Set up producer services

To enable a producer service in your network, you must set up the producer resources, such as mirroring deployment groups and mirroring deployments. This document provides a high-level workflow that describes how to configure these components.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Make sure that you have the following Identity and Access Management (IAM) roles on your project:
    • Compute Network Admin role (roles/compute.networkAdmin)
    • Mirroring Deployment Admin role (roles/networksecurity.mirroringDeploymentAdmin)
  5. Enable the Compute Engine and Network Security APIs.

    Enable the APIs

  6. Make sure to install the Google Cloud CLI. For the conceptual and installation information about the tool, see gcloud CLI overview.

    Note: If you haven't run the Google Cloud CLI previously, initialize your gcloud CLI directory by running the gcloud init command.

Configure producer compute resources

To configure producer compute resources in your network, perform the following tasks:

  1. Create a Virtual Private Cloud (VPC) network that contains the producer deployment groups and deployments. For more information, see Create networks.

  2. Create an instance template and specify the machine type, boot disk image, VPC network, and other properties for your third-party appliances. You can then use the instance template to create a managed instance group. For more information, see Create instance templates.

  3. Create managed instance groups (MIGs) and deploy your third-party appliances on multiple identical VMs in a specific zone. For more information, see Create a MIG in a single zone.

  4. Create health checks to monitor whether load balancer backends respond to traffic. For more information, see Create health checks.

  5. Create the backend service with the third-party appliance instance groups that you created in the previous step.

    To create backend services with an internal passthrough Network Load Balancer, follow these steps:

    1. Create the backend service with the protocol set to UDP. For more information, see Create an internal load balancer for Packet Mirroring.

    2. Add the VM instance group to the backend service. A backend service is necessary for creating an internal passthrough Network Load Balancer. For more information, see Add a managed instance group to a backend service.

    3. Create an internal forwarding rule for the backend service to forward mirrored traffic that originates from the consumer VPC network. For more information, see Create an internal load balancer for Packet Mirroring.

    4. Create or add a firewall rule in your network firewall policy that allows UDP traffic to your VMs on port 6081. For more information, see Create global network firewall rules.

Create an internal load balancer for Packet Mirroring

To enable Packet Mirroring, you need an internal passthrough Network Load Balancer that can serve as a packet mirroring producer. The internal passthrough Network Load Balancer must meet the following requirements:

  • The internal passthrough Network Load Balancer's forwarding rule must have Packet Mirroring enabled when the rule is created. This setting can't be changed after the rule is created. Although the forwarding rule accepts only IPv4 traffic, the Geneve-encapsulated mirrored traffic that it carries can be IPv4 or IPv6.
  • The internal passthrough Network Load Balancer and the instances that you're mirroring must be in the same region.
  • The internal passthrough Network Load Balancer's backend service must use a session affinity of NONE (5-tuple hash).
  • Backend subsetting must be disabled on the internal passthrough Network Load Balancer's backend service.

If your producer instances aren't set up to respond to the health check that is configured for your backend service, the health check might fail. Packet mirroring continues even when the health check fails.
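The requirements above can be verified on an existing load balancer before it is exposed to consumers. The following script is an added example and is not part of the Google Cloud documentation: it reads the text that `gcloud compute forwarding-rules describe RULE --region=REGION` and `gcloud compute backend-services describe BES --region=REGION` print and checks each requirement. The two descriptions embedded in it are constructed samples; the resource names, project and region in them are assumptions.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: checks whether an
# internal passthrough Network Load Balancer meets the Packet Mirroring
# collector requirements. Input is the text printed by
#   gcloud compute forwarding-rules describe RULE --region=REGION
#   gcloud compute backend-services describe BES --region=REGION
# The descriptions below are constructed samples with assumed names.
set -u

# has_field DESC KEY VALUE: succeed if DESC contains a line "KEY: VALUE".
has_field() {
  printf '%s\n' "$1" | grep -q "^[[:space:]]*$2: $3\$"
}

# region_of DESC: print the last path component of the "region:" URL.
region_of() {
  printf '%s\n' "$1" | sed -n 's#^region: .*/##p'
}

# check_forwarding_rule DESC: print one line per unmet requirement and return
# 0 only when all are met. Mirroring can be enabled only at creation time, so
# a rule that fails the first check has to be recreated.
check_forwarding_rule() {
  fails=0
  has_field "$1" isMirroringCollector true \
    || { echo "FAIL forwarding rule: isMirroringCollector is not true"; fails=$((fails + 1)); }
  has_field "$1" loadBalancingScheme INTERNAL \
    || { echo "FAIL forwarding rule: loadBalancingScheme is not INTERNAL"; fails=$((fails + 1)); }
  has_field "$1" IPProtocol UDP \
    || { echo "FAIL forwarding rule: IPProtocol is not UDP"; fails=$((fails + 1)); }
  printf '%s\n' "$1" | grep -q "^- '6081'\$" \
    || { echo "FAIL forwarding rule: Geneve port 6081 is not in ports"; fails=$((fails + 1)); }
  [ "$fails" -eq 0 ]
}

# check_backend_service DESC: session affinity must be NONE and backend
# subsetting must be off (no "subsetting:" block, or its policy is NONE).
check_backend_service() {
  fails=0
  has_field "$1" protocol UDP \
    || { echo "FAIL backend service: protocol is not UDP"; fails=$((fails + 1)); }
  has_field "$1" sessionAffinity NONE \
    || { echo "FAIL backend service: sessionAffinity must be NONE (5-tuple hash)"; fails=$((fails + 1)); }
  if printf '%s\n' "$1" | grep -q '^subsetting:'; then
    has_field "$1" policy NONE \
      || { echo "FAIL backend service: backend subsetting is enabled"; fails=$((fails + 1)); }
  fi
  [ "$fails" -eq 0 ]
}

# check_same_region DESC ZONE: the load balancer and the mirrored instances
# (identified by the zone of one of them) must be in the same region.
check_same_region() {
  lb_region=$(region_of "$1")
  vm_region=$(printf '%s' "$2" | sed 's/-[a-z]$//')
  [ -n "$lb_region" ] && [ "$lb_region" = "$vm_region" ]
}

# Constructed sample output (assumed names); a compliant rule and one that was
# created without mirroring enabled.
GOOD_RULE=$(cat <<'EOF'
IPAddress: 10.10.0.10
IPProtocol: UDP
isMirroringCollector: true
loadBalancingScheme: INTERNAL
name: collector-fr
ports:
- '6081'
region: https://www.googleapis.com/compute/v1/projects/example-producer-project/regions/us-central1
EOF
)
BAD_RULE=$(printf '%s\n' "$GOOD_RULE" | sed 's/^isMirroringCollector: true$/isMirroringCollector: false/')

# Constructed sample backend services: compliant, and one with client-IP
# affinity and subsetting turned on.
GOOD_BES=$(cat <<'EOF'
name: collector-bes
protocol: UDP
region: https://www.googleapis.com/compute/v1/projects/example-producer-project/regions/us-central1
sessionAffinity: NONE
subsetting:
  policy: NONE
EOF
)
BAD_BES=$(printf '%s\n' "$GOOD_BES" | sed -e 's/^sessionAffinity: NONE$/sessionAffinity: CLIENT_IP/' \
  -e 's/^  policy: NONE$/  policy: CONSISTENT_HASH_SUBSETTING/')

if check_forwarding_rule "$GOOD_RULE" && check_backend_service "$GOOD_BES" \
   && check_same_region "$GOOD_RULE" us-central1-a; then
  echo "sample collector meets the Packet Mirroring requirements"
fi
check_forwarding_rule "$BAD_RULE" || true
check_backend_service "$BAD_BES" || true
```

To check a real load balancer, pipe the `describe` output of each resource into the matching function. A non-compliant forwarding rule has to be deleted and recreated with `--is-mirroring-collector=true`, while the backend service settings can be corrected with `gcloud compute backend-services update`.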

To create an internal passthrough Network Load Balancer for Packet Mirroring, follow these steps.

Console

Start your configuration

  1. In the Google Cloud console, go to the Load balancing page.

    Go to Load balancing

  2. Click Create load balancer.
  3. For Type of load balancer, select Network Load Balancer (TCP/UDP/SSL) and click Next.
  4. For Proxy or passthrough, select Passthrough load balancer and click Next.
  5. For Public facing or internal, select Internal and click Next.
  6. Click Configure.

Basic configuration

  1. On the Create internal passthrough Network Load Balancer page, enter the following information:

    1. For Load balancer name, enter a name.
    2. For Region, select the region of the VM instances where you want to mirror packets.
    3. For Network, select the network where you want to mirror packets.

Configure the backends

  1. Click Backend configuration.
  2. For Backend type, select Instance group.
  3. From the Protocol list, select UDP.
  4. In the New Backend section, do the following:

    1. Select the IP stack type.
    2. From the Instance group list, select the instance group to forward packets to.
    3. Click Done.

    Note that when you use the Google Cloud console to create your load balancer, the health check is global. If you want to create a regional health check, use gcloud or the API.

Configure the frontend

  1. On the Create internal passthrough Network Load Balancer page, click Frontend configuration.
  2. In the New Frontend IP and port section, do the following:
    1. For Name, enter a name.
    2. For Subnetwork, select a subnetwork in the same region as the instances to mirror.
    3. For Ports, select Single and then in Port numbers, enter 6081.
    4. Click Advanced configurations and select Enable this load balancer for packet mirroring.
    5. Click Done.

Review the configuration

  1. On the Create internal passthrough Network Load Balancer page, click Review and finalize.
  2. Review your load balancer configuration settings.
  3. Click Create.

gcloud

  1. Create a new regional HTTP health check to test HTTP connectivity to an instance group:

    gcloud compute health-checks create http HEALTH_CHECK_NAME \
        --region REGION \
        --port PORT
    

    Replace the following:

    • HEALTH_CHECK_NAME: the name of the health check.
    • REGION: the region of the VM instances for which you want to mirror packets.
    • PORT: the port number that the health check monitors. If none is specified, the default port of 80 is used.
  2. Create a backend service for the mirrored UDP traffic:

    gcloud compute backend-services create COLLECTOR_BACKEND_SERVICE \
        --region=REGION \
        --health-checks-region=REGION \
        --health-checks=HEALTH_CHECK_NAME \
        --load-balancing-scheme=internal \
        --protocol=udp
    

    Replace the following:

    • COLLECTOR_BACKEND_SERVICE: the name of the backend service.
    • REGION: the region of the VM instances where you want to mirror packets.
    • HEALTH_CHECK_NAME: the name of the health check.
  3. Add an instance group to the backend service:

    gcloud compute backend-services add-backend COLLECTOR_BACKEND_SERVICE \
        --region=REGION \
        --instance-group=INSTANCE_GROUP \
        --instance-group-zone=ZONE
    

    Replace the following:

    • COLLECTOR_BACKEND_SERVICE: the name of the backend service.
    • REGION: the region of the instance group.
    • INSTANCE_GROUP: the name of the instance group.
    • ZONE: the zone of the instance group.
  4. Create a forwarding rule for the backend service:

    gcloud compute forwarding-rules create FORWARDING_RULE_NAME \
        --region REGION \
        --load-balancing-scheme=internal \
        --network NETWORK \
        --subnet SUBNET \
        --address=ADDRESS \
        --ports=6081 \
        --ip-protocol=UDP \
        --backend-service COLLECTOR_BACKEND_SERVICE \
        --backend-service-region BACKEND_REGION \
        --is-mirroring-collector=true
    

    Replace the following:

    • FORWARDING_RULE_NAME: the name of the forwarding rule.
    • REGION: the region for the forwarding rule.
    • NETWORK: the network for the forwarding rule.
    • SUBNET: a subnetwork in the region of the VMs where you want to mirror packets.
    • ADDRESS: the IP address that the forwarding rule serves. When the mirrored traffic reaches the collector VMs, this value is set as the destination IP address.
    • COLLECTOR_BACKEND_SERVICE: the backend service for the load balancer.
    • BACKEND_REGION: the region of the backend service.
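The four gcloud steps above, together with the port 6081 firewall rule from the "Configure producer compute resources" section, can be run as one script. The following is an added example and not part of the Google Cloud documentation: every project, region, zone, resource name, address and source range in it is an assumed placeholder that you override through environment variables, and with the default DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: assembles the gcloud
# commands for the Packet Mirroring collector load balancer in dependency
# order, then allows Geneve (UDP 6081) to the collector VMs. All values are
# assumed placeholders; override them in the environment. DRY_RUN=1 prints
# each command, DRY_RUN=0 executes it and stops at the first failure.
set -u

PROJECT_ID="${PROJECT_ID:-example-producer-project}"
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-producer-vpc}"
SUBNET="${SUBNET:-producer-subnet}"
INSTANCE_GROUP="${INSTANCE_GROUP:-appliance-mig}"
HEALTH_CHECK_NAME="${HEALTH_CHECK_NAME:-appliance-hc}"
HEALTH_CHECK_PORT="${HEALTH_CHECK_PORT:-80}"
COLLECTOR_BACKEND_SERVICE="${COLLECTOR_BACKEND_SERVICE:-collector-bes}"
FORWARDING_RULE_NAME="${FORWARDING_RULE_NAME:-collector-fr}"
ADDRESS="${ADDRESS:-10.10.0.10}"
FIREWALL_POLICY="${FIREWALL_POLICY:-producer-fw-policy}"
# Ranges that will send mirrored traffic (assumed); keep this as narrow as the
# consumer networks allow so that arbitrary hosts cannot push Geneve traffic.
MIRROR_SOURCE_RANGES="${MIRROR_SOURCE_RANGES:-10.20.0.0/16}"
DRY_RUN="${DRY_RUN:-1}"

# Step 1: regional HTTP health check.
health_check_cmd() {
  printf 'gcloud compute health-checks create http %s --project=%s --region=%s --port=%s\n' \
    "$HEALTH_CHECK_NAME" "$PROJECT_ID" "$REGION" "$HEALTH_CHECK_PORT"
}

# Step 2: UDP backend service. Session affinity NONE and disabled subsetting
# are the defaults, but the collector requires them, so they are set explicitly.
backend_service_cmd() {
  printf 'gcloud compute backend-services create %s --project=%s --region=%s --health-checks-region=%s --health-checks=%s --load-balancing-scheme=internal --protocol=udp --session-affinity=NONE --subsetting-policy=NONE\n' \
    "$COLLECTOR_BACKEND_SERVICE" "$PROJECT_ID" "$REGION" "$REGION" "$HEALTH_CHECK_NAME"
}

# Step 3: attach the appliance managed instance group.
add_backend_cmd() {
  printf 'gcloud compute backend-services add-backend %s --project=%s --region=%s --instance-group=%s --instance-group-zone=%s\n' \
    "$COLLECTOR_BACKEND_SERVICE" "$PROJECT_ID" "$REGION" "$INSTANCE_GROUP" "$ZONE"
}

# Step 4: forwarding rule with mirroring enabled at creation time; the flag
# cannot be changed later, so a rule created without it must be recreated.
forwarding_rule_cmd() {
  printf 'gcloud compute forwarding-rules create %s --project=%s --region=%s --load-balancing-scheme=internal --network=%s --subnet=%s --address=%s --ports=6081 --ip-protocol=UDP --backend-service=%s --backend-service-region=%s --is-mirroring-collector=true\n' \
    "$FORWARDING_RULE_NAME" "$PROJECT_ID" "$REGION" "$NETWORK" "$SUBNET" "$ADDRESS" \
    "$COLLECTOR_BACKEND_SERVICE" "$REGION"
}

# Step 5: network firewall policy rule allowing UDP 6081 only from the mirror
# sources, with logging on so unexpected senders appear in the firewall logs.
firewall_rule_cmd() {
  printf 'gcloud compute network-firewall-policies rules create 1000 --project=%s --firewall-policy=%s --global-firewall-policy --direction=INGRESS --action=allow --layer4-configs=udp:6081 --src-ip-ranges=%s --description=geneve-from-mirror-sources --enable-logging\n' \
    "$PROJECT_ID" "$FIREWALL_POLICY" "$MIRROR_SOURCE_RANGES"
}

# run CMD: print the command, or execute it when DRY_RUN=0.
run() {
  if [ "$DRY_RUN" = 0 ]; then
    eval "$1" || { echo "failed: $1" >&2; exit 1; }
  else
    printf '%s\n' "$1"
  fi
}

# plan_collector: emit or execute the five commands in dependency order.
plan_collector() {
  run "$(health_check_cmd)"
  run "$(backend_service_cmd)"
  run "$(add_backend_cmd)"
  run "$(forwarding_rule_cmd)"
  run "$(firewall_rule_cmd)"
}

plan_collector
```

Review the printed commands first, then rerun with `DRY_RUN=0` and the real values exported; because the mirroring flag is fixed at creation, getting the forwarding rule right on the first run avoids a delete-and-recreate cycle later.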

Configure producer mirroring resources

To configure producer mirroring resources, such as mirroring deployment groups and mirroring deployments in your network, do the following:

  1. Create a mirroring deployment group to represent a producer's mirroring service that the consumers can connect to. For more information, see Create and manage mirroring deployment groups.

  2. Create mirroring deployments in every zone where you want to expose the backend service through Network Security Integration. These are the same backend services that you created in the previous step. For more information, see Create and manage mirroring deployments.

  3. By default, a mirroring deployment group and mirroring deployment are secured against traffic from unknown consumers. To allow a consumer to attach to the mirroring deployment group, make sure that you have the Mirroring Deployment Admin role (networksecurity.mirroringDeploymentGroups.use) on the producer's project. The Mirroring Deployment User role (roles/networksecurity.mirroringDeploymentUser) is included by default when you have the Mirroring Deployment Admin role.

What's next