Mirroring endpoint groups overview

An endpoint group is a consumer resource that references a producer deployment group. This page provides a detailed overview of mirroring endpoint groups and their capabilities.

Mirroring endpoint groups

We recommend that you create the mirroring endpoint group in a project owned by your security administrator. To create the mirroring endpoint group associations, the security administrator must assign the Mirroring Endpoint Admin (roles/networksecurity.mirroringEndpointAdmin) and Mirroring Endpoint Network Admin (roles/networksecurity.mirroringEndpointNetworkAdmin) roles to the project or to the network administrator.

For more information about mirroring endpoint groups, see Mirroring endpoint group overview.

Specifications

  • A mirroring endpoint group is a project-level resource created at the global level.
  • Network Security Integration uses Packet Mirroring technology to mirror the traffic from the Google Cloud workloads in a Virtual Private Cloud (VPC) network to the mirroring endpoint groups.
  • The security profile redirects the workload traffic in a VPC network to the mirroring endpoint group only if the mirroring rules are configured to be applied to this flow and the network is associated with the mirroring endpoint group.
  • The mirroring rules add a VPC network identifier to each packet redirected to the mirroring endpoint groups for the deep packet inspection. If you have multiple VPC networks with overlapping IP address ranges, this network identifier helps to ensure that each redirected packet is correctly associated with its VPC network.
  • You can create a mirroring endpoint group globally and associate it with one or more VPC networks to monitor workloads. You use mirroring endpoint group association to attach a mirroring endpoint group to a VPC network.
  • You can delete a mirroring endpoint group only when there are no VPC networks associated with it.
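The network identifier described above is what lets an inspection engine keep flows apart when two associated VPC networks reuse the same address space. The following is an added illustration, not Google's code: the MirroredPacket record layout and the sample traffic are constructed for this example, and the real wire encapsulation is not reproduced.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MirroredPacket:
    """Constructed view of a redirected packet (hypothetical layout)."""
    network_id: str      # VPC network identifier added by the mirroring rules
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    payload_len: int


def five_tuple(pkt):
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.protocol)


def build_flow_table(packets, use_network_id=True):
    """Aggregate payload bytes per flow. Keying on the 5-tuple alone merges
    flows from networks with overlapping ranges; prefixing the key with the
    network identifier keeps each flow attached to its own VPC network."""
    table = defaultdict(int)
    for pkt in packets:
        key = ((pkt.network_id,) + five_tuple(pkt)) if use_network_id else five_tuple(pkt)
        table[key] += pkt.payload_len
    return dict(table)


def collisions(packets):
    """Return 5-tuples seen from more than one VPC network, i.e. the flows an
    inspection engine would conflate without the network identifier."""
    seen = defaultdict(set)
    for pkt in packets:
        seen[five_tuple(pkt)].add(pkt.network_id)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: two VPC networks both use 10.0.0.0/24 and emit an identical 5-tuple.
SAMPLE = [
    MirroredPacket("vpc-prod", "10.0.0.5", "10.0.0.9", 44321, 443, "tcp", 1200),
    MirroredPacket("vpc-prod", "10.0.0.5", "10.0.0.9", 44321, 443, "tcp", 300),
    MirroredPacket("vpc-dev", "10.0.0.5", "10.0.0.9", 44321, 443, "tcp", 64),
    MirroredPacket("vpc-dev", "10.0.0.7", "10.0.0.9", 50000, 22, "tcp", 128),
]

if __name__ == "__main__":
    print(build_flow_table(SAMPLE, use_network_id=False))  # 2 flows, prod and dev merged
    print(build_flow_table(SAMPLE))                        # 3 flows, correctly separated
    print(collisions(SAMPLE))
```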

Mirroring endpoint group associations

A mirroring endpoint group association is a project-level resource that links a mirroring endpoint group to a VPC network, making the network's traffic eligible for inspection. After a mirroring endpoint group is associated, any traffic that matches the mirroring rules is replicated and sent to the attached mirroring deployment group. For more information about how to create and manage mirroring endpoint group associations, see Create and manage mirroring endpoint group associations.

Identity and Access Management roles

Identity and Access Management (IAM) roles govern the following actions for managing the mirroring endpoint groups:

  • Creating a mirroring endpoint group in a project
  • Modifying or deleting a mirroring endpoint group
  • Viewing details about a mirroring endpoint group
  • Viewing all the mirroring endpoint groups configured in a project

The following table describes the roles that are necessary for each step.

Ability: Create a new mirroring endpoint group
  Necessary role: Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) on the project where the mirroring endpoint group is created.

Ability: Modify an existing mirroring endpoint group
  Necessary role: Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) on the project.

Ability: View details about the mirroring endpoint group in a project
  Necessary role: Any of the following roles for the project:
    • Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin)
    • Mirroring Endpoint Viewer role (roles/networksecurity.mirroringEndpointViewer)

Ability: View all the mirroring endpoint groups in a project
  Necessary role: Any of the following roles for the project:
    • Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin)
    • Mirroring Endpoint Viewer role (roles/networksecurity.mirroringEndpointViewer)

IAM roles govern the following actions for the mirroring endpoint group associations:

  • Creating a mirroring endpoint group association in a project
  • Modifying or deleting a mirroring endpoint group association
  • Viewing details of a mirroring endpoint group association
  • Viewing all the mirroring endpoint group associations configured in a project

The following table describes the roles that are necessary for each step.

Ability: Create a mirroring endpoint group association
  Necessary role:
    • Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) on the project where the mirroring endpoint group association is created.
    • Mirroring Endpoint User role (roles/networksecurity.mirroringEndpointUser) on the project. This role grants permission to associate the VPC network (which the user administers) with the mirroring endpoint group (an organization-owned resource that is not necessarily owned by the VPC network's owner).

Ability: Modify (update or delete) the mirroring endpoint group associations
  Necessary role: Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) on the project where the VPC network exists.

Ability: View details about the mirroring endpoint group association in a project
  Necessary role: Any of the following roles:
    • Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin)
    • Mirroring Endpoint Viewer role (roles/networksecurity.mirroringEndpointViewer)

Ability: View all of the mirroring endpoint group associations in a project
  Necessary role: Any of the following roles:
    • Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin)
    • Mirroring Endpoint Viewer role (roles/networksecurity.mirroringEndpointViewer)

Quotas

To view quotas associated with mirroring endpoint groups, see Quotas and limits.

What's next