1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) for VMware Encryption on GCP. It also contains the information that a user needs to:
- Deploy Fortanix DSM on Google Cloud Platform
- Perform Virtual Private Cloud (VPC) Peering with GCVE-VPC
- Configure GCVE-VPC vCenter
1.1 Before you Begin
Refer to Google documentation for the Google Cloud account creation and other steps.
2.0 Prerequisites
- Fortanix DSM installation package for GCP
- VM Type: "n1-standard-4" or higher
- VM Count: 3 or higher
3.0 Deploying Fortanix Data Security Manager on GCP
3.1 Creating a VPC Network
For security purposes, create a new network. You can control who has access by adding firewall rules or by using another access control method.
If your project has a default VPC network, do not use it. Instead, create your own VPC network so that the only firewall rules in effect are those that you create explicitly.
Create the new VPC with a subnet range that does not overlap any range used on the GCVE side. In particular, the management and VPN gateway ranges reserved for the peering in Section 4 (192.168.0.0/24 and 192.168.1.0/28 in this example) must stay disjoint from the DSM subnet, or the peering and the KMIP path over it will not route.
Figure 1: Create New VPC
3.2 Create an Instance Template
- On the Create an instance template page, select New VM instance from template in the left panel, then in the Machine type field select n1-standard-4 (4 vCPU, 15 GB memory) or higher.
Figure 2: Select Machine Type
- In the Boot disk field, select Ubuntu 16.04 LTS with a 200 GB SSD boot disk.
- Click Create to create the instance template.
Figure 3: Add boot disk details
3.3 Create an Instance Group
Create an instance group from the instance template created in the previous step.
Figure 4: Disable auto-scaling and select the number of DSM cluster nodes
- On the Create an instance group page, select New managed instance group in the left panel.
- Disable autoscaling. The DSM cluster must keep a fixed membership; nodes are added or removed deliberately, not in response to load.
- In the Number of instances field, enter the number of Fortanix DSM cluster nodes (three or more, see Section 2.0).
- Click Create. The VMs are created at this step.
3.4 Create a Health Check
- On the Create a health check page, configure a TCP health check on port 443.
- Click Create to create the health check.
Figure 5: Check for port 443
3.5 Create an Internal TCP Load Balancer
- On the Create a load balancer page, under Internet facing or internal only, select Only between my VMs.
Figure 6: Internal Load Balancer Configuration
- Click Continue to create a new internal load balancer.
- Select Backend configuration in the left panel:
- Select the VPC created in Section 3.1.
- Select the instance group created in Section 3.3.
Figure 7: Backend Configuration
- Select Frontend configuration in the left panel:
- Select the VPC created in Section 3.1.
- Reserve an internal IP address in the Internal IP field.
- In the Port number field, expose ports 443, 4445 and 5696 on this load balancer.
Figure 8: Frontend Configuration
3.6 Create an External Load Balancer
- On the Create a load balancer page, under Internet facing or internal only, select From internet to my VMs.
- Click Continue.
Figure 9: External Load Balancer Configuration
- Select Backend configuration in the left panel:
- Select the region.
- Select the instance group created in Section 3.3.
- Select the health check created in Section 3.4.
Figure 10: Backend Configuration
- Select Frontend configuration in the left panel:
- Select the VPC created in Section 3.1.
- Reserve a public IP address in the IP field.
- Expose ports 443, 4445 and 5696 on this load balancer.
Figure 11: Frontend Configuration
Note that this places the KMIP port (5696) and port 4445 on a public address alongside the UI port. The firewall rule in Section 3.7 is what limits who can actually reach them, so set its source ranges before installing DSM on the nodes.
3.7 Add a Firewall Rule
By default, an implied firewall rule blocks incoming connections from outside your VPC network. To allow incoming connections, set up a firewall rule for your VM. After an incoming connection is established with a VM, traffic is permitted in both directions over that connection.
You can create a firewall rule to allow external access to specified ports, or to restrict access between VMs on the same network.
- In the Cloud console, go to the Firewall rules page.
- Add a firewall rule that allows TCP ports 443, 4445 and 5696.
- Select the VPC created in Section 3.1.
- Restrict the source IP ranges to what actually needs to reach DSM: the GCVE management range for KMIP and the administrator ranges for the UI. Do not leave 0.0.0.0/0 as the source range for a rule that also covers the public load balancer address.
Figure 12: Add firewall rule
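The same deployment (Sections 3.1 through 3.7) as a gcloud script, added here as an example; it is not Fortanix's or Google's code. The project ID, region, zone, subnet range, internal load balancer address and administrator allow-list are assumptions and must be edited, and the DNS records of Section 3.8 are not scripted. By default the script only prints the commands it would run; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not Fortanix's or Google's code: Sections 3.1-3.7 as gcloud
# commands instead of console clicks. Values marked "assumed" must be edited.
set -eu

PROJECT="${PROJECT:-fortanix}"                   # assumed; Section 4 uses this project ID
REGION="${REGION:-us-central1}"                  # assumed
ZONE="${ZONE:-us-central1-a}"                    # assumed
NETWORK="dsm-vpc"                                # assumed name for the Section 3.1 VPC
SUBNET_RANGE="${SUBNET_RANGE:-10.10.0.0/24}"     # assumed; must not overlap the GCVE ranges
ILB_IP="${ILB_IP:-10.10.0.10}"                   # assumed; becomes sdkms.vpc.gcloud in DNS
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"       # assumed admin allow-list (TEST-NET-3)
GCVE_MGMT_RANGE="${GCVE_MGMT_RANGE:-192.168.0.0/24}"  # Section 4.4 management range
NODES="${NODES:-3}"                              # Section 2.0: three or more nodes
DSM_PORTS="443,4445,5696"                        # Sections 3.5-3.7
FW_RULES="tcp:443,tcp:4445,tcp:5696"
DRY_RUN="${DRY_RUN:-1}"                          # 1 prints the plan; DRY_RUN=0 applies it

# run: print the command, then execute it unless DRY_RUN=1.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# 3.1 A dedicated custom-mode VPC: the default network and its allow rules are never used.
create_network() {
    run gcloud compute networks create "$NETWORK" --project="$PROJECT" --subnet-mode=custom
    run gcloud compute networks subnets create dsm-subnet --project="$PROJECT" \
        --network="$NETWORK" --region="$REGION" --range="$SUBNET_RANGE"
}

# 3.2 + 3.3 Instance template and a managed instance group with no autoscaler attached.
create_instances() {
    run gcloud compute instance-templates create dsm-template --project="$PROJECT" \
        --machine-type=n1-standard-4 --image-family=ubuntu-1604-lts \
        --image-project=ubuntu-os-cloud --boot-disk-size=200GB --boot-disk-type=pd-ssd \
        --region="$REGION" --subnet=dsm-subnet --tags=dsm-node
    run gcloud compute instance-groups managed create dsm-group --project="$PROJECT" \
        --zone="$ZONE" --template=dsm-template --size="$NODES"
}

# 3.4 Regional TCP health check on 443, shared by both load balancers.
create_health_check() {
    run gcloud compute health-checks create tcp dsm-hc --project="$PROJECT" \
        --region="$REGION" --port=443
}

# 3.5 / 3.6 Backend service, reserved address and forwarding rule per load balancer.
# INTERNAL serves KMIP to the SDDC over the peering; EXTERNAL serves the UI.
create_backend() {  # create_backend NAME SCHEME
    run gcloud compute backend-services create "$1" --project="$PROJECT" --region="$REGION" \
        --load-balancing-scheme="$2" --protocol=TCP \
        --health-checks=dsm-hc --health-checks-region="$REGION"
    run gcloud compute backend-services add-backend "$1" --project="$PROJECT" \
        --region="$REGION" --instance-group=dsm-group --instance-group-zone="$ZONE"
}

create_internal_lb() {
    create_backend dsm-ilb-backend INTERNAL
    run gcloud compute addresses create dsm-ilb-ip --project="$PROJECT" --region="$REGION" \
        --subnet=dsm-subnet --addresses="$ILB_IP"
    run gcloud compute forwarding-rules create dsm-ilb --project="$PROJECT" --region="$REGION" \
        --load-balancing-scheme=INTERNAL --network="$NETWORK" --subnet=dsm-subnet \
        --address=dsm-ilb-ip --ip-protocol=TCP --ports="$DSM_PORTS" \
        --backend-service=dsm-ilb-backend
}

create_external_lb() {
    create_backend dsm-elb-backend EXTERNAL
    run gcloud compute addresses create dsm-elb-ip --project="$PROJECT" --region="$REGION"
    run gcloud compute forwarding-rules create dsm-elb --project="$PROJECT" --region="$REGION" \
        --load-balancing-scheme=EXTERNAL --address=dsm-elb-ip --ip-protocol=TCP \
        --ports="$DSM_PORTS" --backend-service=dsm-elb-backend
}

# 3.7 Ingress is allowed only from the admin range, the GCVE management range and
# Google's health-check probe ranges, only on the DSM ports, only to tagged nodes.
# Everything else stays blocked by the implied deny-ingress rule.
create_firewall_rules() {
    run gcloud compute firewall-rules create dsm-allow-clients --project="$PROJECT" \
        --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules="$FW_RULES" \
        --target-tags=dsm-node --source-ranges="$ADMIN_CIDR,$GCVE_MGMT_RANGE"
    run gcloud compute firewall-rules create dsm-allow-probes --project="$PROJECT" \
        --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules=tcp:443 \
        --target-tags=dsm-node \
        --source-ranges=35.191.0.0/16,130.211.0.0/22,209.85.152.0/22,209.85.204.0/22
}

main() {
    create_network
    create_instances
    create_health_check
    create_internal_lb
    create_external_lb
    create_firewall_rules
}
main
```

Both load balancers here are pass-through (backend-service based TCP load balancers), so the VM firewall sees the real client address and the source ranges in dsm-allow-clients genuinely decide who can open a connection to the public endpoint; that is what Section 3.7's "restrict to source IP" amounts to in practice. The script uses the same ubuntu-1604-lts image family the page specifies; check Fortanix's current supported OS list before reusing it.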
3.8 Create DNS Records
Create DNS records for the internal and external load balancer addresses.
- This can be done in Cloud DNS or in an external DNS service.
- In this example, sdkms.vpc.gcloud is the VPC-reachable endpoint of Fortanix DSM (the internal load balancer address).
- sdkms.external.gcloud is the internet-reachable endpoint (the external load balancer address).
3.9 Download and Install Fortanix Data Security Manager
Install the Fortanix DSM software on each VM. Refer to the Fortanix Data Security Manager Installation Guide Section 4.0 for the step-by-step installation steps.
For the GCP compatible installation package contact Fortanix Support.
3.10 UI / KMIP Access
- The UI is reached at sdkms.external.gcloud.
- The KMIP endpoint for VMware is sdkms.vpc.gcloud on port 5696, reachable only from the VPC and the peered SDDC.
4.0 VPC Peering with GCVE-VPC
The following instructions establish VPC peering between the VPC gcve-vpc in project ID fortanix and the VMware SDDC (Software-Defined Data Center).
4.1 Enable Service Networking APIs
To enable Service Networking APIs, use the following command,
gcloud services enable servicenetworking.googleapis.com --project=fortanix
4.2 Enable Service Management APIs
To enable Service Management APIs use the command,
gcloud services enable serviceconsumermanagement.googleapis.com --project=fortanix
Figure 13: Enable Service Networking and Management APIs
4.3 Reserve an IP Block for VPN Gateway Address Space
Next, reserve the IP block used for the VPN gateway address space (the prefix length must be 28). This range is already assigned to your environment (192.168.1.0/28).
gcloud beta compute addresses create gcvs-rsvd-vpngw --project=fortanix --addresses=192.168.1.0 --prefix-length=28 --description="IP range for VMware Private Cloud VPN gateway" --purpose=VPC_PEERING --network=gcve-vpc --global
4.4 Reserve an IP Block for Management Address Space
Next, reserve the IP block used for the management address space of your VMware Private Cloud. This range is already assigned to your environment (192.168.0.0/24).
gcloud beta compute addresses create gcvs-rsvd-mgmt --project=fortanix --addresses=192.168.0.0 --prefix-length=24 --description="IP range for VMware Private Cloud Network" --purpose=VPC_PEERING --network=gcve-vpc --global
Figure 14: Reserve IP block for networking and management address space
4.5 Create a VPC Peering
Create a VPC peering using the following command:
gcloud beta services vpc-peerings connect --project=fortanix --service=vpc-peering.gcloud.gcve-vpc.com --network=gcve-vpc --ranges=gcvs-rsvd-vpngw,gcvs-rsvd-mgmt
4.6 Accept the VPC Peering Request
After creating the peering connection, wait for the request to be accepted on the GCVE side; the peering is usable only once it shows as active.
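A preflight check for the requirement in Section 3.1 that the DSM subnet must not collide with the ranges reserved for the peering in Sections 4.3 and 4.4, added here as an example (not Fortanix's or Google's code). The DSM subnet value is an assumption; the two reserved ranges are the ones the page uses. Overlapping ranges are rejected when the peering is created or, if they slip through a later subnet change, leave the SDDC unable to route to the KMIP endpoint.

```shell
#!/bin/sh
# Added example, not Fortanix's or Google's code: check that the DSM VPC subnet
# (Section 3.1) is disjoint from the ranges reserved for the GCVE peering
# (Sections 4.3 and 4.4). Pure POSIX sh arithmetic, no network access needed.
set -eu

# ip_to_int 10.10.0.0 -> 168427520
ip_to_int() {
    addr=$1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_bounds 192.168.1.0/28 -> "3232235776 3232235791" (first and last address)
cidr_bounds() {
    ip=${1%/*}; len=${1#*/}
    base=$(ip_to_int "$ip")
    size=$(( 1 << (32 - len) ))
    mask=$(( 4294967295 ^ (size - 1) ))
    start=$(( base & mask ))
    echo "$start $(( start + size - 1 ))"
}

# cidr_overlap A B: succeeds if the two ranges share at least one address
cidr_overlap() {
    set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_ranges DSM_SUBNET RESERVED_RANGE...: succeeds only if nothing overlaps
check_ranges() {
    dsm=$1; shift
    status=0
    for r in "$@"; do
        if cidr_overlap "$dsm" "$r"; then
            printf 'OVERLAP: DSM subnet %s collides with reserved range %s\n' "$dsm" "$r"
            status=1
        else
            printf 'ok: %s and %s are disjoint\n' "$dsm" "$r"
        fi
    done
    return $status
}

# DSM_SUBNET is an assumed value; the reserved ranges are those of Sections 4.3 and 4.4.
check_ranges "${DSM_SUBNET:-10.10.0.0/24}" 192.168.1.0/28 192.168.0.0/24
```

Run it with DSM_SUBNET set to the range you actually gave the subnet in Section 3.1; a non-zero exit means the peering ranges must be changed or the subnet recreated before Section 4.5.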
5.0 Configuring GCVE-VPC vCenter
To configure GCVE-VPC vCenter, follow the steps described below:
- Configure a new account, group and app in Fortanix DSM.
- Add the internal endpoint sdkms.vpc.gcloud (port 5696) as a Key Management Server in vCenter.
- On the Applications page, click VIEW CREDENTIALS for the app you just created, open the Username/Password tab and note the username and password; vCenter uses them as the KMS credentials.
- Establish trust with Fortanix DSM in both directions. First, make vCenter trust the KMS:
Figure 15: Make vCenter trust KMS
Figure 16: Trust established
Then make the KMS trust vCenter. Choose a certificate:
Figure 17: Make KMS trust vCenter
Figure 18: Choose a certificate
Download the vCenter certificate and configure it on the KMS side so that it trusts vCenter:
Figure 19: Download vCenter certificate
Figure 20: Certificate configured
For more information, refer to the article Configuring KMS in vCenter.
- Enable vSAN encryption.
- In the VMware vSphere Client, go to Cluster->vSAN->Services.
Figure 21: Enable vSAN Encryption
- Enable vSAN Encryption.
Figure 22: Enable vSAN Encryption
Figure 23: Fortanix DSM successfully configured
When vSAN encryption is enabled, vCenter requests new keys from Fortanix DSM over the KMIP protocol; the keys are generated and held in DSM, not in vCenter.
Figure 24: Configuration successful
- To verify, return to Cluster->vSAN->Services in the VMware vSphere Client and confirm that Encryption is shown as enabled with the Fortanix KMS cluster.