Best practices for Cloud IDS


Cloud IDS is an intrusion detection service that provides threat detection for intrusions, malware, spyware, and command-and-control attacks on your network. Cloud IDS uses a resource known as an IDS endpoint, a zonal resource that can inspect traffic from any zone in its region. Each IDS endpoint receives mirrored traffic and performs threat detection analysis. This page provides best practices for configuring Cloud IDS.

Deploying IDS endpoints

  • Create an IDS endpoint in each region that you want to monitor using Cloud IDS. You can create multiple IDS endpoints for each region.
  • Allow up to 20 minutes for endpoint creation: during that time Cloud IDS creates and configures the firewalls that back the endpoint.
  • During IDS endpoint creation, you must choose the minimum alert severity; threats below that level are not reported. For maximum visibility, we recommend the informational level, which is the lowest setting.
  • If you create a packet mirroring policy from the Packet Mirroring page in the Google Cloud console, ensure that you select Allow both ingress and egress traffic, so that Cloud IDS inspects both directions of every mirrored flow.
  • You do not need to select this option when you configure the policy from the Cloud IDS page, because that page enables it automatically.

Attaching packet mirroring policies

  • Attach more than one packet mirroring policy to an IDS endpoint when you want to mirror traffic from multiple sources, such as subnets, instances, or network tags. You can only mirror traffic from subnets that exist in the same region as the IDS endpoint.
  • Mirror only the subnets whose traffic you actually need inspected; every mirrored flow counts against the endpoint's inspection capacity.

Consider the throughput of your Virtual Private Cloud (VPC) network

  • Each IDS endpoint has a maximum inspection capacity of 5 Gbps. We recommend that you measure the peak throughput of the traffic you intend to mirror in each region and create enough IDS endpoints in that region to service all of it, splitting the mirrored sources across the endpoints.
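As an added example (not from this page or from Google's Cloud IDS documentation), the following bash script sizes a region and runs the steps above with gcloud: it computes how many 5 Gbps endpoints a measured peak needs, creates each endpoint with the informational severity, distributes the region's subnets across the endpoints so no subnet is mirrored twice, and attaches packet mirroring policies that mirror both directions. The project, network, zone, subnet and tag names, the 12000 Mbps peak and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default) the script prints the gcloud commands instead of running them, and the forwarding-rule path it uses in that mode is a placeholder for the value that gcloud ids endpoints describe returns.

```shell
#!/usr/bin/env bash
# Added example, not Cloud IDS documentation code. All names below are
# constructed placeholders; override them in the environment for real use.
set -eu

PROJECT="${PROJECT:-example-project}"   # assumption: placeholder project ID
NETWORK="${NETWORK:-prod-vpc}"          # assumption: placeholder VPC name
REGION="${REGION:-us-central1}"
ZONES="${ZONES:-us-central1-a us-central1-b us-central1-c}"   # endpoints are zonal
SUBNETS="${SUBNETS:-app-subnet db-subnet web-subnet mgmt-subnet}"  # assumption: subnets in REGION
PEAK_MBPS="${PEAK_MBPS:-12000}"         # assumption: measured peak for this region
ENDPOINT_CAP_MBPS=5000                  # 5 Gbps inspection capacity per endpoint
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print gcloud commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Endpoints needed so that aggregate capacity >= peak (integer ceiling of peak/5000).
endpoints_needed() {
  local mbps="$1"
  echo $(( (mbps + ENDPOINT_CAP_MBPS - 1) / ENDPOINT_CAP_MBPS ))
}

# The i-th zone of ZONES (wrapping), so endpoints are spread across the region's zones.
zone_for() {
  local i="$1"
  set -- $ZONES
  shift $(( i % $# ))
  echo "$1"
}

# Comma-separated subnets assigned round-robin to endpoint i of n; each subnet
# lands on exactly one endpoint so its traffic is mirrored only once.
subnets_for() {
  local i="$1" n="$2" j=0 out="" s
  for s in $SUBNETS; do
    if [ $(( j % n )) -eq "$i" ]; then out="${out:+$out,}$s"; fi
    j=$(( j + 1 ))
  done
  echo "$out"
}

# Create one endpoint with the lowest (informational) minimum alert severity.
# Without --async this blocks until the endpoint is ready (allow up to 20 minutes).
create_endpoint() {
  local name="$1" zone="$2"
  run gcloud ids endpoints create "$name" \
    --project="$PROJECT" --network="$NETWORK" --zone="$zone" \
    --severity=INFORMATIONAL
}

# The endpoint's forwarding rule is the collector that mirroring policies attach to.
endpoint_collector() {
  local name="$1" zone="$2"
  if [ "$DRY_RUN" = "1" ]; then
    echo "projects/$PROJECT/regions/$REGION/forwardingRules/$name-fr"   # placeholder
  else
    gcloud ids endpoints describe "$name" --project="$PROJECT" --zone="$zone" \
      --format='value(endpointForwardingRule)'
  fi
}

# Attach a policy that mirrors both ingress and egress traffic to the collector.
# source_flag is --mirrored-subnets, --mirrored-instances or --mirrored-tags.
create_mirror_policy() {
  local name="$1" collector="$2" source_flag="$3" sources="$4"
  run gcloud compute packet-mirrorings create "$name" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK" \
    --collector-ilb="$collector" "$source_flag=$sources" \
    --filter-direction=both
}

main() {
  local n i name zone collector subs
  n=$(endpoints_needed "$PEAK_MBPS")
  echo "# ${REGION}: peak ${PEAK_MBPS} Mbps needs ${n} endpoint(s) of ${ENDPOINT_CAP_MBPS} Mbps"
  i=0
  while [ "$i" -lt "$n" ]; do
    name="ids-${REGION}-${i}"
    zone=$(zone_for "$i")
    create_endpoint "$name" "$zone"
    collector=$(endpoint_collector "$name" "$zone")
    subs=$(subnets_for "$i" "$n")
    if [ -n "$subs" ]; then
      create_mirror_policy "${name}-subnets" "$collector" --mirrored-subnets "$subs"
    fi
    i=$(( i + 1 ))
  done
  # A second policy on the first endpoint: instances selected by network tag.
  collector=$(endpoint_collector "ids-${REGION}-0" "$(zone_for 0)")
  create_mirror_policy "ids-${REGION}-0-tagged" "$collector" --mirrored-tags "mirror-to-ids"
}

main
```

Run it with DRY_RUN=1 first and review the printed commands; the subnet split is what keeps a 12 Gbps region from sending all of its traffic to a single 5 Gbps endpoint.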
