Training v1.4
• Please take note that this training material is not meant to be comprehensive and should be used in conjunction with the following documentation:
• GCC Customer Handbook
[Diagram: hosting landscape. Government on DataCentre (GDC), Commercial Cloud (CSP Systems and GCC Systems) and Government Private Cloud (GPC Systems) each expose Internet Services and Intranet Services; the Intranet Services connect through the Government Network to Agency Users and Agency DataCentre Systems.]
8 RESTRICTED – Do not forward/distribute. For Internal Government Use Only.
Copyright of GovTech © Not to be reproduced unless with explicit consent by GovTech.
System classification framework
Old framework -> New framework
Secret -> Secret
Confidential -> Confidential
Restricted -> Restricted (amended to permit a larger number of systems on Commercial Cloud)
Unclassified -> Official (Closed) and Official (Open) / Unclassified
Systems eligible to be hosted on commercial cloud: Restricted and Unclassified under the old framework; Restricted, Official (Closed) and Official (Open) / Unclassified under the new framework.
• Base Services includes the following:
  1. Cloud Management Portal (CMP)
  2. Access Management
  3. Identity and Authentication Management
  4. Network Connectivity & Security
  5. Central Services
  6. Operational Support
• Optional services to support additional requirements above the Base Services:
  1. Customer Network Compartment
  2. Additional Jumphosts
  3. Account Creation in CSP Portal for Administration
  4. Professional Service for CASB
• Optional services to support ongoing operation of Agency systems:
  1. Facilities Management Service (Application, Database & Network Server)
  2. Monitoring of Web Defacement
2 Access Management
• Provide access accounts to CMP, CSP, CASB, GCCS Jumphosts and CloudCheckr
• Provide VPN accounts (for Internet Devices) for remote administration of Agency's subscribed cloud resources and services via GCCS Jumphosts
4 Network Connectivity & Security
• Provide secure connectivity between Government network and GCC for
  • Inter-system communication
  • Agency staff access to Intranet applications hosted on GCC using GSIB
• Provide connectivity for administration of systems from Government network and Internet
• Provide compartments*, gateways and peering
• Allocation of private IP Addresses
3 Additional Jumphost
Allows Agencies to subscribe for additional Jumphosts on top of the default number provided in each customer network compartment
[Figure: CMP overview with callouts 1 to 4. Caption: Allows agency to subscribe and manage GCC Services]
2 User Management
• To assign users with rights to perform the various roles in CMP
• To create and manage Cloud ID, VPN ID and Jump Host ID required for administration of subscribed CSP services*
3 IaaS Management
• To set up and manage CSP subscriptions, accounts, roles, compartments, Jump Hosts
• Assignment of Jump Host IDs and VPN ID users
• To manage Cloud Service Provider account, compartment and Jump Host
4 Central Services (CS)
• To monitor OS patch level compliance of hosted VMs, and compartment changes
7 Cloud Cost Monitoring
• To monitor cloud cost optimization and asset inventory
[Role matrix; column headers not recovered]
Agency Manager: NA, No, No, No, No
Additional Roles:
SIRO: No, No, No, NA, No
Finance Executive: No, No, No, No, NA
• Commercial Cloud (CC) Services are services provided by Cloud Service Providers (CSPs) like AWS, Azure and Google
• CC Services are subscribed through the CSP's portal
2 VPN ID
• To connect to GCCS VPN from an Internet Device (AAD Premium P2) to access CSP and Jumphost
3 Jumphost ID
• To access Jumphost to perform remote administration of workload
[Table columns for other device types not recovered; one column shows Nil for Jumphost ID]
Internet Device, connecting via GCCS VPN over Internet, requires:
• VPN ID
• Jumphost ID
• 2 Factor Authentication
• One of the following: Windows 10 Professional / Enterprise version 1809 and above; OS X 10.5 Leopard and above
AWS
• CloudWatch: Captures system logs for workload. Agencies are required to install CloudWatch agents and configure a log group in CloudWatch.
