Cloud IDS overview

Cloud IDS is an intrusion detection service that provides threat detection for intrusions, malware, spyware, and command-and-control attacks on your network. Cloud IDS works by creating a Google-managed peered network with mirrored VMs. Traffic in the peered network is mirrored, and then inspected by Palo Alto Networks threat protection technologies to provide advanced threat detection. You can mirror all traffic or you can mirror filtered traffic, based on protocol, IP address range, or ingress and egress.

Cloud IDS provides full visibility into network traffic, including both north-south and east-west traffic, letting you monitor VM-to-VM communication to detect lateral movement. Because the inspection engine also examines intra-subnet traffic, movement between VMs in the same subnet is visible as well.

You can also use Cloud IDS to meet your advanced threat detection and compliance requirements, including PCI 11.4.

Cloud IDS is subject to Google Cloud's Data Processing and Security Terms.

While Cloud IDS includes all the functionality that helps you maintain compliance, Cloud IDS itself is still being audited and is not yet compliance certified. Also note that Cloud IDS detects and alerts on threats, but does not take action to prevent attacks or repair damage. You can use products like Google Cloud Armor to take action on the threats that Cloud IDS detects.

About Cloud IDS

The following section provides details about IDS endpoints and advanced threat detection.

IDS endpoints

Cloud IDS uses a resource known as an IDS endpoint, a zonal resource that can inspect traffic from any zone in its region. Each IDS endpoint receives mirrored traffic and performs threat detection analysis.

Private services access is a private connection between your Virtual Private Cloud network and a network owned by Google or a third party. In the case of Cloud IDS, the private connection connects your VMs to the Google-managed peered VMs. For IDS endpoints in the same Virtual Private Cloud network, the same private connection is reused, but a new subnet is assigned for each endpoint. If you need to add IP address ranges to an existing private connection, you must modify the connection.

Packet mirroring policies

Cloud IDS uses Google Cloud packet mirroring, which creates a copy of your network traffic. After creating an IDS endpoint, you must attach one or more packet mirroring policies to it. These policies send mirrored traffic to a single IDS endpoint for inspection. The packet mirroring logic sends all traffic from individual VMs to Google-managed IDS VMs: for example, all traffic mirrored from VM1 and VM2 will always be sent to IDS-VM1.

Advanced threat detection

Cloud IDS threat detection capabilities are powered by the following Palo Alto Networks threat prevention technologies.

Application-ID

Palo Alto Networks' Application ID (App-ID) provides visibility into the applications running on your network. App-ID uses multiple identification techniques to determine the identity of applications traversing your network, irrespective of port, protocol, evasive tactic, or encryption. App-ID identifies the application, providing you with knowledge to help secure your application.

The list of App-IDs is expanded weekly, with 3 to 5 new applications typically added based on input from customers, partners, and market trends. Once a new App-ID is developed and tested, it is automatically added to the list as part of the daily content updates.

Application information can be seen in the Threats Details page in the Google Cloud console.


Default signature set

Cloud IDS provides a default set of threat signatures that you can use immediately to protect your network from threats. In the Google Cloud console, this signature set is called a Cloud IDS service profile. You can customize this set by choosing the minimum alert severity level. The signatures are used to detect vulnerabilities and spyware.

  • Vulnerability detection signatures detect attempts to exploit system flaws or gain unauthorized access to systems. While anti-spyware signatures help identify infected hosts when traffic leaves the network, vulnerability detection signatures protect against threats entering the network. For example, vulnerability detection signatures help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default vulnerability detection signatures provide detection for clients and servers from all known critical, high, and medium-severity threats.
  • Anti-spyware signatures are used to detect spyware on compromised hosts. Such spyware might try to contact external command-and-control (C2) servers. When Cloud IDS detects malicious traffic leaving your network from infected hosts, it generates an alert, which is saved in the threat log and also shown in the Google Cloud console.

Threat severity levels

A signature's severity indicates the risk of the detected event, and Cloud IDS generates alerts for matching traffic. You can choose the minimum severity level in the default signature set. The following table summarizes the threat severity levels.

Severity levels, from highest to lowest:

  • Critical: Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and where the exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions.
  • High: Threats that have the ability to become critical but there are mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
  • Medium: Minor threats in which impact is minimized, that do not compromise the target, or exploits that require an attacker to reside on the same local network as the victim, affect only non-standard configurations or obscure applications, or provide very limited access.
  • Low: Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy issues and information leakage.
  • Informational: Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist.
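
As an added example (not part of the Cloud IDS documentation or product), the following Python script applies the minimum-severity choice from the severity table to a handful of constructed threat-log records and lists internal hosts that produced outbound anti-spyware hits. The record fields (severity, category, direction, src, dst, name) are an assumed, simplified schema, not the real Cloud IDS Logging format.

```python
"""Triage constructed Cloud IDS-style threat alerts by minimum severity.

Added example. The alert records and their field names are constructed
for illustration and do not reproduce the real Cloud IDS log schema.
"""
from collections import defaultdict

# Ordering of the severity levels from the threat-severity table.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample alerts (simplified, assumed schema).
SAMPLE_ALERTS = [
    {"severity": "CRITICAL", "category": "vulnerability", "direction": "INGRESS",
     "src": "203.0.113.7", "dst": "10.0.1.5", "name": "constructed-exploit-attempt"},
    {"severity": "HIGH", "category": "spyware", "direction": "EGRESS",
     "src": "10.0.1.9", "dst": "198.51.100.20", "name": "constructed-c2-beacon"},
    {"severity": "MEDIUM", "category": "vulnerability", "direction": "INGRESS",
     "src": "203.0.113.8", "dst": "10.0.1.5", "name": "constructed-scan"},
    {"severity": "LOW", "category": "spyware", "direction": "EGRESS",
     "src": "10.0.1.9", "dst": "198.51.100.21", "name": "constructed-dns-lookup"},
    {"severity": "INFORMATIONAL", "category": "vulnerability", "direction": "INGRESS",
     "src": "203.0.113.9", "dst": "10.0.1.6", "name": "constructed-info"},
]


def meets_minimum(alert, minimum):
    """True if the alert's severity is at or above the chosen minimum level."""
    return SEVERITY_RANK[alert["severity"]] >= SEVERITY_RANK[minimum]


def filter_alerts(alerts, minimum="MEDIUM"):
    """Keep only the alerts a service profile with this minimum severity would raise."""
    if minimum not in SEVERITY_RANK:
        raise ValueError(f"unknown severity level: {minimum}")
    return [a for a in alerts if meets_minimum(a, minimum)]


def suspected_infected_hosts(alerts):
    """Map internal source hosts to their outbound anti-spyware alert names."""
    hosts = defaultdict(list)
    for a in alerts:
        if a["category"] == "spyware" and a["direction"] == "EGRESS":
            hosts[a["src"]].append(a["name"])
    return dict(hosts)


if __name__ == "__main__":
    kept = filter_alerts(SAMPLE_ALERTS, "MEDIUM")
    for a in kept:
        print(f'{a["severity"]:<13} {a["direction"]:<7} {a["src"]} -> {a["dst"]}  {a["name"]}')
    print("hosts with outbound spyware alerts:", suspected_infected_hosts(kept))
```

Raising the minimum to HIGH drops the low-severity DNS hit but keeps the beacon, which is the trade-off the severity setting controls.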

Content update frequency

Cloud IDS automatically updates all signatures without any user intervention, enabling users to focus on analyzing and resolving threats, without managing or updating signatures. Content updates include Application-ID and threat signatures including vulnerability and anti-spyware signatures.

Updates from Palo Alto Networks are picked up daily by Cloud IDS and pushed to all existing IDS endpoints. Maximum update latency is estimated to be up to 48 hours.

Logging

Several features of Cloud IDS generate alerts, which are sent to the threat log. For more information about logging, see Cloud IDS Logging.

Limitations

  • Cloud IDS is not supported by VPC Service Controls. We recommend creating an IDS endpoint only in projects that are outside perimeters.
