Set up producer services

To offer a producer service in your network, you must set up the producer resources, such as mirroring deployment groups and mirroring deployments. This document provides a high-level workflow that describes how to configure these components.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  3. Make sure that billing is enabled for your Google Cloud project.
  4. Make sure that you have the following Identity and Access Management (IAM) roles on your project:
    • Compute Network Admin role (roles/compute.networkAdmin)
    • Mirroring Deployment Admin role (roles/networksecurity.mirroringDeploymentAdmin)
  5. Enable the Compute Engine and Network Security APIs.
  6. Make sure to install the Google Cloud CLI. For the conceptual and installation information about the tool, see gcloud CLI overview.

    Note: If you haven't run the Google Cloud CLI previously, initialize your gcloud CLI directory by running the gcloud init command.

Configure producer compute resources

To configure producer compute resources in your network, perform the following tasks:

  1. Create a Virtual Private Cloud (VPC) network that contains the producer deployment groups and deployments. For more information, see Create networks.

  2. Create an instance template and specify the machine type, boot disk image, VPC network, and other properties for your third-party appliances. You can then use the instance template to create a managed instance group. For more information, see Create instance templates.

  3. Create managed instance groups (MIGs) and deploy your third-party appliances on multiple identical VMs in a specific zone. For more information, see Create a MIG in a single zone.

  4. Create health checks to monitor whether load balancer backends respond to traffic. For more information, see Create health checks.

  5. Create the backend service with the third-party appliance instance groups that you created in the previous step.

    To create backend services with an internal passthrough Network Load Balancer, follow these steps:

    1. Create the backend service with the protocol set to UNSPECIFIED. For more information, see Configure load balancer components.

    2. Add the VM instance group to the backend service. A backend service is required to create an internal passthrough Network Load Balancer. For more information, see Add a managed instance group to a backend service.

    3. Create internal forwarding rules for the backend service to forward mirrored traffic that originates from a producer VPC network. For more information, see the gcloud compute forwarding-rules create command.

    4. Create or add a firewall rule in your network firewall policy that allows UDP traffic to your VMs on port 6081. For more information, see Create global network firewall rules.

Create an internal load balancer for Packet Mirroring

To enable Packet Mirroring, you need an internal passthrough Network Load Balancer that can serve as a packet mirroring producer. The internal passthrough Network Load Balancer must meet the following requirements:

  • Packet Mirroring must be enabled on the forwarding rule. The forwarding rule lets you handle both IPv4 and IPv6 traffic. You enable Packet Mirroring when you create the forwarding rule. You cannot change this status after the rule is created. For more information, see Create a load balancer for Packet Mirroring.
  • The internal passthrough Network Load Balancer and the instances you're mirroring are in the same region.
  • The internal passthrough Network Load Balancer's backend service uses a session affinity of NONE (5-tuple hash).
  • The backend subsetting of the internal passthrough Network Load Balancer's backend service is disabled.

If your producer instances are not set up to respond to the health check configured for your backend service, the health check might fail. However, packet mirroring continues in this scenario.

For more information about how to create an internal passthrough Network Load Balancer for Packet Mirroring, see Creating a load balancer for Packet Mirroring.
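The steps in Configure producer compute resources and the load balancer requirements listed above, expressed as one sequence of gcloud commands for a single zone. This is an added example, not a script from the Google Cloud documentation: the project, region, zone, network, subnet, firewall policy, health-check port and CIDR values are placeholders set through environment variables, the resource names are invented, and the flags follow the gcloud reference for each command. Using `--ip-protocol=UDP --ports=6081` on the collector forwarding rule is my assumption, chosen to match the UDP/6081 firewall rule the page requires. The script prints each command by default and executes it only when invoked with `apply`.

```shell
#!/bin/sh
# Added example: producer compute and load-balancer resources for Packet
# Mirroring, one zone at a time. Not Google's script; all names below are
# placeholders. Usage: sh producer-lb.sh plan   (print the commands)
#                      sh producer-lb.sh apply  (execute them)
set -eu

PROJECT="${PROJECT:-example-producer-project}"   # placeholder project ID
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"                    # rerun the script for each zone
NETWORK="${NETWORK:-producer-vpc}"               # VPC from step 1
SUBNET="${SUBNET:-producer-subnet}"
FW_POLICY="${FW_POLICY:-producer-fw-policy}"     # existing global network firewall policy
HC_PORT="${HC_PORT:-22}"                         # placeholder: a port your appliance answers on
# Only these source ranges may deliver GENEVE (UDP/6081) to the appliances.
# Keep this to the ranges that carry mirrored traffic, never 0.0.0.0/0.
GENEVE_SRC_RANGES="${GENEVE_SRC_RANGES:-10.10.0.0/16}"
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print only, 0 = execute

# run: echo the command as one line, and execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# Steps 2 and 3: instance template and a zonal MIG of identical appliances.
create_mig() {
  run gcloud compute instance-templates create "appliance-tmpl-$ZONE" \
    --project="$PROJECT" --region="$REGION" \
    --machine-type=e2-standard-4 \
    --image-family=debian-12 --image-project=debian-cloud \
    --network="$NETWORK" --subnet="$SUBNET"
  run gcloud compute instance-groups managed create "appliance-mig-$ZONE" \
    --project="$PROJECT" --zone="$ZONE" \
    --template="appliance-tmpl-$ZONE" --size=2
}

# Step 4: regional health check for the backend service.
create_health_check() {
  run gcloud compute health-checks create tcp "appliance-hc-$REGION" \
    --project="$PROJECT" --region="$REGION" --port="$HC_PORT"
}

# Steps 5.1 and 5.2: backend service with protocol UNSPECIFIED and session
# affinity NONE (5-tuple hash); subsetting is left at its default, disabled.
create_backend_service() {
  run gcloud compute backend-services create "appliance-bes-$ZONE" \
    --project="$PROJECT" --region="$REGION" \
    --load-balancing-scheme=INTERNAL --protocol=UNSPECIFIED \
    --session-affinity=NONE \
    --health-checks="appliance-hc-$REGION" --health-checks-region="$REGION"
  run gcloud compute backend-services add-backend "appliance-bes-$ZONE" \
    --project="$PROJECT" --region="$REGION" \
    --instance-group="appliance-mig-$ZONE" --instance-group-zone="$ZONE"
}

# Step 5.3: forwarding rule created as a mirroring collector. Mirroring can
# only be enabled at creation time, so it cannot be added to an existing rule.
create_forwarding_rule() {
  run gcloud compute forwarding-rules create "appliance-fr-$ZONE" \
    --project="$PROJECT" --region="$REGION" \
    --load-balancing-scheme=INTERNAL \
    --network="$NETWORK" --subnet="$SUBNET" \
    --backend-service="appliance-bes-$ZONE" \
    --ip-protocol=UDP --ports=6081 \
    --is-mirroring-collector
}

# Step 5.4: allow UDP/6081 only from the expected source ranges, with
# logging on so that unexpected senders show up in the firewall logs.
create_firewall_rule() {
  run gcloud compute network-firewall-policies rules create 1000 \
    --project="$PROJECT" --firewall-policy="$FW_POLICY" --global-firewall-policy \
    --direction=INGRESS --action=allow \
    --src-ip-ranges="$GENEVE_SRC_RANGES" --layer4-configs=udp:6081 \
    --enable-logging
}

plan() {
  create_mig; create_health_check; create_backend_service
  create_forwarding_rule; create_firewall_rule
}

case "${1:-}" in
  plan)  plan ;;
  apply) DRY_RUN=0; plan ;;
esac
```

Run `sh producer-lb.sh plan` first and read the seven commands it prints; the two settings worth checking by eye are `--protocol=UNSPECIFIED --session-affinity=NONE` on the backend service and `--is-mirroring-collector` on the forwarding rule, because neither the affinity requirement nor the collector flag can be corrected on the rule later without recreating it. The firewall rule is deliberately limited to `GENEVE_SRC_RANGES` and logged, so a sender outside the mirrored VPC ranges is dropped and visible rather than silently accepted.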

Configure producer mirroring resources

To configure producer mirroring resources, such as mirroring deployment groups and mirroring deployments in your network, do the following:

  1. Create a mirroring deployment group to represent a producer's mirroring service that the consumers can connect to. For more information, see Create and manage mirroring deployment groups.

  2. Create mirroring deployments in every zone where you want to expose the backend service through Network Security Integration. These are the backend services that you created earlier in Configure producer compute resources. For more information, see Create and manage mirroring deployments.

  3. By default, a mirroring deployment group and mirroring deployment are secured against traffic from unknown consumers. To allow a consumer to attach to the mirroring deployment group, make sure that the consumer has the Mirroring Deployment Admin role on the producer's project, which includes the networksecurity.mirroringDeploymentGroups.use permission. The Mirroring Deployment User role (roles/networksecurity.mirroringDeploymentUser) is included by default when you have the Mirroring Deployment Admin role.
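The three steps above as gcloud commands: one global deployment group, one deployment per zone, and the access grant for a single consumer principal. This is an added example, not a script from the Google Cloud documentation. The project, network, region, zones and consumer principal are placeholders set through environment variables; it assumes one mirroring-collector forwarding rule per zone named `appliance-fr-ZONE` (my naming, not the page's), and the flag names follow the gcloud reference for `gcloud network-security mirroring-deployment-groups` and `mirroring-deployments`. As above, commands are printed by default and executed only with `apply`.

```shell
#!/bin/sh
# Added example: mirroring deployment group, per-zone mirroring deployments,
# and the consumer access grant. Not Google's script; names are placeholders.
# Usage: sh producer-mirroring.sh plan | apply
set -eu

PROJECT="${PROJECT:-example-producer-project}"      # placeholder project ID
NETWORK="${NETWORK:-producer-vpc}"
REGION="${REGION:-us-central1}"
ZONES="${ZONES:-us-central1-a us-central1-b}"       # zones that have a collector ILB
DEPLOYMENT_GROUP="${DEPLOYMENT_GROUP:-appliance-dg}"
# Assumed naming: one mirroring-collector forwarding rule per zone, appliance-fr-ZONE.
FR_PREFIX="${FR_PREFIX:-appliance-fr}"
# The one consumer principal allowed to attach (placeholder service account).
CONSUMER_PRINCIPAL="${CONSUMER_PRINCIPAL:-serviceAccount:consumer-sa@example-consumer-project.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print only, 0 = execute

# run: echo the command as one line, and execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# Step 1: global deployment group bound to the producer VPC.
create_deployment_group() {
  run gcloud network-security mirroring-deployment-groups create "$DEPLOYMENT_GROUP" \
    --project="$PROJECT" --location=global \
    --network="projects/$PROJECT/global/networks/$NETWORK"
}

# Step 2: one zonal deployment per zone, each pointing at that zone's
# collector forwarding rule and at the deployment group created above.
create_deployments() {
  for z in $ZONES; do
    run gcloud network-security mirroring-deployments create "appliance-dep-$z" \
      --project="$PROJECT" --location="$z" \
      --forwarding-rule="${FR_PREFIX}-${z}" --forwarding-rule-location="$REGION" \
      --mirroring-deployment-group="projects/$PROJECT/locations/global/mirroringDeploymentGroups/$DEPLOYMENT_GROUP"
  done
}

# Step 3: the group rejects unknown consumers by default. Grant the role the
# page names to exactly one consumer principal on the producer project, not
# to a group or domain, so the set of parties able to attach stays explicit.
grant_consumer_access() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="$CONSUMER_PRINCIPAL" \
    --role=roles/networksecurity.mirroringDeploymentAdmin
}

plan() {
  create_deployment_group; create_deployments; grant_consumer_access
}

case "${1:-}" in
  plan)  plan ;;
  apply) DRY_RUN=0; plan ;;
esac
```

The deployment group is global while each deployment is zonal, so the loop over `ZONES` is what decides in which zones consumers can reach the appliances; a zone with a collector load balancer but no deployment is simply not exposed. The IAM binding is the one step here that widens access, which is why the script takes a single explicit principal rather than reading a list.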

What's next