Deploy SEM on Google Cloud Platform (GCP)

To deploy Security Event Manager (SEM) on Google Cloud Platform (GCP), perform the following procedures:

Prerequisites

• Confirm the shielded VM policy is not enforced (SEM does not support it).

• Confirm you have access to Google Cloud with the permissions listed in the table below.

  Action	Recommended Roles
  Create bucket	Storage Admin
  Manage bucket objects	Storage Object Admin
  Use Migrate to Virtual Machines to import images	VM Migration Administrator
  Create VM instance and virtual disks	Compute Instance Admin (v1)
  Create network and add firewall rules	Compute Network Admin

Use command line steps

If using command line steps:

• Install gcloud locally. For instructions, see Install the gcloud CLI.

• Run gcloud init beforehand, authorizing and setting defaults, like project, region, and zone.

• In Notepad, customize required variables with your own values and copy-paste them from Notepad to PowerShell to initialize the variables.

  Click for command line variables.

  # Stop the execution if any of commands fail
  $ErrorActionPreference = "Stop"
  
  $OVA_PATH = "${env:USERPROFILE}\Downloads\SolarWinds-SEM-2024.4-Appliance-VMWare.ova" # local path to downloaded SEM appliance OVA file
  $OVA_EXTRACTED_DIR = "${env:TEMP}\OVA" # local temp dir to hold extracted OVA contents
  $GS_BUCKET = "gs://sem-temp" # bucket to where SEM virtual disks will be uploaded
  $REGION = "$( gcloud config get-value compute/region )" # your region
  $ZONE = "$( gcloud config get-value compute/zone )" # your zone
  $PROJECT = "$( gcloud config get-value project )" # your project
  $NETWORK = "sem-vpc" # your network where SEM should be deployed
  $NETWORK_TIER = "STANDARD" # desired network tier for Cloud NAT
  $SUBNET = "sem-subnet" # your subnet where SEM should be deployed
  $SUBNET_RANGE = "10.0.0.0/24" # your subnet address range
  $INSTANCE_NAME = "sem-appliance" # name of the SEM VM instance
  $MACHINE_TYPE = "e2-standard-2" # desired machine type, see SEM requirements
  $SYS_IMAGE_NAME = "sem-system" # name of imported SEM system image
  $SYS_DISK_TYPE = "pd-balanced" # system (boot) disk type
  $DATA_IMAGE_NAME = "sem-data" # name of imported SEM data image
  $DATA_DISK_TYPE = "pd-balanced" # data (logs) disk type
  $DATA_DISK_SIZE = 228 # data disk size (in GB), 228 is a minimum allowed
  $INGRESS_RANGES = $SUBNET_RANGE # allowed source ranges for ingress traffic, comma separated
  $EGRESS_RANGES = $SUBNET_RANGE # allowed destination ranges for egress traffic, comma separated
  $INGRESS_RULES = "tcp:22,tcp:443,tcp:37890,tcp:37891,tcp:37892" # firewall ingress rules, see SEM port requirements
  $FW_TARGET_TAG = "sem-appliance" # target instance tag to apply firewall rules to

Upload SEM disks to Google Cloud Storage (GCS)

1. Download the SEM distribution OVA file from the SolarWinds Customer Portal.

2. Open the downloaded OVA file with a zip archiver (for example, 7Zip or tar) and extract *.vmdk files (for example, lem-disk1.vmdk, lem-disk2.vmdk).

   Click for PowerShell code.

   # Check OVA file exists
   if (-not (Test-Path -Path $OVA_PATH)) {
       Write-Host "Error: OVA file '$OVA_PATH' does not exist."
       return
   }
   
   # Remove dir if exists
   Remove-Item -Path $OVA_EXTRACTED_DIR -Recurse -Force -ErrorAction SilentlyContinue
   
   # Create temp dir to hold OVA contents
   New-Item -ItemType Directory -Path $OVA_EXTRACTED_DIR -Force | Out-Null
   
   # Extract OVA contents to temp dir
   tar -xf $OVA_PATH -C $OVA_EXTRACTED_DIR
   

3. (Optional) Create a GCS bucket.

   1. Go to Cloud Storage > Buckets.

   2. Click Create.

   3. Enter a globally unique name for your bucket (for example, sem-temp).

   4. Under Location type, select the region where you want your data stored (for example, europe-west3).

   5. Scroll to the end of the form and click Create.

   6. If prompted, check Enforce public access prevention on this bucket, and click Confirm.

      Click for PowerShell code.

