A mirroring deployment group is a collection of mirroring deployments that are set up across multiple zones. This collection represents a producer's mirroring service that the consumers can connect to.
A mirroring deployment group is identified by a unique URL identifier. This URL is used in the mirroring endpoint group to identify the producer mirroring service where the mirrored packets are sent for deep packet inspection.
This document provides a detailed overview of the mirroring deployment groups and their capabilities.
Specifications
A mirroring deployment group is a global project-level resource.
Each mirroring deployment group is uniquely identified by a URL with the following elements:
- Project ID: ID of the project.
- Location: scope of the mirroring deployment group. Location is always set to global.
- Name: mirroring deployment group name in the following format:
  - A string 1-63 characters long
  - Includes only lowercase alphanumeric characters or hyphens (-)
  - Must start with a letter
To construct a unique URL identifier for a mirroring deployment group, use the following format:
projects/PROJECT_ID/locations/global/mirroringDeploymentGroups/DEPLOYMENT_GROUP_ID
Replace the following:
- PROJECT_ID: ID of the project
- DEPLOYMENT_GROUP_ID: ID of the mirroring deployment group
For example, a global mirroring deployment group named example-mirroring-deployment-group in project 2345678432 has the following unique identifier:
projects/2345678432/locations/global/mirroringDeploymentGroups/example-mirroring-deployment-group
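The naming rules and URL format above can be enforced before an identifier is placed in configuration or compared against an expected producer. The following Python is an added example, not part of the original documentation; the function and class names are hypothetical, and the project ID is treated as an opaque segment without slashes or whitespace (an assumption, because the page does not define its format).

```python
import re
from typing import NamedTuple

# Name rule from the page: 1-63 characters, only lowercase alphanumerics
# or hyphens, and the first character must be a letter.
_NAME_RE = re.compile(r"[a-z][a-z0-9-]{0,62}")

# Identifier layout from the page. The project segment is matched loosely
# (assumption: any run of characters without "/" or whitespace).
_PATH_RE = re.compile(
    r"projects/(?P<project>[^/\s]+)"
    r"/locations/(?P<location>[^/]+)"
    r"/mirroringDeploymentGroups/(?P<name>[^/]+)"
)


class DeploymentGroupRef(NamedTuple):
    project_id: str
    name: str


def is_valid_group_name(name: str) -> bool:
    """Return True if name satisfies the three naming rules."""
    return _NAME_RE.fullmatch(name) is not None


def build_group_id(project_id: str, name: str) -> str:
    """Construct the unique identifier, rejecting malformed parts."""
    if not re.fullmatch(r"[^/\s]+", project_id):
        raise ValueError(f"invalid project ID: {project_id!r}")
    if not is_valid_group_name(name):
        raise ValueError(f"invalid deployment group name: {name!r}")
    return (f"projects/{project_id}/locations/global"
            f"/mirroringDeploymentGroups/{name}")


def parse_group_id(identifier: str) -> DeploymentGroupRef:
    """Split an identifier into its parts, enforcing the documented format."""
    m = _PATH_RE.fullmatch(identifier)
    if m is None:
        raise ValueError("not a mirroring deployment group identifier")
    if m["location"] != "global":  # location is always global
        raise ValueError(f"unexpected location: {m['location']!r}")
    if not is_valid_group_name(m["name"]):
        raise ValueError(f"invalid deployment group name: {m['name']!r}")
    return DeploymentGroupRef(m["project"], m["name"])


if __name__ == "__main__":
    # Identifier taken from the example on this page.
    print(parse_group_id(build_group_id(
        "2345678432", "example-mirroring-deployment-group")))
```

Parsing the identifier into a project ID and name lets a consumer-side check compare the producer project against an expected value instead of matching on the raw string.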
You can use a single mirroring deployment group to inspect the mirrored traffic from multiple Virtual Private Cloud (VPC) instances across different projects and accounts.
If the deployment group doesn't have a deployment in a specific zone, then, on the consumer side, the packets in that zone are not mirrored.
To delete a deployment group, you must delete all the deployments in that deployment group.
Identity and Access Management roles
Identity and Access Management (IAM) roles govern the following actions for managing the mirroring deployment groups:
- Creating a mirroring deployment group in a project
- Modifying or deleting a mirroring deployment group
- Viewing details about a mirroring deployment group
- Viewing all the mirroring deployment groups configured in your project
The following table describes the roles that are necessary for each step.
Ability | Necessary role |
---|---|
Create a new mirroring deployment group | Mirroring Deployment Admin role (networksecurity.mirroringDeploymentAdmin) on the project where the mirroring deployment group is created. |
Modify an existing mirroring deployment group | Mirroring Deployment Admin role (networksecurity.mirroringDeploymentAdmin) on the project where the mirroring deployment group is created. |
View details about the mirroring deployment group in a project | Any of the following roles for the project: |
View all the mirroring deployment groups in your project | Any of the following roles for the project: |
Delete a mirroring deployment group | Mirroring Deployment Admin role (networksecurity.mirroringDeploymentAdmin) on the project. |
Quotas
To view quotas associated with mirroring deployment groups, see Quotas and limits.
What's next
- Create and manage mirroring deployments
- Create and manage mirroring deployment groups
- Network Security Integration overview
- Monitor out-of-band integration