An endpoint group is a consumer resource that references a producer deployment group. This page provides a detailed overview of mirroring endpoint groups and their capabilities.
Mirroring endpoint groups
We recommend that you create the mirroring endpoint group in a project
owned by your security administrator. To create the
mirroring endpoint group associations,
the security administrator must assign the Mirroring Endpoint Admin
(roles/networksecurity.mirroringAdmin
) and Mirroring Endpoint Network Admin
(roles/networksecurity.mirroringEndpointNetworkAdmin
) roles to the project
or to the network administrator.
For more information about mirroring endpoint group association, see Mirroring endpoint group association.
Specifications
- A mirroring endpoint group is a project-level resource created at the global level.
- Network Security Integration uses Packet Mirroring technology to mirror the traffic from the Google Cloud workloads in a Virtual Private Cloud (VPC) network to the mirroring endpoint groups.
- The security profile redirects the workload traffic in a VPC network to the mirroring endpoint group only if the mirroring rules are configured to be applied to this flow and the network is associated with the mirroring endpoint group.
- The mirroring rules add a VPC network identifier to each packet redirected to the mirroring endpoint groups for the deep packet inspection. If you have multiple VPC networks with overlapping IP address ranges, this network identifier helps to ensure that each redirected packet is correctly associated with its VPC network.
- You can create a mirroring endpoint group globally and associate it with one or more VPC networks to monitor workloads. You use mirroring endpoint group association to attach a mirroring endpoint group to a VPC network.
- You can delete a mirroring endpoint group only when there are no VPC networks associated with it.
Mirroring endpoint group associations
Mirroring endpoint group association is a project-level resource. Mirroring endpoint group association links mirroring endpoint groups to a VPC network to make their traffic eligible for inspection. After a mirroring endpoint group is associated, any traffic matching mirroring rules is replicated and sent to the attached mirroring deployment group. For more information about how to create and manage mirroring endpoint group associations, see Create and manage mirroring endpoint group associations.
Identity and Access Management roles
Identity and Access Management (IAM) roles govern the following actions for managing the mirroring endpoint groups:
- Creating a mirroring endpoint group in a project
- Modifying or deleting a mirroring endpoint group
- Viewing details about a mirroring endpoint group
- Viewing all the mirroring endpoint groups configured in a project
The following table describes the roles that are necessary for each step.
Ability | Necessary role |
---|---|
Create a new mirroring endpoint group | Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin )
on the project where the mirroring endpoint group is created. |
Modify an existing mirroring endpoint group | Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin ) on the project. |
View details about the mirroring endpoint group in a project | Any of the following roles for the project:
|
View all the mirroring endpoint groups in a project | Any of the following roles for the project:
|
IAM roles govern the following actions for the mirroring endpoint group associations:
- Creating a mirroring endpoint group association in a project
- Modifying or deleting a mirroring endpoint group association
- Viewing details of a mirroring endpoint group association
- Viewing all the mirroring endpoint group associations configured in a project
The following table describes the roles that are necessary for each step.
Ability | Necessary role |
---|---|
Create a mirroring endpoint group association |
Mirroring Endpoint Admin role ( Mirroring Endpoint User role ( |
Modify (update or delete) the mirroring endpoint group associations | Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin )
on the project where the VPC network exists.
|
View details about the mirroring endpoint group association in a project | Any of the following roles:
|
View all of the mirroring endpoint group associations in a project | Any of the following roles:
|
Quotas
To view quotas associated with mirroring endpoint groups, see Quotas and limits.
What's next
- Network Security Integration overview
- Out-of-band integration overview
- Monitor out-of-band integration