GCP SDN connector using service account
FortiOS automatically updates dynamic addresses for GCP using a GCP SDN connector, including mapping attributes from GCP instances to dynamic address groups in FortiOS.
This topic describes one of multiple configuration methods available with this SDN connector type.
To configure a GCP connector using the GUI:
- In FortiOS, go to Security Fabric > External Connectors.
- Click Create New, and select Google Cloud Platform (GCP).
Note that you can create only one SDN connector per connector type. For example, you can create only one entry for GCP.
- Configure the connector as follows:
- Projects: Select Simple.
- Name: Enter the name of the GCP project. The VMs whose IP addresses you want to populate should be running within this project.
- Service account email: Enter the email address associated with the service account that calls APIs to the GCP project specified.
- Private key: Enter the private key statement as shown in the text box. For details, see Creating a GCP service account.
- Click OK.
Once the connector is successfully configured, a green indicator appears at the bottom right corner. If the indicator is red, the connector is not working. See Troubleshooting GCP SDN Connector.
- Create a dynamic firewall address for the configured GCP SDN connector:
- Go to Policy & Objects > Addresses. Click Create New, then select Address.
- Configure the address:
- Name: Enter the desired name.
- Type: Select Dynamic.
- Fabric Connector Type: Select Google Cloud Platform (GCP).
- Filter: The SDN connector automatically populates and updates only instances that match this filtering condition. Currently GCP supports the following filters:
- id=<instance id>: This matches a VM instance ID.
- name=<instance name>: This matches a VM instance name.
- zone=<gcp zones>: This matches a zone name.
- network=<gcp network name>: This matches a network name.
- subnet=<gcp subnet name>: This matches a subnet name.
- tag=<gcp network tags>: This matches a network tag.
- label.<gcp label key>=<gcp label value>: This matches a free-form GCP label key and its value.
In the example, the filter is set as 'network=default & zone=us-central-1f'. This configuration populates all IP addresses that belong to the default network in the zone us-central-1f. You can combine multiple filtering conditions with AND ("&") or OR ("|"). When both AND and OR are specified, AND is interpreted first, then OR.
Note that wildcards (such as the asterisk) are not allowed in filter values.
- Click OK.
The address has been created. Wait a few minutes for the setting to take effect. You will know that the address is in effect when the exclamation mark disappears from the address entry. When you hover over the address, you can see the list of populated IP addresses.
If the exclamation mark does not disappear, check the address settings.