Overview

This guide provides step-by-step instructions for installing and configuring Enigma’s traffic analysis solution in your Google Cloud Platform (GCP) environment. The Enigma solution enables comprehensive monitoring and analysis of network traffic to enhance your cybersecurity posture.

Architecture

The Enigma solution’s architecture consists of:

1. Traffic Sources: Your existing VMs and resources in GCP that generate network traffic
2. Packet Mirroring: GCP’s built-in capability to copy network traffic without service disruption
3. Enigma Collector(s): Specialized VM instances that process and analyze network traffic
4. Enigma AI Dashboard: Web interface for viewing analysis results and security insights

Prerequisites

Before beginning the installation, ensure you have:

• A GCP account with appropriate permissions to:
  • Create and modify VPC networks and subnets
  • Create and configure VM instances
  • Configure load balancers
  • Set up packet mirroring policies
• An existing VPC network with running workloads
• Your unique Employee ID provided by your Enigma representative

Deployment Options

Enigma offers three deployment options to accommodate different organizational needs:

Option 1: Dedicated Subnet Deployment (Standard)

Overview: Deploy the Enigma collector in a dedicated subnet within your existing VPC.

Advantages:

• Clean separation prevents recursive traffic capture
• Simple to implement and maintain
• Clear network boundaries
• Minimal configuration changes to existing infrastructure

Technical Architecture:

• Existing VPC with workload subnet(s)
• New dedicated subnet for Enigma collector
• Within the same GCP region

Option 2: Dedicated VPC Deployment (Enhanced Isolation)

Overview: Deploy the Enigma collector in a completely separate VPC dedicated to security monitoring.

Advantages:

• Complete isolation of security monitoring infrastructure
• Can monitor multiple VPCs from one central location
• Enhanced security control and governance
• Follows security best practices for isolation

Technical Architecture:

• New security-focused VPC for Enigma
• VPC peering between existing VPC(s) and security VPC
• Cross-VPC packet mirroring configuration

Option 3: Multi-Region Deployment (Global Coverage)

Overview: Deploy multiple Enigma collectors across different GCP regions for distributed environments.

Advantages:

• Minimizes cross-region data transfer costs
• Provides regional data sovereignty options
• Optimizes for performance with local traffic analysis
• Comprehensive coverage across geographic locations

Technical Architecture:

• Multiple regional deployments (either as separate subnets or VPCs)
• Region-specific packet mirroring policies
• Distributed collection with centralized visibility

Deployment Instructions

Option 1: Dedicated Subnet Deployment (Standard)

Follow these steps to deploy the Enigma collector in a dedicated subnet within your existing VPC:

1. Create Collector Subnet

1. Navigate to VPC network > VPC networks
2. Select your existing VPC and go to the Subnets tab
3. Click Add subnet
4. Configure the subnet:
   • Name: enigma-collector-subnet
   • Region: Same as your existing subnet(s)
   • IP address range: Choose an available CIDR block (e.g., 10.0.2.0/24)
   • Private Google access: Enabled (recommended)
5. Click Create

2. Create Collector VM Instance

1. Go to Compute Engine > VM instances
2. Click Create instance
3. Configure the instance:
   • Name: enigma-collector
   • Region/Zone: Same as your workload subnet
   • Machine type: e2-medium (minimum recommended)
   • Boot disk: Ubuntu 20.04 LTS, CentOS 7, or Rocky Linux 8
   • Network: Your existing VPC
   • Subnetwork: The collector subnet created in step 1
   • Network tags: Add enigma-collector tag for firewall rules
4. Click Create

3. Install Enigma Agent

Based on the VM’s OS please use one of the following docs to install Enigma Agent on the VM:

• Ubuntu/Debian Agent Install

4. Configure Packet Mirroring

1. Go to VPC network > Packet mirroring
2. Click Create packet mirroring policy
3. Configure the policy:
   • Name: enigma-traffic-mirror
   • Region: Same as your VM instances
   • Network: Your VPC
   • Source: Your workload subnet(s)
   • Mirrored traffic: All traffic (or configure filters as needed)
   • Collector: The Enigma collector VM
4. Click Create

Option 2: Dedicated VPC Deployment (Enhanced Isolation)

1. Create Security VPC

1. Navigate to VPC network > VPC networks
2. Click Create VPC network
3. Configure the VPC:
   • Name: enigma-security-vpc
   • Description: “Dedicated VPC for Enigma security monitoring”
   • Subnet creation mode: Custom
4. Add a subnet:
   • Name: enigma-collector-subnet
   • Region: Same as your existing workload subnets
   • IP address range: Choose a non-overlapping CIDR block
5. Click Create

2. Configure VPC Peering

1. Go to VPC network > VPC network peering
2. Click Create connection
3. Configure the first peering connection:
   • Name: workload-to-security-peering
   • Your VPC network: Your existing workload VPC
   • VPC network to peer with: enigma-security-vpc
   • Import/Export custom routes: Enabled
4. Click Create
5. Create the reverse peering connection:
   • Name: security-to-workload-peering
   • Your VPC network: enigma-security-vpc
   • VPC network to peer with: Your existing workload VPC
   • Import/Export custom routes: Enabled
6. Click Create