      # Create GCS bucket
      gsutil mb -l $REGION $GS_BUCKET
      

4. Upload the VMDK files to your bucket.

   1. On the bucket toolbar, click Upload > Upload files.

   2. In the folder with your extracted OVA file, select lem-disk1.vmdk and lem-disk2.vmdk.

   3. Wait for the upload to finish and for both files to appear in the bucket (this can take a while).

      Click for PowerShell code.

      # Check OVA file exists
      if (-not (Test-Path -Path $OVA_PATH)) {
          Write-Host "Error: OVA file '$OVA_PATH' does not exist."
          return
      }
      
      # Remove dir if exists
      Remove-Item -Path $OVA_EXTRACTED_DIR -Recurse -Force -ErrorAction SilentlyContinue
      
      # Create temp dir to hold OVA contents
      New-Item -ItemType Directory -Path $OVA_EXTRACTED_DIR -Force | Out-Null
      
      # Extract OVA contents to temp dir
      tar -xf $OVA_PATH -C $OVA_EXTRACTED_DIR
      

Import SEM virtual disks as images using Migrate to Virtual Machines

1. Go to Compute Engine > Migrate to Virtual Machines.

2. If prompted, enable Migrate to Virtual Machines services.

   Click for PowerShell code.

   # Enable services needed for VM Migration
   gcloud services enable vmmigration.googleapis.com servicemanagement.googleapis.com servicecontrol.googleapis.com iam.googleapis.com cloudresourcemanager.googleapis.com compute.googleapis.com
   

3. Go to the Targets tab, and ensure your current project is listed. If not, click Add and select your project to add it.

4. Grant bucket access permissions for the Migrate to Virtual Machines default service account.

   1. Copy the Migrate to Virtual Machines default service account (for example, service-123456789@gcp-sa-vmmigration.iam.gserviceaccount.com), written above the Target projects label.

   2. Go to Cloud Storage > Buckets.

   3. Click your bucket (for example, sem-temp) and click the Permissions tab.

   4. Click Grant Access and in the New principals field, paste the Migrate to Virtual Machines default service account you previously copied.

   5. In the Select a role field, select Storage Object Viewer.

   6. Click Save.

      Click here for PowerShell code.

      $SA = "service-123456789@gcp-sa-vmmigration.iam.gserviceaccount.com" # specify your service account used for VM migration service $ROLE = "objectViewer
      
      # Grant VM Migration Service Account permissions to access your bucket
      gsutil iam ch "serviceAccount:${SA}:${ROLE}" $GS_BUCKET

5. Go to Compute Engine > Migrate to Virtual Machines > Image Imports tab.

6. Click Create Image.

   1. In the Name field, enter an image name that corresponds to the virtual disk being imported (for example, sem-system and sem-data for lem-disk1 and lem-disk2).

   2. In the Source Cloud Storage file, select the virtual disk (for example, lem-disk1.vmdk and lem-disk2.vmdk) from your bucket.

   3. In the Region field, select your region (for example, europe-west3).

   4. In the Target project field, ensure the correct Target project is selected (it should correspond to the project where you want to import SEM images).

   5. Switch on Skip OS adaptation.

   6. Click Create.

   7. Wait until both sem-system (lem-disk1.vmdk) and sem-data (lem-disk2.vmdk) are imported successfully (this can take a while).

   8. After the images are successfully imported, select both imports and click Delete (this only deletes the import job, not the images themselves).

7. Repeat step 6 for your second virtual disk.

(Optional) Create a VPC and subnet for SEM

If you already have your network, and you want to deploy SEM into it, skip this step.

1. Go to VPS Network > VPC networks.

2. Click Create VPC Network.

3. Enter a name for your network (for example, sem-vpc).

4. Scroll to the Subnets tab and click Add Subnet.

   1. Enter a name for your subnet (for example, sem-subnet).

   2. Select Region for your subnet (for example, europe-west3).

   3. Type IPv4 range (for example, 10.0.0.0/24).

   4. Click Done.

5. Click Create.

   Click here for PowerShell code.

   # Create a network where SEM will be deployed
   gcloud compute networks create $NETWORK `
       --project=$PROJECT `
       --subnet-mode=custom `
       --bgp-routing-mode=regional `
       --mtu=1460
       
   # Create a subnet where SEM will be deployed
   gcloud compute networks subnets create $SUBNET `
       --project=$PROJECT `
       --network $NETWORK `
       --region $REGION `
       --range $SUBNET_RANGE
   

Configure firewall rules for SEM appliance

The default values provided below illustrate basic SEM appliance ingress traffic, like SSH, HTTPS, and agent communications, in a scope of local network. It uses a target tag that can be put to a specific VM instance to apply these rules to.

