Create and manage mirroring endpoint groups

This page explains how to configure and manage the mirroring endpoint groups in the consumer's account to represent the producer's mirroring deployment groups by using the Google Cloud CLI.

We recommend that you create the mirroring endpoint group in a project owned by your security administrator. To create the mirroring endpoint group associations, the security administrator must assign the Mirroring Endpoint Admin (roles/networksecurity.mirroringAdmin) and Mirroring Endpoint Network Admin (roles/networksecurity.mirroringEndpointNetworkAdmin) roles to the project or to the network administrator.

If you have enabled the mirroring rule action as MIRROR in the firewall policy associated with your Virtual Private Cloud (VPC) network, and created the mirroring endpoint group associations, the mirrored traffic is forwarded to the mirroring endpoint group.

Before you begin

Roles

To get the permissions that you need to create, view, or delete mirroring endpoint groups, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your Google Cloud project. For more information about granting roles, see Manage access to projects, folders, and organizations.

To check the progress of the operations listed on this page, make sure that your user role has the Mirroring Endpoint Admin (roles/networksecurity.mirroringEndpointAdmin) and Mirroring Deployment User (roles/networksecurity.mirroringDeploymentUser) roles and permissions.

The Mirroring Deployment User role (roles/networksecurity.mirroringDeploymentUser) is required on the producer project so that you can connect the consumer's mirroring endpoint group to the producer's mirroring deployment group.

Quotas

To view quotas associated with mirroring endpoint groups, see Quotas and limits.

Create a mirroring endpoint group

Create a mirroring endpoint group in a specific zone.

gcloud

To create a mirroring endpoint group, use the gcloud beta network-security mirroring-endpoint-groups create command:

 gcloud beta network-security mirroring-endpoint-groups create ENDPOINT_GROUP \
     --location global \
     --project PROJECT_NAME \
     --mirroring-deployment-group DEPLOYMENT_GROUP \
     --no-async

Replace the following:

  • ENDPOINT_GROUP: the name of the mirroring endpoint group.

  • PROJECT_NAME: the project name where you want to create the mirroring endpoint group.

  • DEPLOYMENT_GROUP: the name of the mirroring deployment group.

To associate the mirroring endpoint group to a VPC network, see Create and manage mirroring endpoint group associations.

View a mirroring endpoint group

You can view the details of a specific mirroring endpoint group.

gcloud

To view details of a mirroring endpoint group, use the gcloud beta network-security mirroring-endpoint-groups describe command:

 gcloud beta network-security mirroring-endpoint-groups \
     describe ENDPOINT_GROUP \
     --location global

Replace ENDPOINT_GROUP with the name of the mirroring endpoint group.

List mirroring endpoint groups

You can list all the mirroring endpoint groups in a project.

gcloud

To list all mirroring endpoint groups, use the gcloud beta network-security mirroring-endpoint-groups list command:

 gcloud beta network-security mirroring-endpoint-groups list \
     --project PROJECT_NAME \
     --location global

Replace PROJECT_NAME with the name of the project where the mirroring endpoint group was created.
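Because mirrored traffic is delivered to whichever producer the referenced deployment group belongs to, a consumer-side check that every endpoint group in the project points at an approved producer and is healthy is worth automating. The following POSIX shell script is an added example, not part of the Google Cloud documentation; it assumes that the list command's --format "value(...)" output exposes the fields mirroringDeploymentGroup and state, and that ACTIVE is the healthy state value.

```shell
#!/bin/sh
# Added example, not from the Google Cloud docs. Assumes the endpoint-group
# resource exposes the fields mirroringDeploymentGroup and state, and that
# ACTIVE is the healthy state value.
TAB="$(printf '\t')"
# Approved producer deployment groups, one full resource name per line
# (constructed sample values).
APPROVED_DEPLOYMENT_GROUPS='projects/producer-prj/locations/global/mirroringDeploymentGroups/ids-dg
projects/producer-prj/locations/global/mirroringDeploymentGroups/ndr-dg'

# Reads ENDPOINT_GROUP<TAB>DEPLOYMENT_GROUP<TAB>STATE lines on stdin, prints a
# finding for each group that points at an unapproved producer or is not
# ACTIVE, and returns 1 if any finding was printed.
check_endpoint_groups() {
    findings=0
    while IFS="$TAB" read -r name dg state; do
        [ -n "$name" ] || continue
        if ! printf '%s\n' "$APPROVED_DEPLOYMENT_GROUPS" | grep -qxF -- "$dg"; then
            printf 'UNAPPROVED_PRODUCER %s -> %s\n' "$name" "$dg"
            findings=$((findings + 1))
        elif [ "$state" != "ACTIVE" ]; then
            printf 'NOT_ACTIVE %s state=%s\n' "$name" "$state"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Runs the list command from this page in a machine-readable format and
# feeds it to the check. Needs gcloud and the roles listed on the page.
audit_project() {
    gcloud beta network-security mirroring-endpoint-groups list \
        --project "$1" --location global \
        --format "value(name,mirroringDeploymentGroup,state)" |
        check_endpoint_groups
}

# Constructed sample of list output: one approved and active group, one
# pointing at an unknown producer, one still being created.
SAMPLE_LIST_OUTPUT="$(printf '%s\t%s\t%s\n' \
    projects/consumer-prj/locations/global/mirroringEndpointGroups/eg-ok \
    projects/producer-prj/locations/global/mirroringDeploymentGroups/ids-dg ACTIVE \
    projects/consumer-prj/locations/global/mirroringEndpointGroups/eg-rogue \
    projects/other-prj/locations/global/mirroringDeploymentGroups/x-dg ACTIVE \
    projects/consumer-prj/locations/global/mirroringEndpointGroups/eg-pending \
    projects/producer-prj/locations/global/mirroringDeploymentGroups/ndr-dg CREATING)"

# Offline demo on the sample; call audit_project PROJECT_NAME for live data.
printf '%s\n' "$SAMPLE_LIST_OUTPUT" | check_endpoint_groups || echo "review the findings above"
```

Run audit_project in a scheduled job and treat a non-zero exit as an alert; the allow-list is the only place an approved producer should ever be added.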

Delete a mirroring endpoint group

You can delete a mirroring endpoint group by specifying its name, location, and project.

gcloud

To delete a mirroring endpoint group, use the gcloud beta network-security mirroring-endpoint-groups delete command:

 gcloud beta network-security mirroring-endpoint-groups delete ENDPOINT_GROUP \
     --project PROJECT_NAME \
     --location global \
     --no-async

Replace the following:

  • ENDPOINT_GROUP: the name of the mirroring endpoint group.

  • PROJECT_NAME: the project name where the mirroring endpoint group was created.

What's next