# Set up consumer services

To enable a consumer service in your network, you must set up the following
consumer components:

- Security profiles and security profile groups
- Mirroring endpoint groups
- Mirroring rules
- Firewall policies

This document provides a high-level workflow that describes how to configure
these consumer components.

Before you begin
----------------

- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page,
  select or create a Google Cloud project.

  **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

  [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
- [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).
- Enable the Compute Engine and Network Security APIs.

  [Enable the APIs](<https://console.cloud.google.com/flows/enableapi?apiid=compute.googleapis.com, networksecurity.googleapis.com>)

1. Make sure that you have the following Identity and Access Management (IAM) roles and permissions:
   - For security profile groups and security profiles, the Compute Network Admin role (`roles/compute.networkAdmin`) on the organization.
   - To create new consumer-side networks, the [Compute Network Admin role](/compute/docs/access/iam#compute.networkAdmin) (`roles/compute.networkAdmin`) on the project you're working with.
   - For mirroring resources, the Mirroring Endpoint Admin role (`roles/networksecurity.mirroringEndpointAdmin`) on your project.
2. Install the Google Cloud CLI. For conceptual and installation information about the tool, see [gcloud CLI overview](/sdk/gcloud).

   **Note:** If you haven't run the Google Cloud CLI previously, initialize
   your gcloud CLI directory by running the
   [`gcloud init` command](/sdk/gcloud/reference/init).
3. Make sure the producer you are connecting to has granted you the Mirroring Deployment User role (`roles/networksecurity.mirroringDeploymentUser`) on the producer's project.

Configure consumer services
---------------------------

To configure a consumer service in your network, do the following:

1. Create a [mirroring endpoint group](/network-security-integration/docs/out-of-band/endpoint-groups-overview)
   that directly corresponds to the producer's mirroring deployment group.
   For more information, see
   [Create and manage mirroring endpoint groups](/network-security-integration/docs/out-of-band/configure-endpoint-groups).

2. Associate the mirroring endpoint group with one or more
   Virtual Private Cloud (VPC) networks. For more information, see
   [Create mirroring endpoint group associations](/network-security-integration/docs/out-of-band/configure-mirroring-endpoint-group-associations).

   After you configure the endpoint group and the endpoint group association,
   your network is ready for traffic mirroring. However, mirroring only
   begins when the mirroring rules match the traffic.
   Traffic from the associated VPC network in a specific zone
   is mirrored and routed to the mirroring deployment group in the producer
   network. If no mirroring deployment exists in a specific zone on the
   producer side, then the VPC network traffic in that
   mirroring deployment zone is not mirrored on the consumer side.

3. Create one or more custom
   [security profiles](/network-security-integration/docs/security-profiles-overview)
   of type `custom mirroring`. You add the mirroring endpoint group created in
   the previous step to this security profile. For more information about
   how to create a custom security profile, see
   [Create a custom security profile](/network-security-integration/docs/out-of-band/configure-custom-security-profiles#create-custom-security-profile).

4. Create a [custom security profile group](/network-security-integration/docs/security-profile-groups-overview)
   with the security profile created in the previous step.
   For more information, see
   [Create and manage security profile groups](/network-security-integration/docs/configure-security-profile-groups).

5. Create a network firewall policy and mirroring rules to select the
   traffic that needs to be mirrored for network traffic inspection by the
   producer service. These mirroring rules refer to the security profile group
   that you created in the previous step. For more information, see
   [Create and manage mirroring rules](/network-security-integration/docs/out-of-band/create-manage-mirroring-rules).

6. Associate the network firewall policy with your VPC network.
   For more information, see
   [Associate a policy with the network](/firewall/docs/use-network-firewall-policies#associate).

What's next
-----------

- [Monitor out-of-band integration](/network-security-integration/docs/out-of-band/monitor-out-of-band-integration)

Last updated 2025-09-04 UTC.
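
The zone caveat under "Configure consumer services" means a workload in an associated VPC network can go uninspected if the producer has no mirroring deployment in its zone. The following check is an added example, not part of the original page or of Google's tooling: it compares a consumer instance inventory against the producer's deployment zones and reports the gaps. The sample data is constructed, and the field shapes, the zonal deployment name layout, and the function names are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample inventory (not real resources). Field shapes are assumptions
# modelled on `gcloud compute instances list --format=json`.
INSTANCES = json.loads("""[
 {"name": "web-1", "zone": "projects/c/zones/us-central1-a",
  "networkInterfaces": [{"network": "projects/c/global/networks/prod-vpc"}]},
 {"name": "web-2", "zone": "projects/c/zones/us-central1-b",
  "networkInterfaces": [{"network": "projects/c/global/networks/prod-vpc"}]},
 {"name": "gw-1", "zone": "projects/c/zones/us-central1-b",
  "networkInterfaces": [{"network": "projects/c/global/networks/dev-vpc"},
                        {"network": "projects/c/global/networks/prod-vpc"}]},
 {"name": "batch-1", "zone": "projects/c/zones/us-central1-f",
  "networkInterfaces": [{"network": "projects/c/global/networks/dev-vpc"}]}
]""")
# Constructed producer-side deployment names; the zonal name layout is an assumption.
DEPLOYMENTS = [
    "projects/p/locations/us-central1-a/mirroringDeployments/ids-a",
    "projects/p/locations/us-central1-c/mirroringDeployments/ids-c",
]

def last_segment(path):
    """Return the final path component of a resource URL or relative name."""
    return path.rstrip("/").rsplit("/", 1)[-1]

def deployment_zones(deployment_names):
    """Extract the zone from each projects/<p>/locations/<zone>/... name."""
    zones = set()
    for name in deployment_names:
        parts = name.split("/")
        if "locations" not in parts or parts.index("locations") + 1 >= len(parts):
            raise ValueError(f"unexpected deployment name: {name}")
        zones.add(parts[parts.index("locations") + 1])
    return zones

def mirroring_blind_spots(instances, deployment_names, associated_networks):
    """Map each uncovered zone to the instances on an associated network in it."""
    covered = deployment_zones(deployment_names)
    gaps = defaultdict(list)
    for inst in instances:
        nets = {last_segment(nic["network"]) for nic in inst.get("networkInterfaces", [])}
        zone = last_segment(inst["zone"])
        # Only instances attached to an associated VPC network are expected to be mirrored.
        if nets & set(associated_networks) and zone not in covered:
            gaps[zone].append(inst["name"])
    return {zone: sorted(names) for zone, names in sorted(gaps.items())}

if __name__ == "__main__":
    print(mirroring_blind_spots(INSTANCES, DEPLOYMENTS, {"prod-vpc"}))
```

An empty result means every zone that hosts a workload on an associated network has a producer deployment; any listed zone is one where matching mirroring rules will not produce mirrored traffic.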