Create and manage mirroring endpoint group associations

Create a mirroring endpoint group association to attach a mirroring endpoint group to a Virtual Private Cloud (VPC) network. You can create a mirroring endpoint group globally and associate it with one or more VPC networks to monitor workloads.

This page explains how to create and manage mirroring endpoint group associations by using the Google Cloud CLI.

Before you begin

• You need a VPC network and a subnet.

• You must enable the Compute Engine API in your Google Cloud project.

• You must enable the Network Security API in your Google Cloud project.

• Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.

• You must have a mirroring endpoint group.

Roles

To get the permissions that you need to create, view, or delete mirroring endpoint group associations, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

To check the progress of the operations listed on this page, make sure that your user role has the following Mirroring Endpoint Admin role (roles/networksecurity.mirroringAdmin) and Mirroring Endpoint Network Admin (roles/networksecurity.mirroringEndpointNetworkAdmin) role permissions:

• networksecurity.mirroringEndpointGroupAssociations.create
• networksecurity.mirroringEndpointGroupAssociations.delete
• networksecurity.mirroringEndpointGroupAssociations.update
• networksecurity.mirroringEndpointGroupAssociations.get
• networksecurity.mirroringEndpointGroupAssociations.list

Quotas

To view quotas associated with mirroring endpoint group associations, see Quotas and limits.

Create mirroring endpoint group associations

You can associate one or more VPC networks to a specific mirroring endpoint group in the same zone.

In the create and manage mirroring endpoint group section you created a mirroring endpoint group where the network traffic inspection can happen for the mirrored traffic. However, you still need to specify which VPCs' traffic can be inspected. To do this, you create a project-level mirroring endpoint group association.

 gcloud beta network-security mirroring-endpoint-group-associations \
     create ENDPOINT_GROUP_ASSOCIATION \
     --location global \
     --project PROJECT_NAME \
     --network NETWORK \
     --mirroring-endpoint-group ENDPOINT_GROUP \
     --no-async

View mirroring endpoint associations

You can view the details of a specific mirroring endpoint group association in a zone.

 gcloud beta network-security mirroring-endpoint-group-associations \
     describe ENDPOINT_GROUP_ASSOCIATION \
     --location global \
     --project PROJECT_NAME

List mirroring endpoint group associations

You can list the mirroring endpoint group associations for a network, a project, or a mirroring endpoint group.

 gcloud beta network-security mirroring-endpoint-group-associations list \
     --project PROJECT_NAME \
     --network NETWORK

Delete a mirroring endpoint group association

You can delete a mirroring endpoint group association for a specific VPC network.

 gcloud beta network-security mirroring-endpoint-group-associations \
     delete ENDPOINT_GROUP_ASSOCIATION \
     --location global \
     --project PROJECT_NAME \
     --no-async

What's next

• Mirroring endpoint groups overview
• Out-of-band integration overview
• Create and manage mirroring endpoint group associations