Use Cases to Scan GCP Environment

The following are a few common use cases for scanning a GCP environment. You must configure your virtual Scanner Appliance to communicate with the Qualys Enterprise TruRisk™ Platform over HTTPS (via firewall rules and proper routing).

Single Scanner to Scan Multiple Instances in a VPC in a Single Region

A single Qualys Scanner Appliance can be configured to scan multiple GCP VM instances running in a single VPC in a single region.

Multiple Scanners to Scan Multiple Instances in a VPC in a Single Region

Based on the number of VM Instances and scan frequency, multiple scanners might be required to scan multiple VM Instances in a subnet in a VPC. You can add more scanners based on requirements.

Single Scanner to Scan Multiple Instances Across Subnets in Different Regions in a VPC

A single scanner can reach multiple VM instances across different subnetworks in different regions within a single VPC.

Multiple Scanners to Scan Multiple Instances Across Subnets in Different Regions in a VPC

Based on the number of VM instances and scan frequency, multiple scanners might be required to scan multiple VM instances across subnets in different regions in a VPC. You can add more scanners based on requirements.

Single Scanner to Scan Multiple Instances Across Subnets in Different Regions Across Peered VPCs

A single scanner can reach multiple VM instances in different regions and subnets in a peered VPC.

Multiple Scanners to Scan Multiple Instances Across Subnets in Different Regions Across Peered VPCs

Based on the number of machines and scan frequency, multiple scanners might be required to scan multiple VM instances across peered VPCs in different regions.

Scanner Appliance Cannot Scan Instances in Non-Peered VPCs

The scanner's reachability is curtailed if the VPCs are not peered. In non-peered VPCs, scanners cannot reach the VM instances to launch a scan.

Scanner Appliance Cannot Scan Instances in VPCs with Overlapping IP Addresses

[Screenshot: VPC-A and VPC-B with an overlapping IP address range]

Due to reachability issues, a single scanner cannot scan VM instances in VPCs with overlapping IP addresses. Add more Scanner Appliances based on your requirements to allow scanning across VPC boundaries.

For the regions displayed in the sample screenshot, VPC peering cannot be configured between VPC-A and VPC-B because they have one overlapping IP address range (10.20.0.0/20). As a result, the Scanner Appliance in VPC-A cannot reach VM instances in VPC-B.
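The non-peered and overlapping-IP cases above can be checked before deploying an appliance. The following is an added example, not Qualys code: it classifies each VPC by whether a scanner placed in one VPC can reach it. The inventory and peering list are constructed; only the 10.20.0.0/20 overlap between VPC-A and VPC-B comes from this page, and the function names are hypothetical.

```python
import ipaddress

# Constructed inventory: VPC name -> subnet CIDR ranges. Only 10.20.0.0/20
# in VPC-A and VPC-B comes from the page; all other values are made up.
VPCS = {
    "VPC-A": ["10.20.0.0/20", "10.30.0.0/20"],
    "VPC-B": ["10.20.0.0/20", "10.40.0.0/20"],
    "VPC-C": ["10.50.0.0/20"],
    "VPC-D": ["10.60.0.0/20"],
}
# Constructed peerings (unordered pairs). VPC-D is deliberately left unpeered.
PEERINGS = {frozenset(("VPC-A", "VPC-C"))}


def overlaps(cidrs_a, cidrs_b):
    """Return sorted (range_a, range_b) pairs that overlap between two VPCs."""
    nets_a = [ipaddress.ip_network(c) for c in cidrs_a]
    nets_b = [ipaddress.ip_network(c) for c in cidrs_b]
    return sorted((str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b))


def coverage(scanner_vpc, vpcs, peerings):
    """Classify every VPC by whether a scanner in scanner_vpc can reach it."""
    result = {}
    for name, cidrs in vpcs.items():
        clash = overlaps(vpcs[scanner_vpc], cidrs)
        if name == scanner_vpc:
            result[name] = "reachable (scanner's own VPC)"
        elif clash:
            # Overlapping ranges: peering cannot be configured, so no route.
            ranges = ", ".join(f"{a} vs {b}" for a, b in clash)
            result[name] = f"unreachable: overlapping ranges ({ranges})"
        elif frozenset((scanner_vpc, name)) in peerings:
            result[name] = "reachable (peered)"
        else:
            result[name] = "unreachable: not peered"
    return result


def uncovered_vpcs(scanner_vpc, vpcs, peerings):
    """VPCs this scanner cannot reach; each needs peering or its own appliance."""
    cov = coverage(scanner_vpc, vpcs, peerings)
    return sorted(n for n, s in cov.items() if s.startswith("unreachable"))


if __name__ == "__main__":
    for vpc, status in coverage("VPC-A", VPCS, PEERINGS).items():
        print(f"{vpc}: {status}")
    print("Not covered from VPC-A:", uncovered_vpcs("VPC-A", VPCS, PEERINGS))
```

A VPC reported as "not peered" can be covered by peering it with the scanner's VPC, while one reported with overlapping ranges needs its own Scanner Appliance.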

To understand the scanning procedure, see Scanning Assets.