• S3 Bucket: Provides Central Log Repository with 1 year retention for Agencies to pipe their log files. Agencies are to run an AWS CLI command to set the log group subscription to the GCCS Centralized Log Repository.
Azure
• Azure Activity Logs: Provides insight into subscription-level events that have occurred in Azure. GCC's contractor will pipe this to the GCCS Centralized Log Repository by default.
• Log Analytics Workspace: Captures system logs for workload; stores logs in the OMS Repository for up to 30 days. Agencies are required to install Log Analytics agents, and create and configure a Log Analytics Workspace.
• Azure Storage: Provides Central Log Repository with 1 year retention for Agencies to pipe their log files. Agencies are required to raise an SR to GCC's Contractor to add a custom log.
Steps Description
1 Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2 In the navigation pane, choose Logs.
3 Choose Actions, Create log group.
4 Enter the log group name (e.g. cwl-10001003-FlowLogs), and choose Create log group.
Type Details
Definition of the variables:
LogGroupName: Log Group to be piped
FilterName: Create Filter Name to filter log
FilterPattern: Set Filter Pattern (an empty pattern forwards every event in the log group)
DestinationArn: arn:aws:logs:ap-southeast-1:786657745590:destination:cwd-100002-CentralLog-AllLogs
Example of aws cli:
aws logs put-subscription-filter --log-group-name "cwl-10001003-FlowLogs" --filter-name "cwl-10001003-FlowLogs" --filter-pattern "" --destination-arn arn:aws:logs:ap-southeast-1:786657745590:destination:cwd-100002-CentralLog-AllLogs
3. Installation of CloudWatch Agent
Steps Description
1 Download the CloudWatch Agent package from AWS
2 Ensure the EC2 instances have IAM roles for the CloudWatch Agent
[Accessing the AWS central log repository; steps partially recovered]
1 Upon login to AWS Console using the user's GCC Account, switch Role to the AWS Centralize Log Repository Account using these credentials:
  Account: gov-gcc-centralizelog
  Role: iamr-U-<<Customer Account Name>>
  Example:
  Account: gov-gcc-centralizelog
  Role: iamr-U-gcc1-aws-08-isk-aws-gcc
2 Access S3 with bucket name sst-gcci-centralizelog-prod
4 User is able to view the list of logs and download logs under the respective folder
[Azure Log Analytics Workspace setup; steps partially recovered]
2 Select "Create New" and enter the Log Analytics Workspace Name (e.g. MyWorkSpace)
5 Go to Data and select the logs that are required to pipe to Azure Storage
2 GCC Contractor will set up to query the logs and pipe them to the GCCS Centralized Log Repository.
[Accessing the Azure Storage central log repository; steps partially recovered]
