Mirroring endpoint groups overview
An endpoint group is a consumer resource that references a producer
deployment group. This page provides a detailed overview of mirroring
endpoint groups and their capabilities.
Mirroring endpoint groups
We recommend that you create the mirroring endpoint group in a project
owned by your security administrator. So that a network administrator can
create mirroring endpoint group associations against it, the security
administrator must grant the Mirroring Endpoint Admin
(roles/networksecurity.mirroringEndpointAdmin) and Mirroring Endpoint User
(roles/networksecurity.mirroringEndpointUser) roles to the network
administrator. The Identity and Access Management roles section later on this
page lists which project each role must be granted on.
Specifications
A mirroring endpoint group is a project-level resource created at the global
level.
Network Security Integration uses Packet Mirroring technology to
mirror the traffic from the Google Cloud workloads in a
Virtual Private Cloud (VPC) network to the mirroring endpoint groups.
The security profile redirects the workload traffic in a VPC
network to the mirroring endpoint group only if the mirroring rules are
configured to be applied to this flow and the network is associated with
the mirroring endpoint group.
The mirroring rules add a VPC network identifier to each
packet redirected to the mirroring endpoint groups for the deep packet
inspection. If you have multiple VPC networks with
overlapping IP address ranges, this network identifier helps to ensure
that each redirected packet is correctly associated with its
VPC network.
You can create a mirroring endpoint group globally and associate it with one
or more VPC networks to monitor workloads.
You use mirroring endpoint group association
to attach a mirroring endpoint group to a VPC network.
You can delete a mirroring endpoint group only when there are no
VPC networks associated with it.
Mirroring endpoint group associations
A mirroring endpoint group association is a project-level resource that links
a mirroring endpoint group to a VPC network, which makes the network's traffic
eligible for inspection. After the association is created, any traffic in that
network that matches the mirroring rules is replicated and sent to the
mirroring deployment group that the endpoint group references.
For more information about how to create and manage mirroring endpoint group
associations, see
Create and manage mirroring endpoint group associations.
Identity and Access Management roles
Identity and Access Management (IAM) roles govern the following actions for managing the
mirroring endpoint groups:
Creating a mirroring endpoint group in a project
Modifying or deleting a mirroring endpoint group
Viewing details about a mirroring endpoint group
Viewing all the mirroring endpoint groups configured in a project
The following table describes the roles that are necessary for each step.

| Ability | Necessary role |
|---|---|
| Create a new mirroring endpoint group | Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) on the project where the mirroring endpoint group is created. |
| Modify or delete an existing mirroring endpoint group | Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) on the project. |
| View details about a mirroring endpoint group in a project | Either of the following roles on the project: Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) or Mirroring Endpoint Viewer role (roles/networksecurity.mirroringEndpointViewer). |
| View all the mirroring endpoint groups in a project | Either of the following roles on the project: Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) or Mirroring Endpoint Viewer role (roles/networksecurity.mirroringEndpointViewer). |
IAM roles govern the following actions for the
mirroring endpoint group associations:
Creating a mirroring endpoint group association in a project
Modifying or deleting a mirroring endpoint group association
Viewing details of a mirroring endpoint group association
Viewing all the mirroring endpoint group associations configured in a project
The following table describes the roles that are necessary for each step.

| Ability | Necessary role |
|---|---|
| Create a mirroring endpoint group association | Both of the following: the Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) on the project where the association is created (the project that contains the VPC network), and the Mirroring Endpoint User role (roles/networksecurity.mirroringEndpointUser) on the project that owns the mirroring endpoint group. The User role is what lets a VPC administrator attach their network to a mirroring endpoint group that is owned by the organization's security administrator rather than by the VPC owner. |
| Modify (update or delete) a mirroring endpoint group association | Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) on the project where the VPC network exists. |
| View details about a mirroring endpoint group association in a project | Either of the following roles on the project: Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) or Mirroring Endpoint Viewer role (roles/networksecurity.mirroringEndpointViewer). |
| View all the mirroring endpoint group associations in a project | Either of the following roles on the project: Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) or Mirroring Endpoint Viewer role (roles/networksecurity.mirroringEndpointViewer). |
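The following script is an added example, not code from this page or from Google. It walks through the split-project model described above (endpoint group in the security administrator's project, association in the VPC's project) and the IAM tables in this section: it grants the network administrator only the two roles the tables call for, creates the endpoint group against a producer deployment group, creates the association, and refuses to delete the endpoint group while any association still references it. All project, network, principal and resource names are placeholders. The gcloud flag names (`--mirroring-deployment-group`, `--mirroring-endpoint-group`, `--network`) and the `mirroringEndpointGroup` filter field are assumed from the `gcloud network-security mirroring-*` command group; confirm them with `--help` before relying on them.

```shell
#!/bin/sh
# Added example (not from the page or from Google): the split-project setup this
# page describes, driven with the gcloud CLI.
#   SEC_PROJECT      - security administrator's project, owns the endpoint group
#   NET_PROJECT      - network administrator's project, owns the VPC and association
#   PRODUCER_PROJECT - the inspection producer's project, owns the deployment group
# Every name below is a placeholder (assumption). gcloud flag names and the
# filter field are assumed from the mirroring-* command group; check with --help.
set -eu

SEC_PROJECT="${SEC_PROJECT:-sec-admin-project}"
NET_PROJECT="${NET_PROJECT:-workload-project}"
PRODUCER_PROJECT="${PRODUCER_PROJECT:-dpi-vendor-project}"
DEPLOYMENT_GROUP="${DEPLOYMENT_GROUP:-dpi-deployment-group}"
ENDPOINT_GROUP="${ENDPOINT_GROUP:-dpi-endpoint-group}"
NETWORK="${NETWORK:-prod-vpc}"
NETWORK_ADMIN="${NETWORK_ADMIN:-user:netadmin@example.com}"
GCLOUD="${GCLOUD:-gcloud}"

# Mirroring resources are global, so their full names always use locations/global.
deployment_group_name() { printf 'projects/%s/locations/global/mirroringDeploymentGroups/%s' "$1" "$2"; }
endpoint_group_name()   { printf 'projects/%s/locations/global/mirroringEndpointGroups/%s' "$1" "$2"; }
network_name()          { printf 'projects/%s/global/networks/%s' "$1" "$2"; }

# Least privilege for the network administrator, per the IAM tables on this page:
# Endpoint Admin where the association is created, Endpoint User where the
# endpoint group lives. Auditors need only Endpoint Viewer, granted elsewhere.
grant_network_admin_roles() {
  "$GCLOUD" projects add-iam-policy-binding "$NET_PROJECT" \
    --member="$NETWORK_ADMIN" --role=roles/networksecurity.mirroringEndpointAdmin
  "$GCLOUD" projects add-iam-policy-binding "$SEC_PROJECT" \
    --member="$NETWORK_ADMIN" --role=roles/networksecurity.mirroringEndpointUser
}

# Run as the security administrator: the consumer resource that references the
# producer's deployment group.
create_endpoint_group() {
  "$GCLOUD" network-security mirroring-endpoint-groups create "$ENDPOINT_GROUP" \
    --project="$SEC_PROJECT" --location=global \
    --mirroring-deployment-group="$(deployment_group_name "$PRODUCER_PROJECT" "$DEPLOYMENT_GROUP")"
}

# Run as the network administrator: attach the VPC network to the endpoint group.
create_association() {
  "$GCLOUD" network-security mirroring-endpoint-group-associations create "${ENDPOINT_GROUP}-${NETWORK}" \
    --project="$NET_PROJECT" --location=global \
    --mirroring-endpoint-group="$(endpoint_group_name "$SEC_PROJECT" "$ENDPOINT_GROUP")" \
    --network="$(network_name "$NET_PROJECT" "$NETWORK")"
}

# Associations that still reference the endpoint group, one resource name per line.
# Assumes the association's mirroringEndpointGroup field is filterable; repeat for
# every workload project whose VPCs attach to this endpoint group.
list_associations_referencing() {
  "$GCLOUD" network-security mirroring-endpoint-group-associations list \
    --project="$NET_PROJECT" --location=global \
    --filter="mirroringEndpointGroup=$(endpoint_group_name "$SEC_PROJECT" "$ENDPOINT_GROUP")" \
    --format='value(name)'
}

# Deletion guard from this page: an endpoint group can be deleted only when no VPC
# network is associated with it. Takes the association list; returns 0 when safe.
can_delete_endpoint_group() {
  remaining=$(printf '%s' "$1" | grep -c . || true)
  [ "$remaining" -eq 0 ]
}

delete_endpoint_group_if_safe() {
  remaining=$(list_associations_referencing)
  if can_delete_endpoint_group "$remaining"; then
    "$GCLOUD" network-security mirroring-endpoint-groups delete "$ENDPOINT_GROUP" \
      --project="$SEC_PROJECT" --location=global --quiet
  else
    echo "refusing to delete $ENDPOINT_GROUP; associations still reference it:" >&2
    printf '%s\n' "$remaining" >&2
    return 1
  fi
}

# Nothing runs until explicitly requested, so the file can be sourced for its helpers.
case "${1:-}" in
  setup)    grant_network_admin_roles; create_endpoint_group; create_association ;;
  teardown) delete_endpoint_group_if_safe ;;
esac
```

Run `sh mirroring-setup.sh setup` once as a principal holding Endpoint Admin on the security project (for the endpoint group) and then as the network administrator (for the association), and `sh mirroring-setup.sh teardown` to remove the endpoint group; the teardown stops with a non-zero exit and the offending association names whenever the delete would violate the "no associated networks" constraint, rather than relying on the API to reject it.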
Quotas
To view quotas associated with mirroring endpoint groups, see
Quotas and limits.
What's next
Network Security Integration overview (/network-security-integration/docs/nsi-overview)
Out-of-band integration overview (/network-security-integration/docs/out-of-band/out-of-band-integration-overview)
Monitor out-of-band integration (/network-security-integration/docs/out-of-band/monitor-out-of-band-integration)
Last updated 2025-09-04 UTC.