Skip to content

Enable VPC Flow Logs

To enable GCP VPC flow logs, follow the below steps.

Steps

  1. Navigate to VPC network in GCP console.
  2. Select the subnet to enable VPC flow log.
  3. Ensure that flow logs is turned on. If it is off, click on edit and turn flow logs on.
  4. Turn on flow log on all subnets where you want to enable flow log.
  5. Navigate to Cloud Storage section and create a storage bucket. You can leave everything as default when creating storage bucket.
    Note: Both DNS and VPC logs can share the same cloud storage bucket.
  6. Navigate to Logs Route section.
  7. Click on Create Sink
  8. Provide a sink name.
  9. Select "Cloud Storage bucket" for sink service.
  10. Select the cloud storage bucket that was created above.

  11. In "Choose logs to include in sink" section, put in this string: logName:(projects/<project-id>/logs/compute.googleapis.com%2Fvpc_flows)

    Below steps are the same as mentioned in DNS query log for GCP. If you are sharing cloud storage bucket, you only need to perform below steps once.

  12. Click Create Sink.

  13. Navigate to IAM -> Roles
  14. Create a custom role with this permission: storage.buckets.list

  15. Create another custom role with following permission:

    storage.buckets.get storage.objects.get storage.objects.list

  16. Add both custom role to the service account created for Valtix Controller. When adding the second custom role, put this condition:
    (resource.type == "storage.googleapis.com/Bucket" || resource.type == "storage.googleapis.com/Object") && resource.name.startsWith('projects/_/buckets/<cloud storage name>')

  17. Navigate to Pub/Subs
  18. Click on Create Topic
  19. Provide a Topic name and click create.
  20. Click on Subscriptions. You will find that there is a subscription created for the topic that was just created.
  21. Edit the subscription.
  22. Change Delivery type as Push.
  23. Once Push is selected, enter in the endpoint URL: https://prod1-webhook.vtxsecurityservices.com:8093/webhook/<tenant name>/gcp/cloudstorage. Tenant name is assigned by Valtix. To see tenant name, navigate to Valtix Controller and click on your username.
  24. Click Update.
  25. Create a cloud storage notification by opening a Google cloud shell and execute this command: gsutil notification create -t <TOPIC_NAME> -f json gs://<BUCKET_NAME>