Steps Description
4 Go to Containers.
6 User is able to view the list of logs and download logs in the respective container.
2 GCC Contractor will set up to query the logs and pipe them to the GCCS Centralized Log Repository.
2 Compartment Changes: Detects any changes in network compartment configurations that do not comply with GCCS policy
Network compartment configurations monitored per CSP:
• AWS: Network ACLs (NACL), Route Table
• Azure: Network Security Group (NSG), User Defined Routing
• GCP: Firewall Rule, Route Table
Patch Monitoring Agents (1/2)
Agencies are required to install the following agents on their VM instances in order for the Patch Monitoring service to monitor the VM instance patch status
CSP Agent details
AWS: Agent Required: SSM Agent
[Screenshot callout: To view the Compartment Change status for AWS, Azure & GCP, click on the action button]
• Published in a centralised report repository where the agency can download the reports in PDF and/or CSV format
[Report list; frequency (Regular / Ad-hoc) and role (AM / AA) columns not fully recovered]
16 Azure MFA Success Report: Details of successful MFA logins for Azure AD accounts (Regular; AM & AA)
17 Customer Adoption: Information on newly created projects for the month (Ad-hoc)
18 Jumphost Availability Report: Information on GCC provisioned Jumphosts uptime
[Screenshot callout: 1. Go to Report > Regular Report or Ad Hoc Report]
• The working hours are Mondays to Fridays from 08:00 AM to 06:00 PM SGT (excluding weekends and Public Holidays)
• For Requests with / without approval, an approval / submission outside of the working hours shall be deemed as having been received by the GCCS Contractor at 8:00am on the next Working Day
[Screenshot callouts]
• To create a Support Request, click Service Management in CMP, then click Support Request > Support Request for CA or AA
• Agency Manager or Agency Admin can approve the Support Request by clicking on Requests > Approvals
  1. Under the Approvals section, click on the "Waiting for my approval" dropdown list
* Agencies have to subscribe to respective CSP Support Plans to request for technical support through their CSP Portals
3g. CSP Support Plan Subscription
All Agencies will be on the AWS Enterprise Support Pooled Plan at no charge to Agencies
[Diagram: GCCS Account - Enterprise]
Agencies are covered under the Enterprise Support Plan till 10 Jan 2021
3
• Failure of a GCCS component which does not affect the normal performance of any system or service; or
• Report of unsuccessful attempt to violate information security or report of unconfirmed security alert or issue
Within 1 hour | Within 8 hours [column headers not recovered]
Illustration:
• Service Consumption Period: between 01 Apr 2019 and 30 Apr 2019
• Billing report will be issued by the 8th of every calendar month (e.g. 8 May 2019)
• Agency are to validate between 8 and 12 May 2019
• GCCS Contractor will issue the Invoice by 18 May 2019
• Agency to make payment by 17 Jun 2019
Notes:
1. GCCS Contractor will perform the billing to Agency for GCCS and CSP services
2. 1 invoice will be issued per CMP billing account
3. Billing reports are available on CMP portal
CMP – Billing Report Download (1/2)
[Diagram: compartment types. Type 0: Management; Type 1: Internet & Intranet; Type 2: Internet only; Type 3: Intranet only. Legend: Provisioned by GCCS / Provisioned by Agencies. Elements shown: WWW, DB, NAT Gateway, VGW, Subnets (Intranet / Internet), Jumphosts (JH), AD, Cloud Mgmt, Admin Intranet Subnet, Admin Internet Subnet, Internet Device, GSIB Device.]
• System Administrators to use AAD Premium P2, VPN, Posture Check and 2FA for access to Jumphost for workload administration
Agencies that require a smaller NetMask (i.e. /23, /22 or /21) are required to seek GovTech approval before raising a Support Request in CMP.
[Diagram: Private Link connectivity between Cloud Exchange, GCC, CLZ Gateway, GDC and Internet Server]
• The Government Enterprise Network (GEN) is connected to the Government Commercial Clouds using Private Link and the Cloud Exchange
Procedure
• Agencies that have not previously onboarded to GPC must first do so
• Agencies already onboarded to GPC can register a new system under "co-location" in the GPC Self-Service Portal (SSP)
• Thereafter subscribe to the GPC SFTP service in the GPC SSP under this new "co-location" system for your GCC system to consume
[Diagram 1: Intranet Client in GPC, GDC2, GDC3 or Agency Datacenter exchanging files with Application System via GPC SFTP. Diagram 2: Internet Client and Intranet Client in GPC, GDC2, GDC3 or Agency Datacenter via GPC SFTP; CSP DNS Service and VM shown. Legend not recovered.]
