Step 3: Configure access
This section provides guidance on required post-deployment steps to complete your MDE installation.
Enable GKE cluster filestore driver
As of 1.4.0, the MDE GKE cluster uses a Filestore instance to store JVM heap dumps, which lets the engineering team troubleshoot customer issues more effectively. Due to Terraform restrictions, this add-on might not be enabled on Autopilot clusters of earlier versions. If pods fail to start and remain in the ContainerCreating state, enable the CSI driver for Filestore using the following command:
gcloud container clusters update CLUSTER_NAME \
--update-addons=GcpFilestoreCsiDriver=ENABLED --region REGION_NAME
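As an added diagnostic (not part of MDE or the Google Cloud documentation), the following Python script applies the check described above to JSON exported from kubectl and gcloud: it lists pods with a container waiting in ContainerCreating and reads the Filestore CSI add-on flag from the cluster description. The pod and cluster documents, their names, and the location of the add-on flag (addonsConfig.gcpFilestoreCsiDriverConfig.enabled) are assumptions constructed for this example; the remediation command it returns is the one given above.

```python
"""Added diagnostic (not MDE or Google Cloud code): find pods stuck in
ContainerCreating and check whether the Filestore CSI driver add-on is enabled.

Assumed inputs, constructed here so the script runs offline:
  - PODS_JSON: the shape printed by `kubectl get pods -A -o json`.
  - CLUSTER_JSON: the shape printed by
    `gcloud container clusters describe CLUSTER_NAME --region REGION_NAME --format=json`;
    the add-on flag is assumed to live at addonsConfig.gcpFilestoreCsiDriverConfig.enabled.
"""
import json

# Constructed sample: one healthy pod and one pod waiting on ContainerCreating.
PODS_JSON = """
{"items": [
  {"metadata": {"namespace": "mde", "name": "mde-api-0"},
   "status": {"phase": "Running",
              "containerStatuses": [{"name": "api", "state": {"running": {}}}]}},
  {"metadata": {"namespace": "mde", "name": "mde-ingestion-0"},
   "status": {"phase": "Pending",
              "containerStatuses": [{"name": "ingestion",
                                     "state": {"waiting": {"reason": "ContainerCreating"}}}]}}
]}
"""

# Constructed sample: cluster description with the add-on switched off.
CLUSTER_JSON = """
{"name": "mde-cluster",
 "addonsConfig": {"gcpFilestoreCsiDriverConfig": {"enabled": false}}}
"""


def stuck_in_container_creating(pod_list: dict) -> list[tuple[str, str]]:
    """Return (namespace, name) for every pod with a container waiting on ContainerCreating.

    Accepts either a List document (`items`) or a single Pod document.
    """
    items = pod_list.get("items", [pod_list])
    stuck = []
    for pod in items:
        meta = pod.get("metadata", {})
        status = pod.get("status", {})
        statuses = status.get("initContainerStatuses", []) + status.get("containerStatuses", [])
        for cs in statuses:
            reason = cs.get("state", {}).get("waiting", {}).get("reason")
            if reason == "ContainerCreating":
                stuck.append((meta.get("namespace", "default"), meta.get("name", "")))
                break
    return stuck


def filestore_csi_enabled(cluster: dict) -> bool:
    """Read the add-on flag; a missing field is treated as disabled."""
    cfg = cluster.get("addonsConfig", {}).get("gcpFilestoreCsiDriverConfig", {})
    return bool(cfg.get("enabled", False))


def diagnose(pod_list: dict, cluster: dict, cluster_name: str, region: str) -> dict:
    """Combine both checks; suggest the add-on update only when pods are stuck and it is off."""
    stuck = stuck_in_container_creating(pod_list)
    enabled = filestore_csi_enabled(cluster)
    action = None
    if stuck and not enabled:
        action = (f"gcloud container clusters update {cluster_name} "
                  f"--update-addons=GcpFilestoreCsiDriver=ENABLED --region {region}")
    return {"stuck_pods": stuck, "filestore_csi_enabled": enabled, "action": action}


def run_sample(cluster_name: str = "CLUSTER_NAME", region: str = "REGION_NAME") -> dict:
    """Run the diagnosis over the constructed samples above."""
    return diagnose(json.loads(PODS_JSON), json.loads(CLUSTER_JSON), cluster_name, region)


if __name__ == "__main__":
    report = run_sample()
    for ns, name in report["stuck_pods"]:
        print(f"stuck in ContainerCreating: {ns}/{name}")
    print("Filestore CSI driver enabled:", report["filestore_csi_enabled"])
    if report["action"]:
        print("suggested fix:", report["action"])
```

In practice, replace the two constants with the real command output (for example `kubectl get pods -A -o json > pods.json`), and confirm the cause with the mount error shown in the events of `kubectl describe pod` before changing the cluster add-ons.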
Configure Identity-Aware Proxy
Identity-Aware Proxy (IAP) lets you securely connect to the internal IPs of the MDE API and web interface, and, if you deployed the MDE web interface with the External Load Balancer option, restrict external access to it to only authorized users.
To use IAP, you must first enable the IAP service API and configure the OAuth consent screen:
- In the Google Cloud console, go to the Identity-Aware Proxy page and click Enable API. This operation may take several minutes to complete.
- Configure the OAuth consent screen for IAP:
  - In the Google Cloud console, go to the Security > Identity-Aware Proxy page and select the MDE deployment project.
  - If you haven't configured your project's OAuth consent screen, you'll be prompted to do so:
    - Click Configure consent screen.
    - Select the External user type and click Create.
    - Enter the Application name you want to display, for example MDE. Under User support email, select the email address you want to display as a public contact. The email address must belong to the logged-in user account or to a Google Group for which the logged-in user is a manager or owner.
    - Under Developer contact information, enter the email addresses you want Google to use to notify you about any changes to your project.
    - Add any optional details.
    - Click Save.
To change information on the OAuth consent screen later, such as the product name or email address, repeat the preceding steps to configure the consent screen.
SSH tunneling over IAP
To reach the private IPs of the MDE services, you can tunnel traffic to them through the proxy VM over SSH, which lets you use local tools such as Postman to interact with the MDE APIs.
Before you begin
Make sure you completed the general IAP configuration steps.
The standard MDE deployment creates a proxy VM called mde-proxy. This machine can proxy incoming requests to the MDE API gateway or the MDE web interface. The VM only has a private IP, but IAP lets you create a secure SSH tunnel to it using Identity-Aware Proxy (IAP) for TCP forwarding.
The rest of this section explains how to configure IAP for tunneling traffic to mde-proxy, and how to create a tunnel to it from your workstation:
1. In the Google Cloud console, go to the Identity-Aware Proxy page and click SSH AND TCP RESOURCES.
2. Grant users who are authorized to use IAP to connect to mde-proxy over IAP. Before users can use IAP to connect to mde-proxy, grant them the roles/iap.tunnelResourceAccessor role with the following instructions:
   - Select mde-proxy from the list.
   - Click Add Principal in the right side panel.
   - Type the email of the principal you want to grant access.
   - Select the IAP-secured Tunnel User role.
3. Create a tunnel to the MDE API using the following command:

   export MDE_PROXY_ZONE=$(gcloud compute instances list --filter="mde-proxy" \
     --format="value(zone)")
   gcloud compute ssh mde-proxy \
     --zone "$MDE_PROXY_ZONE" --tunnel-through-iap \
     -- -N -L 8080:api.mde.cloud.google.com:80

   After running the command, the MDE APIs are accessible under http://localhost:8080.
4. Create a tunnel to the MDE web interface. If you created a tunnel to the MDE API in Step 3, open a new terminal to execute the following command. The SSH tunnels to the MDE API and the MDE web interface can run in parallel.

   export MDE_PROXY_ZONE=$(gcloud compute instances list --filter="mde-proxy" \
     --format="value(zone)")
   gcloud compute ssh mde-proxy \
     --zone "$MDE_PROXY_ZONE" --tunnel-through-iap \
     -- -N -L 3000:ui.mde.cloud.google.com:80

   After running the command, the MDE web interface is accessible under http://localhost:3000.
Configure access to the web interface External HTTP Load Balancer
In this section, you will configure access to the MDE web interface External HTTP Load Balancer using IAP.
If you enabled the External HTTP Load balancer for the MDE web interface, you must use IAP to restrict access to the application to only authorized users.
Before you begin
Make sure you complete the following prerequisites:
- You deployed MDE with the MDE web interface.
- You deployed the MDE web interface with an External HTTP Load Balancer.
- You completed the general IAP configuration steps.
Steps
- In the Google Cloud console, go to the Identity-Aware Proxy page.
- Click Applications.
- Select the mde/mde-ui-ext-service service.
- Click the Enable toggle.
- Read and accept the configuration requirements.
- Click Turn On. This operation might take several minutes.
- Grant users who are authorized to use IAP to access the MDE web interface:
  - Click Add Principals in the right side panel.
  - Type the email of the principal you want to grant access.
  - Select the IAP-secured Web App User role.
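Once the IAP-secured Tunnel User and IAP-secured Web App User grants from the two sections above are in place, it is worth checking who actually holds them. The following Python script is an added example (not MDE or Google Cloud code) that audits an exported IAM policy and the web interface backend service: it lists the principals bound to each IAP role, flags grants that are broader than named users, groups and service accounts, and confirms IAP is switched on for the backend. The policy and backend documents, the principal names, and the `iap.enabled` field location are assumptions constructed for this example; the policy shape is the one printed by `gcloud projects get-iam-policy PROJECT --format=json` (or, for the instance-level grant, `gcloud compute instances get-iam-policy mde-proxy --zone ZONE --format=json`), and the backend shape is that of `gcloud compute backend-services describe NAME --global --format=json`.

```python
"""Added example (not MDE or Google Cloud code): audit who can reach MDE through IAP.

Assumed inputs, constructed here so the script runs offline:
  - POLICY_JSON: an IAM policy document as printed by `gcloud ... get-iam-policy --format=json`.
  - BACKEND_JSON: a backend service as printed by
    `gcloud compute backend-services describe NAME --global --format=json`;
    the IAP state is assumed to live under the `iap.enabled` field.
"""
import json

# The roles the IAP console labels "IAP-secured Tunnel User" and "IAP-secured Web App User".
TUNNEL_ROLE = "roles/iap.tunnelResourceAccessor"
WEB_ROLE = "roles/iap.httpsResourceAccessor"

# Members that turn the IAP check into "any Google account" instead of a named allow-list.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy: a sound tunnel grant, and a web grant that is too broad.
POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/iap.tunnelResourceAccessor",
     "members": ["user:ops-admin@example.com", "group:mde-operators@example.com"]},
    {"role": "roles/iap.httpsResourceAccessor",
     "members": ["group:mde-users@example.com", "allAuthenticatedUsers"]},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]}
  ],
  "etag": "CONSTRUCTED",
  "version": 1
}
"""

# Constructed sample backend service with IAP enabled (client id is a placeholder).
BACKEND_JSON = """
{"name": "mde-ui-ext-service-backend",
 "iap": {"enabled": true, "oauth2ClientId": "CLIENT_ID_PLACEHOLDER"}}
"""


def members_with_role(policy: dict, role: str) -> list[str]:
    """Every member bound to `role`, merged across bindings (conditional ones included)."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return sorted(members)


def broad_grants(members: list[str]) -> list[str]:
    """Grants that go beyond named users, groups and service accounts and need review."""
    return [m for m in members if m in PUBLIC_MEMBERS or m.startswith("domain:")]


def iap_enabled(backend_service: dict) -> bool:
    """If IAP is off, the external load balancer serves the web interface to anyone."""
    return bool(backend_service.get("iap", {}).get("enabled", False))


def audit(policy: dict, backend_service: dict) -> dict:
    """Summarise the access configuration and collect findings to act on."""
    tunnel = members_with_role(policy, TUNNEL_ROLE)
    web = members_with_role(policy, WEB_ROLE)
    report = {
        "tunnel_members": tunnel,
        "tunnel_broad": broad_grants(tunnel),
        "web_members": web,
        "web_broad": broad_grants(web),
        "iap_enabled": iap_enabled(backend_service),
        "findings": [],
    }
    for m in report["tunnel_broad"]:
        report["findings"].append(f"{m} can open IAP tunnels to mde-proxy")
    for m in report["web_broad"]:
        report["findings"].append(f"{m} can pass IAP for the MDE web interface")
    if not report["iap_enabled"]:
        report["findings"].append("IAP is not enabled on the web interface backend service")
    return report


def run_sample() -> dict:
    """Run the audit over the constructed inputs above."""
    return audit(json.loads(POLICY_JSON), json.loads(BACKEND_JSON))


if __name__ == "__main__":
    result = run_sample()
    print("tunnel users:", ", ".join(result["tunnel_members"]))
    print("web app users:", ", ".join(result["web_members"]))
    for line in result["findings"] or ["no findings"]:
        print("finding:", line)
```

Feed it the real exports to review the grants made from the console; `domain:` members are reported for review rather than treated as errors, since a whole-organisation grant may be intended for the web interface but is rarely appropriate for the SSH tunnel.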
Configure DNS for MDE web interface
If you enabled the External HTTP Load Balancer for the MDE web interface, you must set the A record of the domain name you assigned to the variable MDE_UI_DOMAIN_NAME in input.tfvars to the IP address of the deployed external HTTP load balancer, in order to finish provisioning the Google-managed SSL certificate.
You can look up the IP address of the external HTTP balancer with the following command:
gcloud compute addresses list --filter="name~'.*mde-ui.*'" --format="value(address)" --global
Consult your DNS host for details on how to create an A record.