1. Click the name of your network (for example, sem-vpc).

2. Go to Firewalls tab and click Add Firewall Rule.

3. For ingress rule:

   1. Enter the name of your rule (for example, allow-sem-appliance-ingress).

   2. For Direction of traffic, select Ingress.

   3. For Targets, select Specified target tags.

   4. Enter Target tags (for example, sem-appliance).

   5. For Source filter, select IPv4 ranges.

   6. Enter Source IPv4 ranges that should be allowed to connect to SEM appliance (for example, 10.0.0.0/24).

   7. For Protocol and ports, select Specified protocols and ports.

   8. Check TCP and enter ports that should be allowed, separated by comma (for example, 22,443,37890,37891,37892).

   9. Click Create.

      Click here for PowerShell code.

      # Create ingress rules for SEM
      gcloud compute firewall-rules create allow-sem-appliance-ingress `
          --direction=INGRESS `
          --priority=1000 `
          --network=$NETWORK `
          --action=ALLOW `
          --rules=$INGRESS_RULES `
          --source-ranges=$INGRESS_RANGES `
          --target-tags=$FW_TARGET_TAG

Configure Cloud NAT gateway for outbound connections from the SEM private VM

SEM VM is deployed without a public IP address, meaning, it can't be reached from the internet and SEM itself can't reach the internet. SEM relies on multiple external resources that are part of SEM functionality, in particular:

• Threat Intelligence: Fetches a database of vulnerable IP addresses from external resource

• Connector Updates: Updates the connectors with new releases from SolarWinds resource

• Microsoft 365 monitoring: Connects to user-specified tenant on Microsoft resource

• Licensing: Online activation contacts SolarWinds resource

• SWIP: Sends anonymous usage/diagnostic data for product improvement to SolarWinds resource

In order for these resources to be reachable from SEM that does not have an external IP, Cloud NAT gateway needs to be configured, as described below:

1. Go to Network Services > Cloud NAT (or search for it from the search bar at the top).

2. Click Get started or Create Cloud NAT Gateway.

3. Set Gateway name to sem-nat-config.

4. Select Public for NAT type.

5. Select your Network where SEM VM is deployed (for example, sem-vpc).

6. Select your Region (for example, europe-west3).

7. Under Cloud Router, click Create New Router.

   1. Set Name of the router (for example, nat-router-europe-west3).

   2. Click Create.

8. Under Cloud NAT mapping section.

   1. Select VM instances, GKE nodes, Serverless for Source endpoint type.

   2. Select Primary and secondary ranges for all subnets for Source endpoint type.

   3. Select Automatic for Cloud NAT IP addresses.

   4. Select your Network Service Tier (for example, Standard).

9. Click Create.

   Click here for PowerShell code.

   # Create Cloud Router instance in your region for your network
   gcloud compute routers create "nat-router-${REGION}" `
       --network $NETWORK `
       --region $REGION
   
   # Configure the router for Cloud NAT    
   gcloud compute routers nats create sem-nat-config `
       --router-region $REGION `
       --type PUBLIC `
       --router "nat-router-${REGION}" `
       --nat-all-subnet-ip-ranges `
       --auto-allocate-nat-external-ips `
       --auto-network-tier=$NETWORK_TIER
   

Create SEM VM instance from imported images

The SEM instance is created without external address (NAT) because it is not recommended to expose SEM to the internet.

1. Go to Compute Engine > Images.

2. Find and click the name of the previously imported system image (for example, sem-system).

3. Click Create Instance.

4. Enter Name (for example, sem-appliance).

5. Select your Region (for example, europe-west3) and Zone (for example, europe-west3-c).

6. Under Machine configuration, select Machine type (for example, e2-standard-2). See SEM system requirements for hardware requirements.

7. Scroll to Advanced options and expand Networking.

   1. Enter Network tags (for example, sem-appliance).

   2. Under Network interfaces, select your Network (for example, sem-vpc) and Subnetwork (for example, sem-subnet).

   3. For External IPv4 address, select None.

8. Expand Disks and backups section.

   1. Click Add New Disk.

   2. In the Name field, enter a name for the new disk (for example, sem-data).

   3. For Disk source type, select Image.

   4. For Source image, select your SEM data image (for example, sem-data).

   5. For Disk type, select the applicable disk type (for example, Balanced persisted disk).

   6. For Size, select applicable size for SEM data disk (for example, 228).

   7. Click Save.

   8. Click Create.

      Click here for PowerShell code.

