Stay organized with collections
Save and categorize content based on your preferences.
Mirroring deployment lets you expose a zonal set of load balanced
appliances so that mirroring deployment can be used by the
mirroring endpoint groups.
This page explains how to create and manage
mirroring deployment
using the Google Cloud CLI.
To check the progress of the operations listed on this page,
make sure that your user role has the following
Mirroring Deployment Admin role
(roles/networksecurity.mirroringDeploymentAdmin) permissions:
networksecurity.mirroringDeployments.create
networksecurity.mirroringDeployments.delete
networksecurity.mirroringDeployments.get
networksecurity.mirroringDeployments.list
Create a mirroring deployment
Create a mirroring deployment to represent the producer side within a zone
and associate it with the mirroring deployment group.
Permissions required for this task
To perform this task, you must have been granted the following permissions
or one of the following IAM roles on your organization.
gcloud network-security mirroring-deployments list \
--location ZONE \
--project PROJECT
Replace the following:
ZONE: the zone of the mirroring
deployment
PROJECT: the name of your mirroring deployment project
Delete a mirroring deployment
You can delete a mirroring deployment by specifying its name,
location, and project. However, if a mirroring deployment is referenced by a
mirroring deployment group, then it cannot be deleted.
Permissions required for this task
To perform this task, you must have been granted the following permissions
or one of the following IAM roles on your organization.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Create and manage mirroring deployments\n\nMirroring deployment lets you expose a zonal set of load balanced\nappliances so that mirroring deployment can be used by the\n[mirroring endpoint groups](/network-security-integration/docs/out-of-band/endpoint-groups-overview).\n\nThis page explains how to create and manage\n[mirroring deployment](/network-security-integration/docs/out-of-band/deployments-overview)\nusing the Google Cloud CLI.\n\nBefore you begin\n----------------\n\n- You must [enable](https://console.cloud.google.com/apis/library/networksecurity.googleapis.com) the [Network Security API](/network-security-integration/docs/reference/rest) in your project.\n- Install the [gcloud CLI](/sdk/docs) if you want to run the `gcloud` command-line examples in this guide.\n- You have a [mirroring deployment group](/network-security-integration/docs/out-of-band/configure-deployment-groups).\n- You have a forwarding rule to direct network traffic to an internal load balancer. For more information, see [Set up producer services](/network-security-integration/docs/out-of-band/configure-producer-service).\n\n### Roles\n\nTo get the permissions that you need to create, view, or delete\nmirroring deployments, ask your administrator to grant you the necessary\n[Identity and Access Management (IAM) roles](/network-security-integration/docs/out-of-band/deployments-overview#iam-roles)\non your project. For more information about granting roles, see\n[Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\nTo check the progress of the operations listed on this page,\nmake sure that your user role has the following\n[Mirroring Deployment Admin role](/iam/docs/understanding-roles#networksecurity.mirroringDeploymentAdmin)\n(`roles/networksecurity.mirroringDeploymentAdmin`) permissions:\n\n- `networksecurity.mirroringDeployments.create`\n- `networksecurity.mirroringDeployments.delete`\n- `networksecurity.mirroringDeployments.get`\n- `networksecurity.mirroringDeployments.list`\n\nCreate a mirroring deployment\n-----------------------------\n\nCreate a mirroring deployment to represent the producer side within a zone\nand associate it with the mirroring deployment group.\n\n#### Permissions required for this task\n\nTo perform this task, you must have been granted the following permissions\n*or* one of the following IAM roles on your organization.\n\n**Permissions**\n\n- `networksecurity.mirroringDeployments.create`\n\n**Roles**\n\n- `networksecurity.mirroringDeploymentAdmin` \n\n### gcloud\n\nTo create a mirroring deployment, use the\n[`gcloud network-security mirroring-deployments create` command](/sdk/gcloud/reference/network-security/mirroring-deployments/create): \n\n```\n gcloud network-security mirroring-deployments \\\n create DEPLOYMENT \\\n --location ZONE \\\n --forwarding-rule FWD_RULE \\\n --forwarding-rule-location REGION \\\n --mirroring-deployment-group DEPLOYMENT_GROUP_ID \\\n --no-async\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eDEPLOYMENT\u003c/var\u003e: the name of the mirroring deployment;\n you can specify the name as a string or as a unique URL identifier.