This article covers the integration of Kentik with the Google Cloud Platform (GCP).
Combining GCP and on-prem resources into a hybrid cloud
Note: See the Cloud Overview for an introduction to Kentik cloud setup.
Process Overview
Integrating GCP with Kentik involves setting up both the GCP environment and the Kentik portal to collect metadata, flow logs, Cloud Run logs, or metrics from Virtual Private Clouds (VPCs). Here's how the process works:
Activate flow logs for desired VPC subnets and set up log export to a cloud Pub/Sub topic.
Create and grant access to a pull subscription for Kentik to request entries from the Pub/Sub topic.
Follow the steps in Grant Metadata Access (GCP) to display your GCP resources in the Kentik Map.
Configure a new "cloud export" to ingest data from GCP.
Once the setup is complete, you can use the Kentik portal to:
Monitor your GCP network traffic.
Visualize resource utilization.
Gain insights for optimizing network performance and enhancing security monitoring.
Note: See Google’s Cloud VPC Documentation for more details:
Logging Setup (GCP)
To set up flow log export from GCP, follow these topics.
Process Options
GCP users can set up flow logs and cloud Pub/Sub using:
GCP Console: Manage resources through a UI (see GCP Console).
gcloud compute: A command-line tool for resource management (see gcloud compute).
Compute Engine API: A REST API for creating and running VMs (see Compute Engine API).
Note: This guide covers the use of the GCP console only.
Enable VPC Flow Logs
To enable VPC flow logs for existing subnets in GCP:
Ensure the current project is selected in the console.
Click the menu icon and go to Networking » VPC Network » VPC Networks
Find and click the subnet (e.g., "default") you want to monitor.
On the Subnet details page, click Edit.
Set the flow logs to “On”.
Click Configure Logs, then check Include metadata to allow Kentik to ingest flow logs
Adjust these settings as needed:
Aggregation interval: Any interval is supported
Sample rate: Adjust between 0% and 100%. Default is 50%.
Note: Check Estimated logs generated per day for cost impact
Click Save.
Note: For more details, see Google’s Cloud VPC Documentation:
Create a New Topic
To configure logging and create a new Pub/Sub topic in GCP:
Ensure you're in the correct project, then click the menu icon and go to Operations » Logging » Logs Router
Click Create Sink, then enter a Name and Description under Sink details.
In Sink destination, select Cloud Pub/Sub topic as the sink service.
Click Create a Topic, enter a Topic ID (name), and click Create Topic.
In Choose logs to include, enter the filter in Build inclusion filter:
resource.type="gce_subnetwork" AND log_id("compute.googleapis.com/vpc_flows")
Click Preview Logs to open Logs Explorer in a new tab and view the logs included in the sink.
If logs are incorrect, adjust the inclusion filter. If correct, click Next.
Optional: If you need to exclude specific logs, see the Google documentation on Creating a Sink.
Click Create Sink to finish and return to the Logs Router page. The new sink will be listed and you can edit it via the Edit Sink option.
Notes:
Consider a more restrictive filter to reduce costs (e.g., specific port, protocol, subnet). See the Google documentation on Networking queries.
For more details, see Google’s Cloud VPC documentation on Overview of Logs Export and Exporting with the Logs Viewer.
Create a Pull Subscription
To set up a “pull” subscription for Kentik’s flow log collection:
Ensure you're in the correct project where the logging topic was created.
Click the menu icon on the main navbar, go to the Big Data section and choose Pub/Sub » Topics.
In the left-hand pane, find your topic and click the More icon (vertical dots) next to it.
Choose Create Subscription from the submenu.
Configure the subscription:
Subscription ID: Enter a unique name (no spaces)
Delivery type: Select “Pull”
Configure other properties as needed (refer to Google’s documentation for details)
Click Create. A confirmation popup will appear, and you'll be directed to the Subscription Details page.
Note: For more information, see Google’s Cloud VPC documentation:
Set Permissions
To allow Kentik access to your Google Cloud subscription for flow logs, follow these steps:
Ensure you're in the correct project (see Create a Pull Subscription).
Go to the Subscriptions page via the menu Big Data » Pub/Sub » Subscriptions.
Find and click the checkbox for the topic you created. Permissions will appear on the right.
Click Add Member and enter [email protected] in the New members field.
From the Role drop-down, find "Pub/Sub", then choose “Pub/Sub Subscriber.”
Click Add Another Role, then repeat, this time choosing “Pub/Sub Viewer.”
Click Save to confirm. A popup will indicate success.
Note: For more information, see Google’s Cloud VPC documentation on Permissions and roles.
Grant Metadata Access (GCP)
To display your GCP resources in the Kentik Map, grant metadata access to Kentik by following these steps:
Ensure you’re in the correct project (see Logging Setup (GCP)).
Go to IAM & Admin » IAM via the sidebar menu.
Click Grant Access to open the drawer
Enter [email protected] in the Add Principals field.
In the Assign Roles field, select Compute Viewer (not Compute Network Viewer).
Click Save to confirm and return to the Permissions tab.
In the View by Principals tab, ensure the service account is listed with the “Compute Viewer” role.
Notes:
Ensure you have compute.networks.list and resourcemanager.projects.setIamPolicy permissions for the Google project.
For projects in a folder structure, add the service account [email protected] as Principal at the top-level folder and assign the “Compute Viewer” role to allow nested projects to inherit permissions.
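A check for the two permission procedures above (Set Permissions and Grant Metadata Access), added here as an example and not Kentik's own code: it reads IAM policies exported with `gcloud pubsub subscriptions get-iam-policy` and `gcloud projects get-iam-policy` (both with `--format=json`) and reports roles that are missing, beyond what this guide grants, or bound to public members. The principal is a placeholder because the address is obfuscated on this page, and the sample policies are constructed.

```python
import json

# Placeholder principal: the address is obfuscated on this page, so use the
# service account shown in your own Kentik setup instructions.
KENTIK = "serviceAccount:KENTIK_SERVICE_ACCOUNT@example.invalid"
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

# Role IDs behind the console names used in the steps above.
EXPECTED = {
    "subscription": {"roles/pubsub.subscriber", "roles/pubsub.viewer"},
    "project": {"roles/compute.viewer"},
}


def audit(level, policy, member=KENTIK):
    """Compare one IAM policy with the roles this guide grants at that level.

    Only bindings set directly on the resource are visible here; roles
    inherited from a folder or organization need their own policy dump.
    """
    bindings = policy.get("bindings", [])
    granted = {b["role"] for b in bindings if member in b.get("members", [])}
    public = {b["role"] for b in bindings if PUBLIC & set(b.get("members", []))}
    return {
        "missing": sorted(EXPECTED[level] - granted),
        "excess": sorted(granted - EXPECTED[level]),
        "public": sorted(public),
    }


# Constructed sample policies, shaped like `get-iam-policy --format=json` output.
SUBSCRIPTION_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/pubsub.subscriber",
   "members": ["serviceAccount:KENTIK_SERVICE_ACCOUNT@example.invalid"]},
  {"role": "roles/pubsub.viewer", "members": ["allAuthenticatedUsers"]}
]}""")
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/compute.networkViewer",
   "members": ["serviceAccount:KENTIK_SERVICE_ACCOUNT@example.invalid"]},
  {"role": "roles/owner", "members": ["user:admin@example.invalid"]}
]}""")

if __name__ == "__main__":
    print("subscription:", audit("subscription", SUBSCRIPTION_POLICY))
    print("project:     ", audit("project", PROJECT_POLICY))
```

The constructed project policy reproduces the mistake the guide warns about: Compute Network Viewer granted in place of Compute Viewer shows up as one missing and one excess role.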
Create a Kentik Cloud Export
To create a GCP cloud export in the Kentik portal, follow these steps.
Navigate to Settings » Public Clouds.
Click Create Cloud Export.
Click GCP Cloud.
Under Observability Features, select the data types to collect:
Metadata collection (Required): Automatically selected.
Flow log collection: Select to collect flow logs.
GCP Cloud Run Log Collection: Select to create a second cloud export dedicated to collecting Cloud Run Logs (see Google's Cloud Run Logging docs).
Cloud metrics history: Select to collect GCP metrics.
Click the green arrow to proceed.
Specify the GCP project ID with the Cloud Pub/Sub topic you created for publishing flow logs from your VPC subnets (see Create a New Topic).
Provide the subscription name you created for Kentik to subscribe to your Pub/Sub topic (see Create a Pull Subscription).
Click the green arrow to proceed.
Enter a cloud export name and description or accept the default.
Choose the appropriate Kentik billing plan for the cloud export from the dropdown.
Click Save to finalize the cloud export and return to the Public Clouds page, where the new export will be listed.
The Public Clouds page lists the clouds registered with Kentik.
Check the status of your GCP cloud:
From the Cloud Config Status pane, click View Details to open the GCP Configuration Status page.
Check for any configuration errors (red circles).
Click an export to open the Config Status Details drawer
Note: Flow status for metadata-only exports always shows a red circle, since these exports do not have flow or sampling.
Error reported for a cloud export that's missing permissions for metadata access.
Using Your Cloud Export
Once the setup process is complete, you can view and utilize your cloud export in Kentik:
Cloud Exports List:
Go to Settings » Public Clouds to see the updated list of cloud exports.
A new cloud export will be listed, representing the VPC subnets whose logs are pulled from the specified subscription.
Devices Column:
Each VPC subnet sending flow logs is listed as a cloud device.
Devices are named after their respective VPC subnet.
These names can be used as group-by and filter values in Kentik queries using the Device Name dimension.
Metadata and Mapping:
The collected metadata, such as routing tables, security groups, and ACLs, enables Kentik to automatically map and visualize the topology of your GCP resources in the Kentik Map.
GCP Endpoints Lists
Kentik needs permission to access selected GCP endpoints on your behalf in order to collect metadata and metrics, as detailed in the following lists.
GCP Metadata Endpoints
@google-cloud/compute:
BackendServicesClient
ExternalVpnGatewaysClient
FirewallsClient
ForwardingRulesClient
GlobalForwardingRulesClient
GlobalNetworkEndpointGroupsClient
HealthChecksClient
InstancesClient
InstanceGroupsClient
InterconnectsClient
InterconnectAttachmentsClient
NetworksClient
NetworkEndpointGroupsClient
NetworkFirewallPoliciesClient
ProjectsClient
RegionsClient
RegionBackendServicesClient
RegionHealthChecksClient
RegionHealthCheckServicesClient
RegionInstanceGroupsClient
RegionNetworkEndpointGroupsClient
RegionNetworkFirewallPoliciesClient
RegionSecurityPoliciesClient
RegionTargetHttpProxiesClient
RegionTargetHttpsProxiesClient
RegionTargetTcpProxiesClient
RegionUrlMapsClient
RoutersClient
RoutesClient
SubnetworksClient
TargetGrpcProxiesClient
TargetHttpProxiesClient
TargetHttpsProxiesClient
TargetInstancesClient
TargetSslProxiesClient
TargetTcpProxiesClient
TargetPoolsClient
TargetVpnGatewaysClient
UrlMapsClient
VpnGatewaysClient
VpnTunnelsClient
ZonesClient