Stay organized with collections
Save and categorize content based on your preferences.
A mirroring deployment group is a collection of
mirroring deployments
that are set up across multiple zones. This collection represents a producer's
mirroring service that the consumers can connect to.
A mirroring deployment group is identified by a unique URL identifier.
This URL is used in the
mirroring endpoint group
to identify the producer mirroring service where the mirrored packets
are sent for deep packet inspection.
This document provides a detailed overview of the mirroring deployment
groups and their capabilities.
Specifications
A mirroring deployment group is a global project-level resource.
Each mirroring deployment group is uniquely identified by a URL with
the following elements:
Project ID: ID of the project.
Location: scope of the mirroring deployment group. Location is always
set to global.
Name: mirroring deployment group name in the following format:
A string 1-63 characters long
Includes only lowercase alphanumeric characters or hyphens (-)
Must start with a letter
To construct a unique URL identifier for a mirroring deployment group,
use the following format:
You can use a single mirroring deployment group to inspect the mirrored
traffic from multiple Virtual Private Cloud (VPC) instances across different
projects and accounts.
If the deployment group doesn't have a deployment in a specific zone,
then, on the consumer side, the packets in that zone are not mirrored.
To delete a deployment group, you must delete all the deployments
in that deployment group.
Identity and Access Management roles
Identity and Access Management (IAM) roles govern the following actions for managing the
mirroring deployment groups:
Creating a mirroring deployment group in a project
Modifying or deleting a mirroring deployment group
Viewing details about a mirroring deployment group
Viewing all the mirroring deployment groups configured in your project
The following table describes the roles that are necessary for each step.
Ability
Necessary role
Create a new mirroring deployment group
Mirroring Deployment Admin role (networksecurity.mirroringDeploymentAdmin)
on the project where the mirroring deployment group is created.
Modify an existing mirroring deployment group
Mirroring Deployment Admin role (networksecurity.mirroringDeploymentAdmin)
on the project where the mirroring deployment group is created.
View details about the mirroring deployment group in a project
Any of the following roles for the project:
Mirroring Deployment Admin role (networksecurity.mirroringDeploymentAdmin)
Mirroring Deployment Viewer role (networksecurity.mirroringDeploymentViewer)
View all the mirroring deployment groups in your project
Any of the following roles for the project:
Mirroring Deployment Admin role (networksecurity.mirroringDeploymentAdmin)
Mirroring Deployment Viewer role (networksecurity.mirroringDeploymentViewer)
Delete a mirroring deployment group
Mirroring Deployment Admin role (networksecurity.mirroringDeploymentAdmin)
on the project.
Quotas
To view quotas associated with mirroring deployment groups, see
Quotas and limits.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Mirroring deployment groups overview\n\nA *mirroring deployment group* is a collection of\n[mirroring deployments](/network-security-integration/docs/out-of-band/deployments-overview)\nthat are set up across multiple zones. This collection represents a producer's\nmirroring service that the consumers can connect to.\n\nA mirroring deployment group is identified by a unique URL identifier.\nThis URL is used in the\n[mirroring endpoint group](/network-security-integration/docs/out-of-band/endpoint-groups-overview)\nto identify the producer mirroring service where the mirrored packets\nare sent for deep packet inspection.\n\nThis document provides a detailed overview of the mirroring deployment\ngroups and their capabilities.\n\nSpecifications\n--------------\n\n- A mirroring deployment group is a global project-level resource.\n\n- Each mirroring deployment group is uniquely identified by a URL with\n the following elements:\n\n - **Project ID**: ID of the project.\n - **Location** : scope of the mirroring deployment group. Location is always set to `global`.\n - **Name** : mirroring deployment group name in the following format:\n - A string 1-63 characters long\n - Includes only lowercase alphanumeric characters or hyphens (-)\n - Must start with a letter\n\n To construct a unique URL identifier for a mirroring deployment group,\n use the following format: \n\n projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/locations/global/mirroringDeploymentGroups/\u003cvar translate=\"no\"\u003eDEPLOYMENT_GROUP_ID\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: ID of the project\n\n - \u003cvar translate=\"no\"\u003eDEPLOYMENT_GROUP_ID\u003c/var\u003e: ID of the mirroring deployment\n group\n\n For example, project `2345678432` in a `global` mirroring deployment\n `example-mirroring-deployment-group` has the following unique identifier: \n\n projects/2345678432/locations/global/mirroringDeploymentGroups/example-mirroring-deployment-group\n\n\u003c!-- --\u003e\n\n- You can use a single mirroring deployment group to inspect the mirrored\n traffic from multiple Virtual Private Cloud (VPC) instances across different\n projects and accounts.\n\n- If the deployment group doesn't have a deployment in a specific zone,\n then, on the consumer side, the packets in that zone are not mirrored.\n\n- To delete a deployment group, you must delete all the deployments\n in that deployment group.\n\nIdentity and Access Management roles\n------------------------------------\n\nIdentity and Access Management (IAM) roles govern the following actions for managing the\nmirroring deployment groups:\n\n- Creating a mirroring deployment group in a project\n- Modifying or deleting a mirroring deployment group\n- Viewing details about a mirroring deployment group\n- Viewing all the mirroring deployment groups configured in your project\n\nThe following table describes the roles that are necessary for each step.\n\nQuotas\n------\n\nTo view quotas associated with mirroring deployment groups, see\n[Quotas and limits](/network-security-integration/docs/quotas).\n\nWhat's next\n-----------\n\n- [Create and manage mirroring deployments](/network-security-integration/docs/out-of-band/configure-deployments)\n- [Create and manage mirroring deployment groups](/network-security-integration/docs/out-of-band/configure-deployment-groups)\n- [Network Security Integration overview](/network-security-integration/docs/nsi-overview)\n- [Monitor out-of-band integration](/network-security-integration/docs/out-of-band/monitor-out-of-band-integration)"]]
