Using Fortanix Data Security Manager For VMware Encryption on GCP

1.0   Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) for VMware Encryption on GCP. It also contains the information that a user needs to:

  • Deploy Fortanix DSM on Google Cloud Platform
  • Perform Virtual Private Cloud (VPC) Peering with GCVE-VPC
  • Configure GCVE-VPC vCenter

1.1   Before you Begin

Refer to Google documentation for the Google Cloud account creation and other steps.

2.0   Prerequisites

  • Fortanix DSM installation package for GCP
  • VM Type: "n1-standard-4" or higher
  • VM Count: 3 or higher

3.0   Deploying Fortanix Data Security Manager on GCP

3.1   Creating a VPC Network

For security purposes, create a new network. You can control who has access by adding firewall rules or by using another access control method.

If your project has a default VPC network, do not use it. Instead, create your own VPC network so that the only firewall rules in effect are those that you create explicitly.

Create a new VPC with a subnet IP range different from GCVE-VPC.

vpc_create1.png
                                                  Figure 1: Create New VPC

3.2   Create an Instance Template

  1. In the Create an instance page, select the option New VM instance from template in the left panel and then in the Machine type field select n1-standard-4 (4 vCPU, 15GB memory) or higher.
    instance_template_1a.png
                                                      Figure 2: Select Machine Type
  2. In the Boot disk field, select Ubuntu 16.04 LTS + 200GB SSD.
  3. Click Create to create the Instance Template. instance_template_2.png
                                                      Figure 3: Add boot disc details

3.3   Create an Instance Group

Create an “Instance Group” using the “Instance Template” created in the previous step.

instance_group_1.pnginstance_group_2.png
                                Figure 4: Disable auto-scaling and select no. of DSM cluster

  1. In the Create an instance group page, select the option New managed instance group in the left panel.
  2. Disable Auto-scaling.
  3. In the Number of instances enter the number of Fortanix DSM cluster nodes.
  4. Click Create. The VMs specified will be created after this step.

3.4   Create Health

  1. In the Create a health check page, check for port 443.
  2. Click Create to create a health check. Health_check.png
                                                      Figure 5: Check for Port

3.5   Create an Internal TCP Load Balancer

  1. In the Create a load balancer page, under Internal facing or internal only field, select the option Only between my VMs. internal_lb1.png
                                                    Figure 6: Internal Load Balancer Configuration
  2. Click Continue to create a new internal load balancer.
  3. Select Backend configuration in the left panel,
    1. Select the “VPC” created in Section 3.1.
    2. Select the Instance group created in Section 3.3.
    internal_lb21.png
                                                      Figure 7: Backend Configuration
  4. Select Frontend configuration in the left panel,
    1. Select the “VPC” created in Section 3.1.
    2. Reserve an internal IP address in the Internal IP
    3. Expose ports "443,4445, and 5696" on this load-balancer in the Port number
    internal_lb31.png
                                                      Figure 8: Frontend Configuration

3.6   Create an External Load Balancer

  1. In the Create a load balancer page, under Internal facing or internal only field, select the option From internet to my VMs.
  2. Click Continue.
    external_lb1.png
                                                      Figure 9: External Load Balancer Configuration
  3. Select Backend configuration in the left panel,
    1. Select the Region.
    2. Select the Instance group created in Section 3.3.
    3. Select the Health check created in Section 3.4.
    external_lb21.png
                                                      Figure 10: Backend Configuration
  4. Select Frontend configuration in the left panel,
    1. Select the “VPC” created in Section 3.1.
    2. Reserve a public IP address in the IP
    3. Expose ports "443,4445, and 5696" on this load-balancer.
    external_lb31.png
                                                      Figure 11: Frontend Configuration

3.7   Add a Firewall Rule

By default, an implied firewall rule blocks incoming connections from outside your VPC network. To allow incoming connections, set up a firewall rule for your VM. After an incoming connection is established with a VM, traffic is permitted in both directions over that connection.

You can create a firewall rule to allow external access to specified ports, or to restrict access between VMs on the same network.

  1. In the Cloud console, go to the Firewall rules page.
  2. Add a firewall rule to allow the ports "443,4445, and 5696".
  3. Select the “VPC” created as part of this process.
  4. Restrict to source IP based on the security requirements. firewall1.png
                                                   Figure 12: Add firewall rule

3.8   Create a DNS

Create a DNS for internal and external load balancers.

  • This can be either done in Google DNS or outside.
  • For this example, sdkms.vpc.gcloud will be your VPC reachable endpoint of Fortanix DSM.
  • Also, sdkms.external.gcloud will be your internet reachable endpoint.

