Installing the Data Processor in GCP Using Separate DL-m/DA-m VMs

This topic describes how to deploy the data processor (DP) with separate Data Lake Master (DL-m) and Data Analyzer Master (DA-m) VMs in GCP. This model also provides optional cluster support, so you can deploy additional DL and DA worker nodes as you need to scale up capacity and retention.

You can also deploy the DP as an all-in-one (AIO), with both the DL and the DA on the same VM. However, this model does not provide the efficiency and scalability of installing components on separate VMs. Stellar Cyber recommends using either the standard model described here or scaling up to a cluster.

Deployment Summary

Deployment of Stellar Cyber in GCP using separate DL-m and DA-m VMs consists of the following major steps:

Before You Begin

Make sure the target system meets the minimum system requirements for installing a DP. The installation requires:

  • You must have a GCP account with sufficient budget authorization to deploy Stellar Cyber. The instance must have:

  • GCP Security Groups
  • Management IP addresses for all VMs:

    • 1 public IP address for each non-clustered DP (for management access).

    • 2 public IP addresses for each DP in a cluster (1 for management access, and 1 for the cluster).

    • 1 public IP address for each security sensor (SS), if the SS will be receiving packets or logs from a sensor or application outside of GCP.

  • Open ports on your firewall

  • Login credentials and One Time Password (OTP) from Stellar Cyber

The internal network of the DP uses the 172.17.0.0/16 and 10.244.x.0/24 subnets. If you use these subnets elsewhere in your network, change them to avoid conflicts. If you cannot change them, contact Stellar Cyber technical support.

Firewall Ports

You must open ports on your firewall for communication.

If you configure the DP as a cluster, all nodes must be in the same VPC, and all ports between the nodes must be open.

Open All TCP Ports Between Internal Addresses of Clustered VMs

All TCP ports must be open between the internal network addresses of cluster VMs. For example, if the DL-m is on 172.31.7.0/24 and the DA-m is on 172.31.10.0/24:

  • The DL-m must have a rule that allows all inbound TCP traffic from the 172.31.10.0/24 subnet.

  • The DA-m must have a rule that allows all inbound TCP traffic from the 172.31.7.0/24 subnet.

Stellar Cyber recommends that you add a firewall rule that allows all traffic for clustered VMs (or just the DA and DL VMs in a standard deployment) and set the priority of that rule higher than the standard rule for the VPC.
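
The following added example (not Stellar Cyber code) audits an exported rule set against the requirement above, using the page's 172.31.7.0/24 and 172.31.10.0/24 subnets. It assumes the JSON shape produced by `gcloud compute firewall-rules list --format=json`; the rule names and the dl-m / da-m network tags are hypothetical. In GCP a lower priority number means a higher priority, and at equal priority a deny rule wins over an allow rule.

```python
import ipaddress

# Constructed sample rules; names and target tags are hypothetical.
RULES = [
    {"name": "vpc-standard", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["172.31.0.0/16"],
     "denied": [{"IPProtocol": "tcp", "ports": ["1-1023"]}]},
    {"name": "dp-dl-from-da", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["172.31.10.0/24"], "targetTags": ["dl-m"],
     "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "dp-da-from-dl", "direction": "INGRESS", "priority": 1100,
     "sourceRanges": ["172.31.7.0/24"], "targetTags": ["da-m"],
     "allowed": [{"IPProtocol": "tcp"}]},
]

def _tcp(entries, whole_range):
    """True if an entry matches TCP; with whole_range, only if it has no port list."""
    return any(e["IPProtocol"] in ("tcp", "all")
               and not (whole_range and e.get("ports")) for e in entries)

def all_tcp_open(rules, src_cidr, target_tag):
    """True if every TCP port is reachable from src_cidr on VMs tagged target_tag."""
    src = ipaddress.ip_network(src_cidr)
    deciding = []
    for r in rules:
        if r.get("direction", "INGRESS") != "INGRESS" or r.get("disabled"):
            continue
        tags = r.get("targetTags")
        if tags and target_tag not in tags:
            continue  # rule is scoped to other instances
        nets = [ipaddress.ip_network(c) for c in r.get("sourceRanges", [])]
        prio = r.get("priority", 1000)
        if r.get("denied"):
            # Any TCP deny that overlaps the peer subnet closes at least one port.
            if _tcp(r["denied"], False) and any(src.overlaps(n) for n in nets):
                deciding.append((prio, 0, False))
        elif _tcp(r.get("allowed", []), True) and any(src.subnet_of(n) for n in nets):
            deciding.append((prio, 1, True))
    # Lowest number wins; on a tie the deny (0) sorts ahead of the allow (1).
    # With no deciding rule, GCP's implied rule denies ingress.
    return min(deciding)[2] if deciding else False

if __name__ == "__main__":
    for src, tag in (("172.31.10.0/24", "dl-m"), ("172.31.7.0/24", "da-m")):
        print(f"{src} -> {tag}: all TCP open = {all_tcp_open(RULES, src, tag)}")
```

In the sample, the DA-m rule fails the check because its priority value (1100) is numerically larger than the VPC rule's (1000), so the deny is evaluated first.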

One Time Password

Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials and a one-time password (also known as a License Key).

You will need to provide:

  • The GCP Console login email
  • The GCP region for the DP, security sensors, and network sensors

Complete this step at least a day before installing so Stellar Cyber has enough time to deploy the images to your region.

After license activation, you can find the OTP for your installation on the Licensing page.

Minimum System Requirements

Selecting GCP Machine Types for Stellar Cyber VMs

Select GCP Machine Types for Stellar Cyber VMs based on your planned data ingestion.

Each DL instance should have at least:

  • Instance: e2-highmem-16
  • CPUs: 16
  • Memory: 128 GB
  • Boot Disk: 512 GB (SSD)
  • Storage Disk: 1024-2048 GB

Each DA instance should have at least:

  • Instance: e2-standard-16
  • CPUs: 16
  • Memory: 64 GB
  • Boot Disk: 512 GB (SSD)

Configure the number of Data Analyzers and Data Lakes based on your ingestion requirements:

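| Data Ingestion (GB) | Data Replica? | DA Count | DL Count | Tenants | Reports | ATH Playbooks | Concurrent Sessions | Notes |
|---|---|---|---|---|---|---|---|---|
| 50 | N/A | N/A | 1 | 10 | 10 | 100 | 5 | AIO |
| 100 – 250 | N/A | 1 | 1 | 25 | 100 | 1000 | 15 | Without multi-tenancy, can support 300 GB ingestion |
| 300 | N/A | 1 | 2 | 50 | 100 | 1000 | 15 | |
| 350 | N/A | 2 | 2 | 50 | 100 | 1000 | 15 | |
| 500 | No | 2 | 2 | 75 | 200 | 1500 | 20 | MDS mode required |
| 600 | No | 2 | 3 | 75 | 300 | 2000 | 30 | |
| 900 | No | 3 | 4 | 100 | 400 | 3000 | 45 | |
| 400 | Yes | 2 | 3 | 75 | 300 | 2000 | 30 | |
| 600 | Yes | 2 | 4 | 100 | 400 | 3000 | 45 | |
| 800 | Yes | 3 | 4 | 100 | 400 | 2000 | 45 | MDS mode enabled |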