag we will later reference in the rule creation.
In this example we are creating the tag vnc.
After you have inserted your tag, save the configuration by scrolling to the bottom of the page and clicking on Save.
Adding a custom GCP Firewall Rule
With our VM tagged, we are now ready to create a new firewall rule. Head back over to the firewall menu by clicking on the 3-bar menu in the top right of your GCP dashboard, then hover over VPC network and finally select Firewall from the exposed menu.
Now select CREATE FIREWALL RULE in the top menu bar.
Enter a name for your new rule (in this example we are using vnc).
Then enter the name of the tag we previously created on our VM instance (here we used vnc).
Ensure the Action on match option is set to Allow.
Specify the source IP range you would like to allow traffic from. In this example we are opening the rule up to the internet; you may want to allow traffic only from your own environment instead.
Specify the port and protocol of your service. In this example we are setting up VNC which runs on TCP port 5900.
Finally click CREATE to save our changes.
You will now see the rule added to the top of the firewall list, and traffic is now allowed to port 5900 on our Canary VM.
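The same tagging and rule-creation steps done with gcloud instead of the Cloud Console, as an added example that is not part of the Canary documentation or Thinkst's own tooling. It refuses to create the rule with a 0.0.0.0/0 source unless ALLOW_INTERNET=1 is set, and warns when the source range is not an RFC 1918 block. Project, zone, instance and tag names are placeholders; SOURCE_RANGE defaults to 10.0.0.0/8 and should be set to the networks you want the bird to be reachable from.

```shell
#!/bin/sh
# Added example (not from the Canary docs): tag the Canary VM and add an
# ingress rule for its VNC service with gcloud, guarding against opening the
# port to the whole internet. Names below are assumptions.
set -eu

# 0 when the CIDR starts inside one of the three RFC 1918 blocks, 1 otherwise.
is_private_cidr() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Refuse 0.0.0.0/0 unless the caller opts in: a world-open Canary port mostly
# produces scanner noise rather than alerts worth acting on.
check_source_range() {
  # $1 source range, $2 "1" to permit an internet-wide rule
  if [ "$1" = "0.0.0.0/0" ] && [ "${2:-0}" != "1" ]; then
    return 1
  fi
  return 0
}

tag_cmd() {
  # $1 project, $2 zone, $3 instance, $4 network tag
  printf 'gcloud compute instances add-tags %s --project=%s --zone=%s --tags=%s' "$3" "$1" "$2" "$4"
}

rule_cmd() {
  # $1 project, $2 rule name, $3 target tag, $4 source range, $5 protocol:port
  printf 'gcloud compute firewall-rules create %s --project=%s --direction=INGRESS --action=ALLOW --rules=%s --source-ranges=%s --target-tags=%s' \
    "$2" "$1" "$5" "$4" "$3"
}

# Echo the command by default; set DRY_RUN=0 to execute it.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "$1"; else sh -c "$1"; fi; }

main() {
  project=mytargetproject; zone=us-east4-a; instance=mybirdname; tag=vnc
  source_range="${SOURCE_RANGE:-10.0.0.0/8}"
  check_source_range "$source_range" "${ALLOW_INTERNET:-0}" || {
    echo "refusing to open tcp:5900 to 0.0.0.0/0; set ALLOW_INTERNET=1 to override" >&2
    exit 1
  }
  is_private_cidr "$source_range" || echo "warning: $source_range is not an RFC 1918 range" >&2
  run "$(tag_cmd "$project" "$zone" "$instance" "$tag")"
  run "$(rule_cmd "$project" vnc "$tag" "$source_range" tcp:5900)"
}

# Run with: RUN_FIREWALL=1 DRY_RUN=0 SOURCE_RANGE=10.20.0.0/16 sh canary_fw.sh
if [ "${RUN_FIREWALL:-0}" = "1" ]; then main; fi
```

The add-tags call attaches the network tag the rule's --target-tags refers to, which is the gcloud equivalent of the Network tags field edited above; the firewall rule is created in the default VPC network unless you add --network.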