      # Create SEM VM instance
      gcloud compute instances create $INSTANCE_NAME `
          --project=$PROJECT `
          --zone=$ZONE `
          --machine-type=$MACHINE_TYPE `
          --network-interface="network=${NETWORK},subnet=${SUBNET},stack-type=IPV4_ONLY,no-address" `
          --tags=$FW_TARGET_TAG `
          --create-disk="auto-delete=no,boot=yes,device-name=sem-system,image=projects/${PROJECT}/global/images/${SYS_IMAGE_NAME},mode=rw,size=22,type=${SYS_DISK_TYPE}" `
          --create-disk="auto-delete=no,boot=no,device-name=sem-data,image=projects/${PROJECT}/global/images/${DATA_IMAGE_NAME},mode=rw,size=${DATA_DISK_SIZE},type=$DATA_DISK_TYPE"
      
      # Get the internal IP
      $internalIp = $(gcloud compute instances describe $INSTANCE_NAME --format='get(networkInterfaces[0].networkIP)')
      Write-Host "SEM appliance internal IP: $internalIp. Use jump-box, IAP or VPN to access SSH and Web UI."
      Write-Host "Example: using jump-box, access SSH with 'ssh cmc@$internalIp' or Web UI using browser at URL 'https://$internalIp'."
      

Clean up virtual disk images

1. Clean up the local extracted OVA temp directory.

   Click here for PowerShell code.

   # Cleanup directory with extracted OVA
   Remove-Item -Path $OVA_EXTRACTED_DIR -Recurse -Force
   

2. Clean up the virtual disk images from your GS bucket.

   1. Go to Cloud Storage > Buckets.

   2. Click the name of your bucket (for example, sem-appliance).

   3. Select both SEM virtual disks (for example, lem-disk1.vmdk and lem-disk2.vmdk).

   4. Click Delete and confirm it, if prompted.

      Click here for PowerShell code.

      # Cleanup virtual disk images from GS bucket
      gsutil rm "$GS_BUCKET/lem-disk1.vmdk" "gs://$gsBucket/lem-disk2.vmdk"
      

3. (Optional) Delete your temporary GS bucket.

   1. Go back to Buckets.

   2. Select your bucket (for example, sem-temp).

   3. Click Delete and confirm the deletion, if prompted.

      Do not delete your own bucket you actually use to store different objects. ONLY delete the buckets created to temporarily store SEM virtual disks.

      Click here for PowerShell code.

      # Delete temporary GS bucket
      gsutil rm $GS_BUCKET

Access, manage, and troubleshoot SEM appliance

1. Use bastion-host (jump-box), IAP or VPN to access SSH (CMC user) and Web UI (over HTTPS ).
2. Connect via SSH as CMC user using the default password, and change the CMC password to your own. The support key can also be seen under CMC user screen.
3. Access the Web UI from the browser, where you need to on-board before starting to use SEM.

Access BSOL over serial port connection

For troubleshooting, especially if SSH connection does not work, an interactive BSOL (Blue Screen of Life) can be accessed under serial port connection (if serial port is enabled). When deployed on Google Cloud, SEM exposes interactive BSOL on /dev/ttyS0, which corresponds to VM port 1.

Accessing serial console from a browser requires IAP or SSH to be allowed for everyone, for example, 0.0.0.0/0.

To use serial port connection for troubleshooting, follow these steps:

1. Temporarily allow serial port connection for the project (if the opposite is enforced).

   Click here for PowerShell code.

   # Temporary allow serial port connection for project
   gcloud resource-manager org-policies disable-enforce \
       --project $PROJECT compute.disableSerialPortAccess
   

2. Temporarily enable serial port connection for the VM instance.

   1. Go to Compute Engine > VM Instances.

   2. Click the name of your SEM instance (for example, sem-appliance).

   3. Click Edit.

   4. Under the Remote access section, toggle the Enable connecting to serial ports checkbox.

   5. Click Save.

      Click here for PowerShell code.

      # Temporary enable serial port connection for VM instance
      gcloud compute instances add-metadata $INSTANCE_NAME \
          --metadata serial-port-enable=TRUE
      

3. Access the BSOL on a serial port 2 to troubleshoot (further logging in as CMC or root).

   Click here for PowerShell code.

   # Access the interactive BSOL on serial port 1
   gcloud compute --project=$PROJECT connect-to-serial-port $INSTANCE_NAME --zone=$ZONE --port=1
   

4. After troubleshooting is done, disable the serial port connection for the VM (follow step 2) and restore the project policy (if it was initially enforced).

   Click here for PowerShell code.

   # Disallow serial port connection for project (if it was disallowed initially)
   gcloud resource-manager org-policies enable-enforce \
       --project $PROJECT compute.disableSerialPortAccess
   
   # Disallow serial port connection for VM instance
   gcloud compute instances add-metadata $INSTANCE_NAME \
       --metadata serial-port-enable=FALSE