This page provides best practices for configuring Cloud IDS.
Cloud IDS is an intrusion detection service that provides threat detection for intrusions, malware, spyware, and command-and-control attacks on your network. Cloud IDS uses a resource known as an IDS endpoint, a zonal resource that can inspect traffic from any zone in its region. Each IDS endpoint receives mirrored traffic and performs threat detection analysis.
Deploy IDS endpoints
- Create an IDS endpoint in each region that you want to monitor by using Cloud IDS. You can create multiple IDS endpoints for each region.
- Allow up to 20 minutes for Cloud IDS to create and configure firewalls.
- During IDS endpoint creation, you must choose an alert severity level. For maximum visibility, we recommend the informational level.
- If you use the Packet mirroring page in the Google Cloud console to create a packet mirroring policy, ensure that you enable Allow both ingress and egress traffic.
- If you use the Cloud IDS page to configure an IDS endpoint, you do not need to enable Allow both ingress and egress traffic because it is automatically enabled.
You can use Cloud IDS to create an IDS endpoint in each region that you want to monitor. You can create multiple IDS endpoints for each region. Each IDS endpoint has a maximum inspection capacity of 5 Gbps. While each IDS endpoint can handle anomalous traffic spikes of up to 17 Gbps, we recommend that you configure one IDS endpoint for every 5 Gbps of throughput that your network experiences.
Attach packet mirroring policies
- We recommend that you attach more than one packet mirroring policy to an IDS endpoint when you want to mirror traffic from multiple types of sources, including subnets, instances, or network tags. You can only mirror traffic from subnets that exist in the same region as the IDS endpoint.
- Choose only the subnets whose traffic you want to mirror to Cloud IDS.
Cost optimization
Cloud IDS employs a fixed cost for each IDS endpoint and a variable cost based on the volume of inspected traffic. Without careful planning, all network traffic within a Virtual Private Cloud (VPC) can be mirrored and inspected, leading to unexpectedly high bills. To control expenses, we recommend that you do the following:
- Understand the specific security and compliance requirements to judiciously select which VPCs, regions, subnets, and most critically, which traffic flows truly need inspection.
- Start with minimal inspection of critical assets and gradually expand.
- Use packet mirroring filters to precisely control the amount of traffic processed, thereby significantly reducing the variable cost.
The following example tunes a Cloud IDS packet mirroring policy for cost optimization.
Suppose you need to inspect traffic in VPC-x, subnet-x, and only traffic to or from the internet needs to be inspected. You make this decision based on your security and compliance requirements. Also, suppose that only the internet-facing virtual machine (VM) instances in subnet-x need to be inspected.
- Tag the internet-facing VMs with tag-x.
- Use Classless Inter-Domain Routing (CIDR) IP address ranges in the packet mirroring policy to inspect all traffic between VMs tagged with tag-x and the internet. Because negation isn't supported with packet mirroring, you need to construct it in a different way. Suppose this VPC uses the 10.0.0.0/8 CIDR; if so, then you need to construct a list of CIDRs that covers everything except 10.0.0.0/8, which is the following:
  128.0.0.0/1
  64.0.0.0/2
  32.0.0.0/3
  16.0.0.0/4
  0.0.0.0/5
  12.0.0.0/6
  8.0.0.0/7
  11.0.0.0/8
To create the packet mirroring policy, run the following command (gcloud list flags take comma-separated values without brackets or spaces, and the collector forwarding rule is a required flag):
gcloud compute packet-mirrorings create NAME --network=vpc-x --region=REGION --collector-ilb=COLLECTOR_ILB --mirrored-subnets=subnet-x --mirrored-tags=tag-x --filter-cidr-ranges=128.0.0.0/1,64.0.0.0/2,32.0.0.0/3,16.0.0.0/4,0.0.0.0/5,12.0.0.0/6,8.0.0.0/7,11.0.0.0/8
Replace the following:
NAME: the name of the packet mirroring policy to create
REGION: the region of the packet mirroring policy, which must be the region of the IDS endpoint
COLLECTOR_ILB: the forwarding rule that delivers mirrored traffic to the IDS endpoint
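The eight-prefix list above is the binary complement of 10.0.0.0/8 within 0.0.0.0/0, and working it out by hand is error-prone when a VPC uses several ranges. The following script is an added example, not part of the Cloud IDS documentation or of gcloud: it computes the complement of any set of disjoint excluded CIDRs (generalizing the single-range case on this page) with Python's standard ipaddress module, checks that the result neither overlaps the excluded ranges nor leaves gaps, and renders the --filter-cidr-ranges flag value. The VPC ranges and the sample addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable, List

def complement_cidrs(excluded: Iterable[str], universe: str = "0.0.0.0/0") -> List[str]:
    """Return the minimal CIDR list covering `universe` minus every range in `excluded`.

    Packet mirroring filters cannot express negation, so "everything except my VPC
    ranges" has to be spelled out as the set of prefixes that remain once the VPC
    ranges are carved out. `excluded` ranges are assumed to be disjoint and inside
    `universe` (an assumption of this example).
    """
    remaining = [ipaddress.ip_network(universe)]
    for exc in (ipaddress.ip_network(e) for e in excluded):
        next_remaining = []
        for block in remaining:
            if block.subnet_of(exc):
                continue                       # block lies entirely inside an excluded range: drop it
            if exc.subnet_of(block):
                # Carve the excluded range out of this block; address_exclude yields
                # the sibling prefixes at each level of the split (1 per bit of depth).
                next_remaining.extend(block.address_exclude(exc))
            else:
                next_remaining.append(block)   # disjoint: keep as-is
        remaining = next_remaining
    # Merge adjacent blocks that form a supernet, then sort for a stable, reviewable list.
    merged = ipaddress.collapse_addresses(remaining)
    return [str(n) for n in sorted(merged, key=lambda n: (int(n.network_address), n.prefixlen))]

def verify_complement(excluded: Iterable[str], cidrs: Iterable[str], universe: str = "0.0.0.0/0") -> bool:
    """Check that `cidrs` is exactly `universe` minus `excluded`: no overlap with the
    excluded ranges, no overlap among themselves, and the address counts add up."""
    u = ipaddress.ip_network(universe)
    exc = [ipaddress.ip_network(e) for e in excluded]
    nets = [ipaddress.ip_network(c) for c in cidrs]
    if any(n.overlaps(e) for n in nets for e in exc):
        return False
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    expected = u.num_addresses - sum(e.num_addresses for e in exc)
    return sum(n.num_addresses for n in nets) == expected

def is_mirrored(ip: str, cidrs: Iterable[str]) -> bool:
    """True if traffic to or from `ip` would match the filter (and so be mirrored and billed)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def gcloud_filter_flag(cidrs: Iterable[str]) -> str:
    """Render the flag value in the comma-separated form gcloud expects."""
    return "--filter-cidr-ranges=" + ",".join(cidrs)

if __name__ == "__main__":
    # Constructed sample: the page's single VPC range, then a VPC using all three RFC 1918 ranges.
    for vpc_ranges in (["10.0.0.0/8"], ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]):
        internet = complement_cidrs(vpc_ranges)
        assert verify_complement(vpc_ranges, internet)
        print(f"VPC {vpc_ranges}: {len(internet)} prefixes")
        print("  " + gcloud_filter_flag(internet))
        print("  8.8.8.8 mirrored:", is_mirrored("8.8.8.8", internet),
              "| 10.1.2.3 mirrored:", is_mirrored("10.1.2.3", internet))
```

Run the verification before attaching the policy: a filter list that accidentally overlaps the VPC range mirrors east-west traffic too, which is exactly the cost surprise the section warns about, while a gap in the list leaves some internet-bound flows uninspected.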
What's next
- To review conceptual information, see the Cloud IDS overview.
- To set up Cloud IDS, see Configure Cloud IDS.