FenixDFA GCP Backup and Disaster Recovery Integration Guide
Overview
This document describes the integration process between FenixDFA and Google Cloud Platform (GCP) Backup and Disaster Recovery service, detailing the required configuration steps and data needed for successful integration.
Prerequisites
- Active GCP project with Backup and Disaster Recovery service enabled
- Service account with appropriate permissions
- Google Cloud SDK or access to GCP Console
- Enabled Cloud Logging API for capturing execution logs
Configuration Process
1. GCP Project Setup
- Ensure that the Backup and Disaster Recovery service is enabled in your GCP project.
- Navigate to the GCP Console and verify that backup vaults and backup plans are accessible.
- Enable the Cloud Logging API to capture execution logs.
2. Service Account Configuration
-
Create a Service Account:
- Go to IAM & Admin > Service Accounts in the GCP Console
- Click “Create Service Account”
- Provide a name and description for the service account
- Click “Create and Continue”
-
Assign Required Permissions: The service account must have the following permissions:
backupdr.backupPlans.list– List backup plansbackupdr.backupVaults.list– List backup vaultsbackupdr.bvbackups.list– List backupsbackupdr.bvdataSources.list– List backup data sourceslogging.logEntries.list– List log entries
You can create a custom role with these permissions or use predefined roles that include them.
-
Generate Service Account Key:
- Select the created service account
- Go to the “Keys” tab
- Click “Add Key” > “Create new key”
- Select “JSON” format
- Download and securely store the credentials file
3. Configure Log Viewer
- Navigate to Logging > Logs Explorer in the GCP Console
- Ensure that the Log Viewer is properly configured to capture Backup and DR logs
- Verify that log retention policies meet your requirements
- Set up appropriate log filters if needed
4. Configure the Importer
To configure the FenixDFA GCP Backup and DR Importer, provide the following details:
Configuration
project_id // GCP Project ID (e.g., "my-project-123456")
location // GCP Region (e.g., "us-east4", "europe-west1")
credentials_file // content from JSON credentials file
Service Account Credentials File Structure
The JSON credentials file should contain the following structure:
{
"type": "service_account",
"project_id": "your-project-id",
"private_key_id": "key-id",
"private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
"client_email": "service-account@your-project-id.iam.gserviceaccount.com",
"client_id": "client-id",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/..."
}
Security Best Practices
-
Credential Management:
- Store the service account JSON file in a secure location
- Restrict file permissions to authorized users only
- Consider using secret management services for production environments
-
Principle of Least Privilege:
- Grant only the minimum required permissions
- Regularly review and audit service account permissions
-
Monitoring:
- Enable audit logs for all Backup and DR operations
- Set up alerts for unauthorized access attempts
- Monitor service account usage patterns
Troubleshooting
Common Issues
-
Permission Denied Errors:
- Verify that all required permissions are granted to the service account
- Check if the service account is active and not disabled
-
Invalid Credentials:
- Ensure the JSON credentials file is not corrupted
- Verify the service account key has not expired
-
Location Not Found:
- Confirm that the specified location is valid and available
- Check if Backup and DR service is available in the selected region
-
Missing Logs:
- Verify that Cloud Logging API is enabled
- Check log retention settings
- Ensure the service account has logging permissions
Support
For additional support or questions regarding the integration, please contact the FenixDFA support team.