• Agencies must subscribe to the SG-Mail AMR Service for SMTP Gateway service for Intranet systems
• Agencies can subscribe to the SG-Mail AMR Service by raising a Purchase Order and submitting it to GeBiz
[Diagram label] Agencies who:
• Subscribe to Type 1 or 3 compartments
• Subscribe to SG-Mail AMR Services
• CSP Onboarding
  • To create CSP billing account
  • To access CSP Portal and Jumphost
1) Cloud Management Portal (CMP): https://portal.gcc.gov.sg
2) Microsoft myapps: https://myapps.microsoft.com
3) GCCS Authentication: https://sts.gcc.gov.sg/adfs/ls/idpinitiatedsignon
[Screenshot callouts] Go to Services > Billing
1. Click on CMP Billing Account
2. Click on "+Create"
3. Key in Name
4. Select the Department
5. Click on Request
1a Agency Admin (AA) assigns users to CMP roles
• Agency Manager (AM) and AA are onboarded to CMP via the GCCS Onboarding form submitted by the Agency
1b User sets up MFA to access CMP
• Must use GSIB or GoMAX device to access CMP
• SE2 users are to use GoMAX devices or provision a GSIB without SE2 to access CMP
• Access to CMP will require MFA to be set up
[Screenshot callouts] Go to User Management and click on WOG User
4. Click on Request
It will redirect to the ADFS (Active Directory Federation Service) page to set up the MFA code.
2. Select "Mobile app"
3. Select either one
4. Click Set up
5. Download and launch the Microsoft Authenticator App, then click + Add account
6. Select "work account"
7. Scan the QR code that appears on the ADFS page
1. Key in Billing Account Name
9. Click on Request
After the Service Request has been approved by AM, the CSP Billing Account will be displayed as "Active" under CMP Billing Account.
1. Click on User
Go to Services > IaaS Management > Azure
1. Click on Subscriber
2. The Subscriber List will display the Name, WOG/Cloud ID and Role of the Subscriber.
1. Click on Compartment
2. Compartment will display the Compartment ID, Compartment Name, Compartment Type and Status provisioned in the respective CSP billing account(s)
5. Cloud ID Email is auto generated
6. Click Create
Assign Cloud ID User
The SR will be provisioned once the Agency Manager has approved the request.
1. Click on VPN ID User
2. Click on Create
6. Click on Request
Username will be auto-generated
Service Request is routed to AA for approval
1. Click on VPN ID User Assignment
4. Install WindowsAutoPilotInfo to generate the Device Registration ID and upload output.csv for Device Registration ID
6. Copy down the Passphrase for VPN and download the Client Certificate
Launch the GlobalProtect VPN Client
1. Select VPN portal and click Connect
2. Log in with the assigned VPN User ID
1. After the Password is authenticated, GCC VPN Hub will prompt to select a certificate; click OK
2. The VPN connection is established
Go to Services > User Management
1. Click on Jumphost ID User
2. Click on Create
3. Key in Cloud ID Email
4. Click on Request
Jumphost Username will be auto generated
2. Key in Username and click Filter
Dashboard will list the Username and Compartment ID under the respective CSP billing account
1. Click on Set Up Account using Internet Device
2. Key in Jumphost Username <Jumphost ID>
3. Key in New Password and Confirm new Password
4. Click on Set Password
Follow the instructions on screen to download and install Google Authenticator to set up MFA
• The Jumphost Operating Systems are Windows 2016 Server Datacenter or RedHat Linux with Restricted Bash (RBASH) and are hardened in reference to CIS standards
• To access Windows Jumphosts, the Teradici client is required for the PCoIP protocol. Please note that each Windows Jumphost supports a single user at any one time
• To access Linux Jumphosts, an SSH client (PuTTY) is required. Multiple concurrent sessions are supported on Linux Jumphosts
4. Remote Windows Jumphost will prompt the Login Banner; click OK
5. Key in OpenOTP password and click ->
System Setup
Agency-appointed supplier sets up the system on GCC
System Testing
Agency-appointed supplier performs load tests and security tests on the Agency system
System Go-Live
Agency to prepare the system go-live on GCC as per the migration schedule
• Agency shall create user accounts through CMP for the appointed FM to perform remote admin and subscribe to CSP services