This page provides best practices for configuring Cloud IDS.
Cloud IDS is an intrusion detection service that provides threat
detection for intrusions, malware, spyware, and command-and-control attacks
on your network. Cloud IDS uses a resource known as an IDS endpoint, a
zonal resource that can inspect traffic from any zone in its region. Each IDS
endpoint receives mirrored traffic and performs threat detection analysis.
Deploy IDS endpoints
- Create an IDS endpoint in each region that you want to monitor by using Cloud IDS. You can create multiple IDS endpoints for each region.
- Allow up to 20 minutes for Cloud IDS to create and configure firewalls.
- During IDS endpoint creation, you must choose an alert severity level. For maximum visibility, we recommend the informational level.
- If you use the Packet mirroring page in the Google Cloud console to create a packet mirroring policy, ensure that you enable "Allow both ingress and egress traffic".
- If you use the Cloud IDS page to configure an IDS endpoint, you do not need to enable "Allow both ingress and egress traffic" because it is automatically enabled.
You can use Cloud IDS to create an IDS endpoint in each region that
you want to monitor. You can create multiple IDS endpoints for each region.
Each IDS endpoint has a maximum inspection capacity of 5 Gbps. While each
IDS endpoint can handle anomalous traffic spikes of up to 17 Gbps, we
recommend that you configure one IDS endpoint for every 5 Gbps of throughput
that your network experiences.
Attach packet mirroring policies
- We recommend that you attach more than one packet mirroring policy to an IDS endpoint when you want to mirror traffic from multiple types of sources, including subnets, instances, or network tags. You can only mirror traffic from subnets that exist in the same region as the IDS endpoint.
- Choose only the subnets whose traffic you want to mirror to Cloud IDS.
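The following added example (not part of the original page and not Google's code) checks a planned deployment against the practices above: one endpoint per 5 Gbps in each region, informational severity, mirroring in both directions, and subnets in the endpoint's own region. The plan layout, resource names, and throughput figures are constructed for illustration.

```python
import math

ENDPOINT_CAPACITY_GBPS = 5  # per-endpoint inspection capacity stated on this page

# Constructed sample plan; every name and number below is hypothetical.
PLAN = {
    "endpoints": [
        {"name": "ids-us-1", "region": "us-central1", "severity": "INFORMATIONAL"},
        {"name": "ids-eu-1", "region": "europe-west1", "severity": "HIGH"},
    ],
    "peak_gbps": {"us-central1": 12.0, "europe-west1": 3.0},
    "mirroring_policies": [
        {"name": "pm-us-web", "endpoint": "ids-us-1", "direction": "BOTH",
         "subnets": {"web-us": "us-central1"}},
        {"name": "pm-eu-db", "endpoint": "ids-eu-1", "direction": "INGRESS",
         "subnets": {"db-eu": "europe-west1", "db-asia": "asia-east1"}},
    ],
}

def check_plan(plan):
    """Return a sorted list of findings where the plan departs from the page's guidance."""
    findings = []
    endpoints = {e["name"]: e for e in plan["endpoints"]}
    # One endpoint for every 5 Gbps of throughput in each monitored region.
    for region, gbps in plan["peak_gbps"].items():
        have = sum(1 for e in endpoints.values() if e["region"] == region)
        need = max(1, math.ceil(gbps / ENDPOINT_CAPACITY_GBPS))
        if have < need:
            findings.append(f"{region}: {have} endpoint(s), need {need} for {gbps} Gbps")
    # The informational severity level gives maximum visibility.
    for e in endpoints.values():
        if e["severity"].upper() != "INFORMATIONAL":
            findings.append(f"{e['name']}: severity {e['severity']}, recommend INFORMATIONAL")
    for p in plan["mirroring_policies"]:
        ep = endpoints.get(p["endpoint"])
        if ep is None:
            findings.append(f"{p['name']}: unknown endpoint {p['endpoint']}")
            continue
        # Policies made on the Packet mirroring page must allow ingress and egress.
        if p["direction"].upper() != "BOTH":
            findings.append(f"{p['name']}: mirrors {p['direction']} only, enable both directions")
        # Only subnets in the endpoint's own region can be mirrored to it.
        for subnet, region in p["subnets"].items():
            if region != ep["region"]:
                findings.append(f"{p['name']}: subnet {subnet} is in {region}, endpoint is in {ep['region']}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(check_plan(PLAN)))
```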