Create a mirroring endpoint group association to attach a mirroring endpoint group to a Virtual Private Cloud (VPC) network. You can create a mirroring endpoint group globally and associate it with one or more VPC networks to monitor workloads.
This page explains how to create and manage mirroring endpoint group associations by using the Google Cloud CLI.
Before you begin
You need a VPC network and a subnet.
You must enable the Compute Engine API in your Google Cloud project.
You must enable the Network Security API in your Google Cloud project.
Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
You must have a mirroring endpoint group.
Roles
To get the permissions that you need to create, view, or delete mirroring endpoint group associations, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.
To check the progress of the operations listed on this page, make sure that your user has the Mirroring Endpoint Admin role (roles/networksecurity.mirroringAdmin) or the Mirroring Endpoint Network Admin role (roles/networksecurity.mirroringEndpointNetworkAdmin), which grant the following permissions:
networksecurity.mirroringEndpointGroupAssociations.create
networksecurity.mirroringEndpointGroupAssociations.delete
networksecurity.mirroringEndpointGroupAssociations.update
networksecurity.mirroringEndpointGroupAssociations.get
networksecurity.mirroringEndpointGroupAssociations.list
Quotas
To view quotas associated with mirroring endpoint group associations, see Quotas and limits.
Create mirroring endpoint group associations
You can associate one or more VPC networks with a specific mirroring endpoint group in the same zone.
In Create and manage mirroring endpoint groups, you created a mirroring endpoint group, which is where mirrored traffic is inspected. However, you still need to specify which VPC networks' traffic can be mirrored to it. To do this, you create a project-level mirroring endpoint group association.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your project.
Permissions
networksecurity.mirroringEndpointGroupAssociations.create
networksecurity.mirroringEndpointGroupAssociations.update
networksecurity.mirroringEndpointGroupAssociations.delete
networksecurity.mirroringEndpointGroupAssociations.get
networksecurity.mirroringEndpointGroupAssociations.list
Roles
networksecurity.mirroringAdmin
networksecurity.mirroringEndpointNetworkAdmin
To create a mirroring endpoint group association, use the gcloud beta network-security mirroring-endpoint-group-associations create command:
gcloud beta network-security mirroring-endpoint-group-associations \
    create ENDPOINT_GROUP_ASSOCIATION \
    --location global \
    --project PROJECT_NAME \
    --network NETWORK \
    --mirroring-endpoint-group ENDPOINT_GROUP \
    --no-async
Replace the following:
ENDPOINT_GROUP_ASSOCIATION: the name of the mirroring endpoint group association.
PROJECT_NAME: the Google Cloud project name of the network.
NETWORK: the name of the network.
ENDPOINT_GROUP: the name of the mirroring endpoint group.
View mirroring endpoint associations
You can view the details of a specific mirroring endpoint group association in a zone.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your project.
Permissions
networksecurity.mirroringEndpointGroupAssociations.get
Roles
networksecurity.mirroringEndpointAdmin
networksecurity.mirroringEndpointNetworkAdmin
networksecurity.mirroringEndpointViewer
To view a mirroring endpoint group association, use the gcloud beta network-security mirroring-endpoint-group-associations describe command:
gcloud beta network-security mirroring-endpoint-group-associations \
    describe ENDPOINT_GROUP_ASSOCIATION \
    --location global \
    --project PROJECT_NAME
Replace the following:
ENDPOINT_GROUP_ASSOCIATION: the name of the mirroring endpoint group association.
PROJECT_NAME: the project name of the mirroring endpoint group association.
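The create and describe commands above combine naturally into an idempotent check: create an association for a network only when describing it shows that none exists yet. The following script is an added example, not part of the Google Cloud documentation; it assumes an installed, authenticated gcloud CLI, and the project, endpoint group and network names are placeholders you supply, with the association name derived from the network name by an assumed convention.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: make sure that each VPC
# network passed on the command line is associated with one mirroring endpoint
# group, running the page's create command only when the page's describe command
# reports that no such association exists. Assumes an installed, authenticated
# gcloud CLI; PROJECT_NAME, ENDPOINT_GROUP and the network names are placeholders.

# Derive the association name from the network name (assumed naming convention).
assoc_name() {
    printf 'mirror-assoc-%s\n' "$1"
}

# Return 0 when an association for the network exists in the project, 1 otherwise.
assoc_exists() {
    gcloud beta network-security mirroring-endpoint-group-associations describe \
        "$(assoc_name "$2")" --location global --project "$1" >/dev/null 2>&1
}

# Print "exists", "created" or "failed" for the network; --no-async makes the
# create call block until the operation finishes instead of returning at once.
ensure_assoc() {
    project=$1; network=$2; endpoint_group=$3
    if assoc_exists "$project" "$network"; then
        echo exists
        return 0
    fi
    if gcloud beta network-security mirroring-endpoint-group-associations create \
            "$(assoc_name "$network")" \
            --location global \
            --project "$project" \
            --network "$network" \
            --mirroring-endpoint-group "$endpoint_group" \
            --no-async >/dev/null 2>&1; then
        echo created
    else
        echo failed
        return 1
    fi
}

# Usage: sh ensure-assoc.sh PROJECT_NAME ENDPOINT_GROUP NETWORK [NETWORK ...]
if [ "$#" -ge 3 ]; then
    project=$1; endpoint_group=$2; shift 2
    for net in "$@"; do
        printf '%s: %s\n' "$net" "$(ensure_assoc "$project" "$net" "$endpoint_group")"
    done
fi
```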
List mirroring endpoint group associations
You can list the mirroring endpoint group associations for a network, a project, or a mirroring endpoint group.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your project.
Permissions
networksecurity.mirroringEndpointGroupAssociations.list
Roles
networksecurity.mirroringEndpointAdmin
networksecurity.mirroringEndpointNetworkAdmin
networksecurity.mirroringEndpointViewer
To list the mirroring endpoint group associations in a project, use the gcloud beta network-security mirroring-endpoint-group-associations list command:
gcloud beta network-security mirroring-endpoint-group-associations list \
    --project PROJECT_NAME \
    --network NETWORK
Replace the following:
PROJECT_NAME: the project name of the mirroring endpoint group association.
NETWORK: the name of the VPC network.
Delete a mirroring endpoint group association
You can delete a mirroring endpoint group association for a specific VPC network.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your project.
Permissions
networksecurity.mirroringEndpointGroupAssociations.delete
Roles
networksecurity.mirroringEndpointAdmin
networksecurity.mirroringEndpointNetworkAdmin
To delete a mirroring endpoint group association, use the gcloud beta network-security mirroring-endpoint-group-associations delete command:
gcloud beta network-security mirroring-endpoint-group-associations \
    delete ENDPOINT_GROUP_ASSOCIATION \
    --location global \
    --project PROJECT_NAME \
    --no-async
Replace the following:
ENDPOINT_GROUP_ASSOCIATION: the name of the mirroring endpoint group association.
PROJECT_NAME: the project name of the mirroring endpoint group association.
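Because an association is what allows a network's traffic to be copied to the endpoint group, the list and delete commands above are also the tools for auditing that only the intended networks are mirrored. The following script is an added example, not part of the Google Cloud documentation; it assumes an authenticated gcloud CLI, that each association resource has a name field which gcloud's standard --format=value(name) can print, and that the placeholder allowlist names the associations you expect.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: audit the mirroring
# endpoint group associations that exist for a VPC network and report (or, with
# --delete, remove) any whose name is not on an allowlist, so that only the
# intended networks have their traffic copied to the endpoint group. Assumes an
# authenticated gcloud CLI and that each association has a `name` field that
# gcloud's standard --format=value(name) can print; names here are placeholders.

# Print one association name per line for the network (page's list command);
# the resource name is assumed to end in the short association name.
list_assoc_names() {
    gcloud beta network-security mirroring-endpoint-group-associations list \
        --project "$1" --network "$2" --format='value(name)' |
    while read -r full; do
        basename "$full"
    done
}

# Read association names from stdin and print those absent from the
# space-separated allowlist in $1.
unexpected_assocs() {
    allowed=" $1 "
    while read -r name; do
        case "$allowed" in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Delete one association synchronously (page's delete command).
delete_assoc() {
    gcloud beta network-security mirroring-endpoint-group-associations delete \
        "$2" --location global --project "$1" --no-async
}

# Usage: sh audit-assocs.sh PROJECT_NAME NETWORK "allowed-assoc-1 allowed-assoc-2" [--delete]
if [ "$#" -ge 3 ]; then
    project=$1; network=$2; allowlist=$3
    list_assoc_names "$project" "$network" | unexpected_assocs "$allowlist" |
    while read -r name; do
        if [ "$4" = "--delete" ]; then
            delete_assoc "$project" "$name"
        else
            echo "unexpected association: $name"
        fi
    done
fi
```

Run it without --delete first and review the reported names; an association you did not create is a sign that another principal with the create permission listed above has attached the network to the endpoint group.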
What's next
- Mirroring endpoint groups overview
- Create and manage mirroring endpoint groups
- Out-of-band integration overview