3. Create Collector VM Instance

1. Go to Compute Engine > VM instances
2. Click Create instance
3. Configure the instance:
   • Name: enigma-collector
   • Region/Zone: Same as your workload VMs
   • Machine type: e2-medium (minimum recommended)
   • Boot disk: Ubuntu 20.04 LTS, CentOS 7, or Rocky Linux 8
   • Network: enigma-security-vpc
   • Subnetwork: enigma-collector-subnet
4. Click Create

4. Install Enigma Agent

1. SSH into the collector VM
2. Install the Enigma agent as described in Option 1, Step 3

5. Configure Packet Mirroring

1. Go to VPC network > Packet mirroring
2. Click Create packet mirroring policy
3. Configure the policy:
   • Name: enigma-traffic-mirror
   • Region: Same as your VM instances
   • Network: Your workload VPC
   • Source: Your workload subnet(s)
   • Mirrored traffic: All traffic (or configure filters as needed)
   • Collector: The Enigma collector VM (in the security VPC)
4. Click Create

Option 3: Multi-Region Deployment (Global Coverage)

1. Identify Regions for Deployment

First, identify all regions where you have workloads that need monitoring:

1. Make a list of all regions with active workloads
2. Note the VPC networks and subnets in each region
3. Plan collector subnet CIDR blocks for each region

2. Create Regional Collector Subnets

For each region:

1. Navigate to VPC network > VPC networks
2. Select your VPC and go to the Subnets tab
3. Click Add subnet
4. Configure the subnet:
   • Name: enigma-collector-subnet-REGION (replace REGION with region name)
   • Region: The specific region
   • IP address range: Choose an available CIDR block
5. Click Create

3. Create Regional Collector VM Instances

For each region:

1. Go to Compute Engine > VM instances
2. Click Create instance
3. Configure the instance:
   • Name: enigma-collector-REGION
   • Region/Zone: The specific region
   • Machine type: e2-medium (minimum recommended)
   • Boot disk: Ubuntu 20.04 LTS, CentOS 7, or Rocky Linux 8
   • Network: Your VPC
   • Subnetwork: The regional collector subnet
4. Click Create

4. Install Enigma Agent on Each Collector

For each region:

1. SSH into the collector VM
2. Install the Enigma agent as described in Option 1, Step 3

5. Configure Regional Packet Mirroring

For each region:

1. Go to VPC network > Packet mirroring
2. Click Create packet mirroring policy
3. Configure the policy:
   • Name: enigma-traffic-mirror-REGION
   • Region: The specific region
   • Network: Your VPC
   • Source: The workload subnets in this region
   • Mirrored traffic: All traffic (or configure filters as needed)
   • Collector: The regional collector VM
4. Click Create

Advanced Configuration Options

Load Balancer for High Availability

For production environments requiring high availability, you can deploy collectors behind a load balancer:

1. Create a managed instance group with multiple collector VMs
2. Configure a health check
3. Set up an internal load balancer
4. Point the packet mirroring to the load balancer instead of individual VMs

Firewall Rules

To secure your Enigma deployment, configure these recommended firewall rules:

1. Allow Enigma collector outbound access:
   • Direction: Egress
   • Targets: Instances with enigma-collector tag
   • Destination: 0.0.0.0/0
   • Protocols and ports: TCP:443
2. Allow SSH access to Enigma collector:
   • Direction: Ingress
   • Targets: Instances with enigma-collector tag
   • Source: Your admin workstations or bastion host
   • Protocols and ports: TCP:22

IAM Permissions

Ensure the service account used by the Enigma collector has:

• Compute Network Viewer role
• Logs Writer role

6. Install the Enigma Agent

Based on the VM’s OS please use one of the following docs to install Enigma Agent on the VM:

• Ubuntu/Debian Agent Install

7. Access the Enigma AI Dashboard

After installation is complete, you’ll need to set up access to the Enigma AI dashboard:

1. Contact your Enigma account representative to provide email addresses for users who need dashboard access
2. Users will receive account setup instructions via email
3. Follow the instructions to set up multi-factor authentication (MFA)
4. Log in to the Enigma AI dashboard at https://enigmaai.net/

Verification Steps

1. Check VM Status:
   • Ensure all collector VMs are running
   • Verify they can access the internet
2. Verify Agent Installation:
   • SSH into collector VMs
   • Check the Enigma agent logs: sudo tail -f /opt/enigma/log/capture.log
   • Look for successful packet captures and processing
3. Verify Packet Mirroring:
   • Go to VPC network > Packet mirroring
   • Check that your policy status is “Running”
   • Ensure there are no errors in the status details
4. Access the Enigma Dashboard:
   • Log in to the Enigma AI dashboard at https://enigmaai.net/
   • Verify that data is being received

Common Issues and Solutions

1. No Traffic in Dashboard:
   • Verify packet mirroring is correctly configured
   • Check that the collector VM has internet access
   • Ensure the Enigma agent is running properly
2. Agent Installation Failures:
   • Verify your VM has internet access
   • Ensure you’re using a supported OS version
   • Check you have sufficient permissions
3. Packet Mirroring Errors:
   • Verify subnet and region configurations match
   • Check VPC peering status (for Option 2)
   • Ensure firewall rules allow mirrored traffic
4. VPC Peering Issues:
   • Verify both sides of the peering are active
   • Check for overlapping IP ranges
   • Ensure routing is properly configured