This page explains how to configure and manage the mirroring endpoint groups in the consumer's account to represent the producer's mirroring deployment groups.
We recommend that you create the mirroring endpoint group in a project owned by your security administrator. To create the mirroring endpoint group associations, the security administrator must assign the Mirroring Endpoint Admin (roles/networksecurity.mirroringAdmin) and Mirroring Endpoint Network Admin (roles/networksecurity.mirroringEndpointNetworkAdmin) roles to the project or to the network administrator.
If you have enabled the mirroring rule action as MIRROR in the firewall policy associated with your Virtual Private Cloud (VPC) network, and created the mirroring endpoint group associations, the mirrored traffic is forwarded to the mirroring endpoint group.
Before you begin
- You must enable the Compute Engine API in your Google Cloud project.
- You must enable the Network Security API in the Google Cloud project that you want to use for billing.
- Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
- You must have a mirroring deployment group.
Roles
To get the permissions that you need to create, view, or delete mirroring endpoint groups, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your Google Cloud project. For more information about granting roles, see Manage access to projects, folders, and organizations.
To check the progress of the operations listed on this page, make sure that your user role has the Mirroring Endpoint Admin (roles/networksecurity.mirroringEndpointAdmin) and Mirroring Deployment User (roles/networksecurity.mirroringDeploymentUser) roles and permissions.
The Mirroring Deployment User role (roles/networksecurity.mirroringDeploymentUser) is required on the producer project so that you can connect the consumer's mirroring endpoint group to the producer's mirroring deployment group.
Quotas
To view quotas associated with mirroring endpoint groups, see Quotas and limits.
Create a mirroring endpoint group
Create a mirroring endpoint group in a specific zone.
Console
- In the Google Cloud console, go to the Endpoint groups page.
- Click Create endpoint group.
- For Name, enter a name for the mirroring endpoint group.
- For Deployment group, select any one of the following:
  - Select project: select if you know the project name where the mirroring deployment group exists. If you select this option, select the name of the project.
  - Select current project: select if the mirroring deployment group exists in the current project. If you select this option, specify the name of the mirroring deployment group.
  - Manually enter deployment group: select if the mirroring deployment group exists in a different project. If you select this option, specify the project ID and the name of the mirroring deployment group.
- Click Continue.
- Optional: Click Add endpoint group association. Specify the name of the project and the name of the VPC network that hosts the mirroring endpoint group, and then click Done.
- Click Create.
gcloud
To create a mirroring endpoint group, use the gcloud network-security mirroring-endpoint-groups create command:
gcloud network-security mirroring-endpoint-groups create ENDPOINT_GROUP \
    --location global \
    --project PROJECT_NAME \
    --mirroring-deployment-group DEPLOYMENT_GROUP \
    --no-async
Replace the following:
- ENDPOINT_GROUP: the name of the mirroring endpoint group
- PROJECT_NAME: the project name where you want to create the mirroring endpoint group
- DEPLOYMENT_GROUP: the name of the mirroring deployment group
To associate the mirroring endpoint group to a VPC network, see Create and manage mirroring endpoint group associations.
Terraform
To create a mirroring endpoint group, you can use a google_network_security_mirroring_endpoint_group resource.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
View a mirroring endpoint group
You can view the details of a specific mirroring endpoint group.
Console
- In the Google Cloud console, go to the Endpoint groups page.
- Click the name of the mirroring endpoint group.
gcloud
To view details of a mirroring endpoint group, use the gcloud network-security mirroring-endpoint-groups describe command:
gcloud network-security mirroring-endpoint-groups \
    describe ENDPOINT_GROUP \
    --location global
Replace ENDPOINT_GROUP with the name of the mirroring endpoint group.
List mirroring endpoint groups
You can list all the mirroring endpoint groups in a project.
Console
To see all mirroring endpoint groups of the project, complete the following steps:
- In the Google Cloud console, go to the Endpoint groups page.
- To list the mirroring endpoint groups, click filter_list Filter.
- From the Properties list, select Purpose and then for Value, select NSI out-of-band.
gcloud
To list all mirroring endpoint groups, use the gcloud network-security mirroring-endpoint-groups list command:
gcloud network-security mirroring-endpoint-groups list \
    --project PROJECT_NAME \
    --location global
Replace PROJECT_NAME with the name of the project where the mirroring endpoint group was created.
Delete a mirroring endpoint group
You can delete a mirroring endpoint group by specifying its name, location, and project.
Console
- In the Google Cloud console, go to the Endpoint groups page.
- Select the checkbox of the mirroring endpoint group and click Delete.
- Click Delete again to confirm.
gcloud
To delete a mirroring endpoint group, use the gcloud network-security mirroring-endpoint-groups delete command:
gcloud network-security mirroring-endpoint-groups delete ENDPOINT_GROUP \
    --project PROJECT_NAME \
    --location global \
    --no-async
Replace the following:
- ENDPOINT_GROUP: the name of the mirroring endpoint group.
- PROJECT_NAME: the project name where the mirroring endpoint group was created.
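The following script is an added example, not part of this page or of the gcloud CLI, that wraps the create, describe, list, and delete commands shown above in shell functions so that the whole lifecycle of a mirroring endpoint group can be run from one place. It validates resource names before they reach the command line, and it reads the gcloud binary from a GCLOUD variable so the commands can be previewed with GCLOUD=echo before running them for real. The GCLOUD variable, the function names, the sample values (eg-consumer, consumer-proj, producer-dg) and the assumption that the endpoint group's describe output carries a state field are all assumptions introduced here, not taken from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the Google Cloud page): shell wrappers around the
# gcloud network-security mirroring-endpoint-groups commands.
# Assumptions (hypothetical): GCLOUD may be overridden (GCLOUD=echo previews
# the commands); the describe output has a "state" field.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Google Cloud resource names: lowercase letters, digits and hyphens,
# 1-63 characters, starting with a letter and not ending with a hyphen.
# Rejecting bad input early gives a clear error instead of an API failure
# and keeps the value safe to splice into a command line.
valid_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# $1 endpoint group, $2 consumer project, $3 mirroring deployment group
create_endpoint_group() {
  valid_name "$1" || { echo "invalid endpoint group name: $1" >&2; return 1; }
  "$GCLOUD" network-security mirroring-endpoint-groups create "$1" \
    --location global \
    --project "$2" \
    --mirroring-deployment-group "$3" \
    --no-async
}

# $1 endpoint group, $2 consumer project
describe_endpoint_group() {
  "$GCLOUD" network-security mirroring-endpoint-groups describe "$1" \
    --project "$2" \
    --location global
}

# $1 consumer project; prints one line per endpoint group in the project
list_endpoint_groups() {
  "$GCLOUD" network-security mirroring-endpoint-groups list \
    --project "$1" \
    --location global
}

# $1 endpoint group, $2 consumer project
delete_endpoint_group() {
  valid_name "$1" || { echo "invalid endpoint group name: $1" >&2; return 1; }
  "$GCLOUD" network-security mirroring-endpoint-groups delete "$1" \
    --project "$2" \
    --location global \
    --no-async
}

# Full lifecycle: create, confirm the group is visible, list, delete.
# $1 endpoint group, $2 consumer project, $3 mirroring deployment group
run_lifecycle() {
  create_endpoint_group "$1" "$2" "$3"
  # Assumed field: state is expected to read ACTIVE once creation finished.
  describe_endpoint_group "$1" "$2"
  list_endpoint_groups "$2"
  delete_endpoint_group "$1" "$2"
}

# Usage (sample values are constructed):
#   GCLOUD=echo ./endpoint-groups.sh   # preview only
#   RUN_DEMO=1 ./endpoint-groups.sh    # run against the real project
if [ "${RUN_DEMO:-}" = 1 ]; then
  run_lifecycle eg-consumer consumer-proj producer-dg
fi
```

Because every function reads GCLOUD at call time, setting GCLOUD=echo turns the script into a dry run that prints the exact commands that would be executed, which is a cheap way to review the project and deployment group arguments before the security administrator runs it with real credentials.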