Set up consumer services

To enable consumer service in your network, you must set up the following consumer components:

  • Security profiles and security profile groups
  • Mirroring endpoint groups
  • Mirroring rules
  • Firewall policies

This document provides a high-level workflow that describes how to configure these consumer components.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  5. Verify that billing is enabled for your Google Cloud project.

  6. Make sure that you have the following Identity and Access Management (IAM) roles and permissions:
    • For security profile groups and security profile, the Compute Network Admin role (roles/compute.networkAdmin) on the organization.
    • For new consumer side networks creation, the Compute Network Admin role (roles/compute.networkAdmin) on the project you're working with.
    • For mirroring resources, the Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) on your project.

  7. Enable the Compute Engine and Network Security APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  8. Make sure to install the Google Cloud CLI. For the conceptual and installation information about the tool, see gcloud CLI overview.

    Note: If you haven't run the Google Cloud CLI previously, initialize your gcloud CLI directory by running the gcloud init command.

  9. Make sure the producer you are connecting to has granted you the Mirroring Deployment User role (roles/networksecurity.mirroringDeploymentUser) on the producer's project.

Configure consumer services

To configure a consumer service in your network, do the following:

  1. Create a mirroring endpoint group that directly corresponds to the producer's mirroring deployment group. For more information, see Create and manage mirroring endpoint groups.

  2. Associate the mirroring endpoint group with one or more Virtual Private Cloud (VPC) networks. For more information, see Create mirroring endpoint group associations.

    After you configure the endpoint group and the endpoint group association, your network is ready for traffic mirroring. However, mirroring only begins when the mirroring rules match the traffic. Traffic from the associated VPC network in a specific zone is mirrored and routed to the mirroring deployment group in the producer network. If no mirroring deployment exists in a specific zone on the producer side, then the VPC network traffic in that mirroring deployment zone is not mirrored on the consumer side.

  3. Create one or more custom security profiles of type custom mirroring. You add the mirroring endpoint group created in the previous step to this security profile. For more information about how to create a custom security profile, see Create a custom security profile.

  4. Create a custom security profile group with the security profile created in the previous step. For more information, see Create and manage security profile groups.

  5. Create a network firewall policy and mirroring rules to select the traffic that needs to be mirrored for network traffic inspection by the producer service. These mirroring rules refer to the security profile group that you created in the previous step. For more information, see Create and manage mirroring rules.

  6. Associate the network firewall policy with your VPC network. For more information, see Associate a policy with the network.

What's next