This page explains how to configure and manage the mirroring endpoint groups in the consumer's account to represent the producer's mirroring deployment groups.
We recommend that you create the mirroring endpoint group in a project owned by your security administrator.
To create the mirroring endpoint group associations, the security administrator must assign the Mirroring Endpoint Admin (roles/networksecurity.mirroringAdmin) and Mirroring Endpoint Network Admin (roles/networksecurity.mirroringEndpointNetworkAdmin) roles to the project or to the network administrator.
If you have enabled the mirroring rule action as MIRROR in the firewall policy associated with your Virtual Private Cloud (VPC) network, and created the mirroring endpoint group associations, the mirrored traffic is forwarded to the mirroring endpoint group.
Before you begin
You must enable the Compute Engine API in your Google Cloud project.
You must enable the Network Security API in the Google Cloud project that you want to use for billing.
Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
You must have a mirroring deployment group.
Roles
To get the permissions that you need to create, view, or delete mirroring endpoint groups, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your Google Cloud project. For more information about granting roles, see Manage access to projects, folders, and organizations.
To check the progress of the operations listed on this page, make sure that your user role has the Mirroring Endpoint Admin (roles/networksecurity.mirroringEndpointAdmin) and Mirroring Deployment User (roles/networksecurity.mirroringDeploymentUser) roles and permissions.
The Mirroring Deployment User role (roles/networksecurity.mirroringDeploymentUser) is required on the producer project so that you can connect the consumer's mirroring endpoint group to the producer's mirroring deployment group.
Quotas
To view quotas associated with mirroring endpoint groups, see Quotas and limits.
Create a mirroring endpoint group
Create a mirroring endpoint group in a specific zone.
Console
In the Google Cloud console, go to the Endpoint groups page.
Click Create endpoint group.
For Name, enter a name for the mirroring endpoint group.
For Deployment group, select any one of the following:
Select project: select if you know the project name where the mirroring deployment group exists.
If you select this option, select the name of the project.
Select current project: select if the mirroring deployment group exists in the current project.
If you select this option, specify the name of the mirroring deployment group.
Manually enter deployment group: select if the mirroring deployment group exists in a different project.
If you select this option, specify the project ID and the name of the mirroring deployment group.
Click Continue.
Optional: Click Add endpoint group association.
Specify the name of the project and the name of the VPC network that hosts the mirroring endpoint group, and then click Done.
Click Create.
gcloud
To create a mirroring endpoint group, use the
gcloud network-security mirroring-endpoint-groups create command:
gcloud network-security mirroring-endpoint-groups create ENDPOINT_GROUP \
--location global \
--project PROJECT_NAME \
--mirroring-deployment-group DEPLOYMENT_GROUP \
--no-async
Replace the following:
ENDPOINT_GROUP: the name of the mirroring endpoint group
PROJECT_NAME: the project name where you want to create the mirroring endpoint group
DEPLOYMENT_GROUP: the name of the mirroring deployment group
To associate the mirroring endpoint group to a VPC network, see Create and manage mirroring endpoint group associations.
Terraform
To create a mirroring endpoint group, you can use a google_network_security_mirroring_endpoint_group resource.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
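The following Terraform configuration is an added example, not taken from this page or from the provider's own documentation. It creates a consumer-side mirroring endpoint group that points at a deployment group owned by a producer project; the variable names are invented, and the resource argument names and the deployment group resource-name format are assumptions to verify against your provider version before applying.

```hcl
# Added example: consumer-side mirroring endpoint group bound to a
# producer's mirroring deployment group. Argument names are assumed from
# the google provider schema; confirm them for your provider version.

variable "consumer_project" {
  description = "Consumer project that owns the mirroring endpoint group (assumed name)"
  type        = string
}

variable "producer_project" {
  description = "Producer project that owns the mirroring deployment group (assumed name)"
  type        = string
}

variable "deployment_group" {
  description = "Name of the producer's mirroring deployment group (assumed name)"
  type        = string
}

# Endpoint groups are global resources. The deployment group lives in the
# producer project and is referenced by its full resource name, which is
# assumed here to follow projects/<project>/locations/global/mirroringDeploymentGroups/<name>.
resource "google_network_security_mirroring_endpoint_group" "consumer" {
  project                     = var.consumer_project
  mirroring_endpoint_group_id = "consumer-mirroring-eg"
  location                    = "global"
  mirroring_deployment_group  = "projects/${var.producer_project}/locations/global/mirroringDeploymentGroups/${var.deployment_group}"

  # Labels make it easy to filter endpoint groups by owning team later.
  labels = {
    owner = "security-admin"
  }
}

# Exposes the created resource name so a separate association configuration
# (see the associations page linked under "What's next") can reference it.
output "endpoint_group_name" {
  value = google_network_security_mirroring_endpoint_group.consumer.name
}
```

The identity that runs terraform apply needs the Mirroring Deployment User role on the producer project, as described under Roles, or the cross-project reference is rejected.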
View a mirroring endpoint group
You can view the details of a specific mirroring endpoint group.
Console
In the Google Cloud console, go to the Endpoint groups page.
Click the name of the mirroring endpoint group.
gcloud
To view details of a mirroring endpoint group, use the
gcloud network-security mirroring-endpoint-groups describe command:
gcloud network-security mirroring-endpoint-groups \
describe ENDPOINT_GROUP \
--location global
Replace ENDPOINT_GROUP with the name of the mirroring endpoint group.
List mirroring endpoint groups
You can list all the mirroring endpoint groups in a project.
Console
To see all mirroring endpoint groups of the project, complete the following steps:
In the Google Cloud console, go to the Endpoint groups page.
To list the mirroring endpoint groups, click Filter.
From the Properties list, select Purpose and then for Value, select NSI out-of-band.
gcloud
To list all mirroring endpoint groups, use the
gcloud network-security mirroring-endpoint-groups list command:
gcloud network-security mirroring-endpoint-groups list \
--project PROJECT_NAME \
--location global
Replace PROJECT_NAME with the name of the project where the mirroring endpoint group was created.
Delete a mirroring endpoint group
You can delete a mirroring endpoint group by specifying its name, location, and project.
Console
In the Google Cloud console, go to the Endpoint groups page.
Select the checkbox of the mirroring endpoint group and click Delete.
Click Delete again to confirm.
gcloud
To delete a mirroring endpoint group, use the
gcloud network-security mirroring-endpoint-groups delete command:
gcloud network-security mirroring-endpoint-groups delete ENDPOINT_GROUP \
--project PROJECT_NAME \
--location global \
--no-async
Replace the following:
ENDPOINT_GROUP: the name of the mirroring endpoint group.
PROJECT_NAME: the project name where the mirroring endpoint group was created.
What's next
- Mirroring endpoint groups overview
- Out-of-band integration overview
- Create and manage mirroring endpoint group associations