3.9   Download and Install Fortanix Data Security Manager

Install the Fortanix DSM software on each VM. Refer to the Fortanix Data Security Manager Installation Guide Section 4.0 for the step-by-step installation steps.

For the GCP compatible installation package contact Fortanix Support.

3.10   UI / KMIP Access

  • The UI can be accessed using sdkms.external.gcloud.
  • The KMIP for VMware can be accessed using sdkms.vpc.gcloud.

4.0   VPC Peering with GCVE-VPC

The following are instructions to establish VPC Peering between Project ID=fortanix, VPC name = gcve-vpc and the VMWare SDDC (Software-Defined Data Center).

4.1   Enable Service Networking APIs

To enable Service Networking APIs, use the following command,

gcloud services enable servicenetworking.googleapis.com --project=fortanix

4.2   Enable Service Management APIs

To enable Service Management APIs use the command,

gcloud services enable serviceconsumermanagement.googleapis.com --project=fortanix

VPC-peering-part1.png
                                           Figure 13: Enable Service Networking and Management APIs

4.3   Reserve an IP Block for VPN Gateway Address Space

Next, reserve an IP block used for VPN Gateway Address Space (prefix length must be 28). This range is already assigned to your environment (192.168.1.0/28).

 

gcloud beta compute addresses create gcvs-rsvd-vpngw --project=fortanix --addresses=192.168.1.0 --prefix-length=28 --description="IP range for VMware Private Cloud VPN gateway" --purpose=VPC_PEERING --network=gcve-vpc –global

4.4   Reserve an IP Block for Management Address Space

Next, reserve an IP block used for VPN Management Address space for your VMware Private Cloud. This range is already assigned to your environment (192.168.0.0/24).

gcloud beta compute addresses create gcvs-rsvd-mgmt --project=fortanix --addresses=192.168.0.0 --prefix-length=24 --description="IP range for VMware Private Cloud Network" --purpose=VPC_PEERING --network=gcve-vpc --global

VPC-peering-part2.png
                               Figure 14: Reserve IP block for networking and management address space

4.5   Create a VPC Peering

Create a VPC peering using the following command:

gcloud beta services vpc-peerings connect --project=fortanix --service=vpc-peering.gcloud.gcve-vpc.com --network=gcve-vpc --ranges=gcvs-rsvd-vpngw,gcvs-rsvd-mgmt

4.6   Accept the VPC Peering Request

After creating the VPC peering connection, wait for the GCP-GCVE-VPC to accept the VPC-peering request.

5.0   Configuring GCVE-VPC vCenter

To configure GCVE-VPC vCenter, follow the steps described below:

  1. Configure a new account/group/app on the Fortanix DSM.
  2. Configure internal IP sdkms.vpc.gcloud into vCenter Key-Management-Servers.
    1. In the “Applications” page and click “VIEW CREDENTIALS” of the app you just created. Then, click the “Username/Password” tab and note the Username and Password to configure KMS in vCenter.
    2. Establish trust with Fortanix DSM : Make vCenter trust KMS.
    vSAN_enable.png
                                                            Figure 15: Make vCenter trust KMS trust_established1.png
                                                            Figure 16: Trust Established

    Make KMS Trust vCenter:

    vcenter_trust_kms1.png
                                                            Figure 17: Make KMS trust vCenter

    Choose a Certificate:

    Choose_certificate1.png
                                                                    Figure 18: Choose a certificate

    Download vCenter Certificate

    Download_vcenter_certificate1.png
                                                                    Figure 19: Download vCenter certificate

    Certificate_configured1.png
                                                                    Figure 20: Certificate configured

    For more information refer to the article Configuring KMS in vCenter.

  3. Enable vSAN encryption.
    1. In the VMware vSphere Client, go to Cluster->vSAN->Services. Enable__vsan_encryption3.png
                                                                  Figure 21: Enable vSan Encryption
    2. Enable vSAN Encryption. Enable__vsan_encryption2.png
                                                                  Figure 22: Enable vSan Encryption
    Fortanix DSM is ready for use with vSAN encryption and vCenter VM encryption. A tamper proof audit log captures all the crypto operations performed by the application. Config_success1.png
                                     Figure 23: Fortanix DSM successfully configured
    For VSAN encryption, new security keys are created in Fortanix DSM using the KMIP protocol. Config_success1.1.png
                                                                Figure 24: Configuration successful

 

Was this article helpful?
0 out of 0 found this helpful