\n\n- \u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e: the zone of the mirroring deployment\n\n- \u003cvar translate=\"no\"\u003eFWD_RULE\u003c/var\u003e:the forwarding rule to direct network traffic\n to a load balance\n\n- \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e: the region of the forwarding rule\n\n- \u003cvar translate=\"no\"\u003eDEPLOYMENT_GROUP_ID\u003c/var\u003e: the ID of the mirroring deployment\n group\n\n### Terraform\n\nTo create a mirroring deployment, you can use a [`google_network_security_mirroring_deployment` resource](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/network_security_mirroring_deployment). \n\n resource \"google_network_security_mirroring_deployment\" \"default\" {\n mirroring_deployment_id = \"mirroring-deployment\"\n location = \"us-central1-a\"\n forwarding_rule = google_compute_forwarding_rule.default.id\n mirroring_deployment_group = google_network_security_mirroring_deployment_group.default.id\n }\n\nTo learn how to apply or remove a Terraform configuration, see\n[Basic Terraform commands](/docs/terraform/basic-commands).\n\nView mirroring deployment\n-------------------------\n\nYou can view the details of a specific mirroring deployment in a project.\n\n#### Permissions required for this task\n\nTo perform this task, you must have been granted the following permissions\n*or* one of the following IAM roles on your project.\n\n**Permissions**\n\n- `networksecurity.mirroringDeployments.get`\n\n**Roles**\n\n- `networksecurity.mirroringDeploymentAdmin`\n- `networksecurity.mirroringDeploymentViewer` \n\n### gcloud\n\nTo view details of a mirroring deployment, use the\n[`gcloud network-security mirroring-deployments describe` command](/sdk/gcloud/reference/network-security/mirroring-deployments/describe): \n\n```\ngcloud network-security mirroring-deployments \\\n describe DEPLOYMENT \\\n --location ZONE \\\n --project PROJECT\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eDEPLOYMENT\u003c/var\u003e: the name of the mirroring deployment\n\n- \u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e: the zone of the mirroring deployment\n\n- \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e: the project name of the mirroring deployment\n\nList mirroring deployments\n--------------------------\n\nYou can list all the mirroring deployments in a project.\n\n#### Permissions required for this task\n\nTo perform this task, you must have been granted the following permissions\n*or* one of the following IAM roles on your organization.\n\n**Permissions**\n\n- `networksecurity.mirroringDeployments.list`\n\n**Roles**\n\n- `networksecurity.mirroringDeploymentAdmin`\n- `networksecurity.mirroringDeploymentViewer` \n\n### gcloud\n\nTo list mirroring deployments, use the\n[`gcloud network-security mirroring-deployments list` command](/sdk/gcloud/reference/network-security/mirroring-deployments/list): \n\n```\n gcloud network-security mirroring-deployments list \\\n --location ZONE \\\n --project PROJECT\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e: the zone of the mirroring\n deployment\n\n- \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e: the name of your mirroring deployment project\n\nDelete a mirroring deployment\n-----------------------------\n\nYou can delete a mirroring deployment by specifying its name,\nlocation, and project. However, if a mirroring deployment is referenced by a\nmirroring deployment group, then it cannot be deleted.\n\n#### Permissions required for this task\n\nTo perform this task, you must have been granted the following permissions\n*or* one of the following IAM roles on your organization.\n\n**Permissions**\n\n- `networksecurity.mirroringDeployments.delete`\n\n**Roles**\n\n- `networksecurity.mirroringDeploymentAdmin` \n\n### gcloud\n\nTo delete a mirroring deployment, use the\n[`gcloud network-security mirroring-deployments delete` command](/sdk/gcloud/reference/network-security/mirroring-deployments/delete): \n\n```\n gcloud network-security mirroring-deployments \\\n delete DEPLOYMENT \\\n --location ZONE \\\n --project PROJECT \\\n --no-async\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eDEPLOYMENT\u003c/var\u003e: the name of the mirroring deployment\n\n- \u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e: the zone of the mirroring deployment\n\n- \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e: the project name of the mirroring deployment\n\nWhat's next\n-----------\n\n- [Mirroring deployment groups overview](/network-security-integration/docs/out-of-band/deployment-groups-overview)\n- [Create and manage mirroring deployment groups](/network-security-integration/docs/out-of-band/configure-deployment-groups)"]]
