ZAIO deployment on GCP
This is a guide to run a fully functional Zentral instance on Google Cloud Platform. We will be using the Zentral all in one pre-built image.
Note: We also provide a guide for an AWS based setup.
To follow this tutorial, you will need admin access to the Google Cloud Platform console (see Google's Getting started documentation).
Note: This tutorial is only a first step toward a production deployment on Google Cloud. Several shortcuts taken below (default VPC, default service account, firewall rules open to the world) are called out as not suitable for production.
Google Cloud Platform setup
You will need to pick a project, and think about a region where you want to store the image, and start the instance. For the rest of this tutorial, it will be
My First Project and
Import the image in your project
Open the Create an image form.
In the Name field, specify a unique name for the image. We will use zentral-all-in-one.
Click the Source menu and select Cloud Storage file.
Enter the path to the public Zentral all in one image file.
Pick a location.
Click on the Create button to import the image. The process can take several minutes. Once it finishes, the image is listed on the Images page.
Setup the firewall rules
Note: We will be working with the default VPC. This is not recommended for production.
At a minimum, for this tutorial, we will need access to ports 22, 80, and 443. If you want to test the filebeat / logstash log shipping, you will also need access to port 5044.
The default rules on the default network, together with the Allow HTTP / Allow HTTPS options you will tick when creating the instance, are enough for ports 22, 80 and 443. You will need to add a rule to open port 5044. You can skip the rest of this section if you do not intend to test filebeat / logstash.
In the Name field, specify a unique name for your rule. We will use
Make sure that you attach the rule to the correct network (default by default).
Click the Targets menu and select Specified target tags.
In the Target tags field, specify a unique name for your tag. We will use logstash. We will add this network tag to the instance later, so that the firewall rule applies to it.
Click the Source filter menu and select IP ranges.
In the Source IP ranges field, specify 0.0.0.0/0 as the range of IP addresses allowed.
Note: this rule opens port 5044 to the world. If you know the addresses your filebeat clients will connect from, restrict the source ranges to those addresses instead.
In the Protocols and ports menu, select Specified protocols and ports, tick the tcp box, and specify 5044 as the port number.
Click on the Create button to create the firewall rule.
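Before moving on, it is worth checking what the network now exposes to the whole Internet. The script below is an added example for this tutorial (it is not part of Zentral or of the gcloud tooling): it reads the JSON that `gcloud compute firewall-rules list --format=json` produces and reports every ingress rule whose source range is 0.0.0.0/0 (or ::/0) and that admits more than the web ports 80 and 443. The rules in SAMPLE_RULES_JSON are constructed by hand to mirror that JSON shape: the default network's SSH rule, the rule behind the Allow HTTP checkbox, the logstash rule created above, and a variant of it restricted to one example office range. Port 22 is left out of the allow-list on purpose, so the audit also flags the world-open SSH rule this tutorial relies on; that is one of the things to tighten before a production deployment.

```python
"""Audit GCP firewall rules for what they expose to the whole Internet.

Added example for this tutorial; not part of Zentral or of gcloud.
It consumes the JSON shape produced by
`gcloud compute firewall-rules list --format=json` (only the fields used
here are required). SAMPLE_RULES_JSON is constructed by hand.
"""
import ipaddress
import json
import sys

# Constructed network URL (project name "my-project" is a placeholder).
NETWORK = "https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default"

# Constructed sample mirroring gcloud's output.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "default-allow-ssh", "network": NETWORK, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-http", "network": NETWORK, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-logstash", "network": NETWORK, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["logstash"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5044"]}]},
    {"name": "allow-logstash-office", "network": NETWORK, "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"], "targetTags": ["logstash"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5044"]}]},
])

# TCP ports this tutorial deliberately exposes to everyone.
EXPECTED_PUBLIC_TCP_PORTS = {80, 443}


def expand_ports(port_specs):
    """Expand gcloud port specs such as "22" or "5000-5002" into a set of ints."""
    ports = set()
    for spec in port_specs:
        low, _, high = spec.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def is_world_open(source_ranges):
    """True if any source range is the whole IPv4 or IPv6 address space."""
    return any(ipaddress.ip_network(r).prefixlen == 0 for r in source_ranges)


def audit_rules(rules_json, expected_public_tcp_ports=EXPECTED_PUBLIC_TCP_PORTS):
    """Return one finding per enabled ingress rule that admits the whole
    Internet to anything other than the expected public TCP ports.

    A finding holds the rule name, the exposed ports (or "all" when a whole
    protocol is open), and the scope: the target tags or service accounts
    the rule applies to, or "every instance" when it has neither.
    """
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not is_world_open(rule.get("sourceRanges", [])):
            continue
        exposed = set()
        for allowed in rule.get("allowed", []):
            proto = allowed["IPProtocol"].lower()
            ports = expand_ports(allowed.get("ports", []))
            if proto == "all" or (proto in ("tcp", "udp") and not ports):
                exposed = {"all"}  # no port list means every port of the protocol
                break
            if proto == "tcp":
                exposed.update(ports - expected_public_tcp_ports)
            elif proto == "udp":
                exposed.update(f"udp/{p}" for p in ports)
            else:
                exposed.add(proto)  # e.g. icmp, which carries no ports
        if not exposed:
            continue
        scope = (rule.get("targetTags") or rule.get("targetServiceAccounts")
                 or "every instance")
        findings.append({"name": rule["name"],
                         "exposed": sorted(exposed, key=str),
                         "scope": scope})
    return findings


if __name__ == "__main__":
    # Pipe real output in: gcloud compute firewall-rules list --format=json | python audit.py
    data = SAMPLE_RULES_JSON if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(audit_rules(data), indent=2))
```

A rule with no target tags and no target service accounts applies to every instance in the network, which is why the scope is reported alongside the ports: the logstash rule is at least confined to instances carrying the logstash tag, while the default SSH rule is not.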
Create the instance
Open the Create an instance form.
In the Name field, specify a unique name for your instance. We will use
Select a Region and a Zone.
The default General-purpose Machine family and the n1-standard-1 Machine type are enough to test Zentral.
In the Boot disk section, click on the [Change] button, then go to the [Custom images] tab. Select the zentral-all-in-one image that you created at the beginning of this tutorial.
You can start with one 10GB SSD persistent disk, but that would only be enough to store a limited amount of events. As a rule of thumb, you will need about 7GB plus 1GB for every million events stored, but that can vary a lot depending on your inventory sources and the kind of events you are collecting.
This is what you should see in the Boot disk menu:
We will use the Compute Engine default service account and the default access scopes. Again, this is not recommended for production: create a dedicated service account with only the permissions the instance actually needs.
In the Firewall section, tick the Allow HTTP traffic and Allow HTTPS traffic boxes.
If you want to try the filebeat / logstash functionality, you need to add the logstash network tag you created earlier to the instance, in order to attach the firewall rule. You can skip this step if you do not want to try this integration. Expand the Management, security, disks, networking, sole tenancy section, open the Networking tab, and add logstash in the Network tags field.
Click on the Create button to launch the instance.
Setup the domain name(s) for your instance
Zentral requires at least one domain name resolving to the IP address of the launched instance. If you want to ship logs with filebeat, or experiment with the MDM, you will need a second domain name, so that the endpoints requiring client certificate authentication can be served separately.
- In the Google Cloud console, find the public IP address of the instance that is starting. No need to wait for the instance to be fully up.
- Use this IP to set up the first, required A record (zentral.example.com for the rest of this tutorial).
- You can set up a second A record pointing to the same IP to be able to test all the Zentral functionalities (zentral-clicertauth.example.com for the rest of this tutorial).
- Test the resolution of these records! Do not move on to the next section before they resolve to the instance IP.
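One way to run that resolution test, as an added example for this tutorial rather than Zentral's own tooling: the script below asks the system resolver for the A records of each hostname and compares them with the instance's external IP, distinguishing a name that does not resolve yet from one that resolves to the wrong address. The hostnames are the tutorial's placeholders and 203.0.113.10 is a constructed IP; the optional resolve parameter exists so the check can be exercised with a canned resolver without network access.

```python
"""Check that the tutorial's A records point at the instance.

Added example for this tutorial; not part of Zentral. Hostnames are the
tutorial's placeholders, the IP address is constructed.
"""
import ipaddress
import socket
import sys


def resolve_a_records(hostname):
    """Return the IPv4 addresses the system resolver gives for hostname
    (an empty set if it does not resolve). Uses the OS resolver, so
    /etc/hosts entries and the local cache are consulted too."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_records(hostnames, instance_ip, resolve=resolve_a_records):
    """Compare each hostname's A records with the instance's external IP.

    Returns a dict hostname -> status, one of "ok", "unresolved" or
    "wrong-ip: <addresses>". A name is only "ok" when every address it
    resolves to is the instance IP: an extra stale record would send some
    clients elsewhere.
    """
    expected = str(ipaddress.ip_address(instance_ip))  # normalises the input
    report = {}
    for name in hostnames:
        addrs = resolve(name)
        if not addrs:
            report[name] = "unresolved"
        elif addrs == {expected}:
            report[name] = "ok"
        else:
            report[name] = "wrong-ip: " + ", ".join(sorted(addrs))
    return report


def all_ready(report):
    """True only when every hostname in the report resolves correctly."""
    return bool(report) and all(status == "ok" for status in report.values())


if __name__ == "__main__":
    # Usage: python check_dns.py <instance-ip> <hostname> [<hostname> ...]
    if len(sys.argv) < 3:
        sys.exit("usage: check_dns.py INSTANCE_IP HOSTNAME [HOSTNAME ...]")
    result = check_records(sys.argv[2:], sys.argv[1])
    for host, status in result.items():
        print(f"{host}: {status}")
    sys.exit(0 if all_ready(result) else 1)
```

Run it as `python check_dns.py 203.0.113.10 zentral.example.com zentral-clicertauth.example.com` with your instance's real IP. An "unresolved" result right after creating the records is usually propagation delay or a cached negative answer at your resolver; retry rather than moving on.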
Log onto your instance
You can open an SSH session from the Google Cloud console. Click on the instance in the list of all instances. At the top of the instance page, open the Remote access / SSH menu and select Open in browser window. A new tab will open and an SSH session will start.
Once logged in, you can use a command line tool to set up your instance. Because this last step is the same for an AWS deployment, we have kept it on a separate wiki page.