Connect to GCP Projects

Cloud Rewind must be authenticated and authorized to connect to the customer's GCP account in order to provide resilience for their cloud application environment.

Pre-requisites

To onboard a GCP project in Cloud Rewind, a service account with a few roles and permissions must be enabled in GCP. The onboarding user requires the following permissions in the GCP project:

  • Project IAM Admin
  • Service Usage Admin

Procedure

  1. Navigate to "Cloud Connections", click "Add Cloud Connection," and choose "GCP Cloud"
  2. Fill in the Name and Description for the connection
  3. Enter the GCP project ID and select the operational regions where your protection and recovery operations need to be done
  4. Enable the services required
  5. Execute the IAM permissions in the GCP cloud console
  6. Acknowledge the execution in Cloud Rewind
  7. Register the cloud and wait for the connection to progress until the discovered resources are shown

If you run into technical problems in the above steps, you may have a problem with one or more of the following items:

  1. Permission to add a role and grant permissions via GCP IAM
  2. An error may occur while executing the commands; the error will help you identify the cause
  3. The newly created role is removed or blocked before the discovery process
  4. A network outage or a delayed GCP response makes discovery take longer because of exponential backoff

Cloud Connection Dashboard and Actions

After successfully completing the Cloud Connection discovery process, all selected operational region resources will be listed at the bottom of your Cloud Connection summary page.

Additionally, the following options can be accessed under the Cloud Connection Actions button:

Edit: This option allows users to refine their Cloud Connection settings with flexibility. Users can update the Cloud Connection name, add new operational regions, and modify the selection of cloud services to be discovered.

Disable: With the disable option, users gain control over their Cloud Connection discovery process. This functionality enables users to temporarily suspend Cloud Connection discovery and reactivate it when needed.

Recovery Profile: This feature enables users to create GCP Recovery Profiles. With this feature, users can conduct recovery testing with preemptible VMs, effectively reducing their recovery costs.

GCP Permissions: This feature allows users to effortlessly update Cloud Connection permissions as required.

Download Report: Enhancing visibility and insights, this option generates a comprehensive summary report file detailing Cloud Connection resources, regions, and additional relevant details.

Delete: Users can utilize the delete option to permanently remove selected Cloud Connections.

Sync Now: This option triggers immediate Cloud Connection discovery when needed.

GCP Connection Alerts

The Alerts tab on the GCP cloud connection page lists any errors that might occur during the discovery process. For more information, see Alerts.

GCP Permissions

Cloud Rewind gets four sets of permissions during Cloud Connection creation.

  • Discovery
  • Protection
  • Recovery
  • Reset

Operation    Permissions
Discovery    Discovery Assets Default Access
             Discovery Compute Default Access
             Discovery Network Services Default Access
             Discovery CloudSQL Default Access
Protection   Protection Compute Default Access
             Protection CloudSQL Default Access
             Retention Compute Default Access
Recovery     Recovery Deployment Manager Default Access
             Recovery Compute Default Access
             Recovery CloudSQL Default Access
             Recovery Network Services Default Access
Reset        Reset Deployment Default Access
             Reset Compute Default Access
             Reset Network Services Default Access
             Reset CloudSQL Default Access

Note

When a particular role's permission is revoked manually in the GCP console, the set of operations associated with that role will fail.

Discovery Assets Default Access

      permissions:
        - cloudasset.assets.exportResource
        - storage.buckets.get

Discovery Compute Default Access

      permissions:
        - compute.disks.get
        - compute.disks.list
        - compute.zones.list
        - compute.regions.get
        - compute.instances.get
        - compute.instances.list
        - compute.diskTypes.get
        - compute.diskTypes.list
        - compute.disks.getIamPolicy
        - compute.disks.setIamPolicy
        - compute.backendServices.get
        - compute.machineImages.get
        - compute.machineTypes.get
        - compute.machineTypes.list
        - compute.targetHttpProxies.get
        - compute.targetPools.list
        - compute.instanceGroups.get
        - compute.regionBackendServices.get

Discovery Network Services Default Access

      permissions:
        - compute.firewalls.list
        - compute.firewalls.get
        - compute.networks.get
        - compute.subnetworks.get
        - compute.forwardingRules.get
        - compute.globalForwardingRules.get
        - compute.urlMaps.get

Discovery CloudSQL Default Access

      permissions:
        - cloudsql.instances.get
        - cloudsql.instances.list

Protection Compute Default Access

      permissions:
        - compute.disks.createSnapshot
        - compute.disks.update
        - compute.disks.use
        - compute.machineImages.create
        - compute.snapshots.create
        - compute.snapshots.get
        - compute.snapshots.list
        - compute.snapshots.setLabels

Protection CloudSQL Default Access

      permissions:
        - cloudsql.backupRuns.create
        - cloudsql.backupRuns.get
        - cloudsql.backupRuns.list

Retention Compute Default Access

      permissions:
        - compute.snapshots.delete

Retention CloudSQL Default Access

      permissions:
        - cloudsql.backupRuns.delete

Recovery Deployment Manager Default Access

      permissions:
        - deploymentmanager.deployments.create
        - deploymentmanager.resources.get
        - deploymentmanager.resources.list

Recovery Compute Default Access

      permissions:
        - compute.disks.create
        - compute.disks.get
        - compute.disks.list
        - compute.zones.list
        - compute.regions.get
        - compute.instances.get
        - compute.instances.list
        - compute.diskTypes.get
        - compute.diskTypes.list
        - compute.disks.getIamPolicy
        - compute.disks.setIamPolicy
        - compute.backendServices.get
        - compute.machineImages.get
        - compute.machineTypes.get
        - compute.machineTypes.list
        - compute.targetHttpProxies.get
        - compute.targetPools.list
        - compute.instanceGroups.get
        - compute.regionBackendServices.get
        - compute.instances.setMachineResources
        - compute.instances.setMachineType

Recovery CloudSQL Default Access

      permissions:
        - cloudsql.instances.restoreBackup
        - cloudsql.instances.get
        - cloudsql.instances.list

Recovery Network Services Default Access

      permissions:
        - compute.globalAddresses.get
        - compute.networks.get

Reset Deployment Default Access

      permissions:
        - deploymentmanager.deployments.delete

Reset Compute Default Access

      permissions:
        - compute.instanceGroups.update
        - compute.disks.delete

Reset Network Services Default Access

      permissions:
        - deploymentmanager.deployments.delete

Reset CloudSQL Default Access

      permissions:
        - deploymentmanager.deployments.delete

Note

This list of permissions may increase as Cloud Rewind adds more services for protection.
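
The first Note above says that revoking a role's permission in the GCP console makes the associated operations fail. The following added example (not Cloud Rewind's own code) compares exported role definitions with the permission sets listed on this page and reports missing, extra, deleted and absent roles. It assumes the roles in the project carry the titles used on this page and that the input is a JSON array of IAM Role resources, such as the output of `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json` collected per role; `check_role`, `audit` and `SAMPLE` are names introduced here.

```python
import json

# Permission sets copied from this page (three roles shown; add the others the same way).
# Assumption: the roles created in the project use these titles.
DOCUMENTED = {
    "Discovery CloudSQL Default Access": {
        "cloudsql.instances.get", "cloudsql.instances.list"},
    "Protection CloudSQL Default Access": {
        "cloudsql.backupRuns.create", "cloudsql.backupRuns.get",
        "cloudsql.backupRuns.list"},
    "Retention Compute Default Access": {"compute.snapshots.delete"},
}

def check_role(role):
    """Compare one IAM Role resource (as a dict) with the documented set."""
    title = role.get("title", "")
    expected = DOCUMENTED.get(title)
    if expected is None:
        return {"role": title, "status": "not-documented", "missing": [], "extra": []}
    granted = set(role.get("includedPermissions", []))
    missing, extra = sorted(expected - granted), sorted(granted - expected)
    if role.get("deleted"):
        status = "deleted"              # soft-deleted role: its operations fail
    elif missing:
        status = "missing-permissions"  # operations tied to this role fail
    elif extra:
        status = "extra-permissions"    # broader than the list on this page
    else:
        status = "ok"
    return {"role": title, "status": status, "missing": missing, "extra": extra}

def audit(roles_json):
    """Check every exported role and report documented roles that are absent."""
    roles = json.loads(roles_json)
    results = [check_role(r) for r in roles]
    present = {r.get("title") for r in roles}
    for title in sorted(DOCUMENTED.keys() - present):
        results.append({"role": title, "status": "absent",
                        "missing": sorted(DOCUMENTED[title]), "extra": []})
    return results

# Constructed sample: one permission revoked, one added, one role never created.
SAMPLE = json.dumps([
    {"title": "Discovery CloudSQL Default Access",
     "includedPermissions": ["cloudsql.instances.get"]},
    {"title": "Protection CloudSQL Default Access",
     "includedPermissions": ["cloudsql.backupRuns.create", "cloudsql.backupRuns.get",
                             "cloudsql.backupRuns.list", "cloudsql.instances.delete"]},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because the documented list may grow as services are added, an "extra-permissions" finding is a prompt to compare against the current version of this page rather than proof of drift.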
