Create and manage mirroring rules

This page describes how to create and manage mirroring rules by using the Google Cloud CLI. Before you create a packet mirroring rule, you must create an endpoint group and endpoint group associations. For more information, see Set up consumer services.

Create and manage mirroring rules for network firewall policies

In this section, learn how to create and manage mirroring rules for global network firewall policies by using the gcloud CLI.

Create mirroring rule

Create a packet mirroring rule in a network firewall policy.

gcloud

To create a mirroring rule in a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules create command:

 gcloud beta compute network-firewall-policies mirroring-rules create PRIORITY \
     --action ACTION \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy \
     --security-profile-group SECURITY_PROFILE_GROUP \
     --description DESCRIPTION \
     --direction DIRECTION \
     --layer4-configs LAYER4_CONFIG \
     --src-ip-ranges SRC_IP_RANGE \
     --dest-ip-ranges DEST_IP_RANGE

Replace the following:

  • PRIORITY: the priority of the rule to add.

  • ACTION: the action to take if the request matches the match condition. ACTION must be mirror or do_not_mirror.

  • FIREWALL_POLICY: the ID of the firewall policy in which to create the rule.

  • SECURITY_PROFILE_GROUP: the name of the security profile group that contains a CUSTOM_MIRRORING security profile. Required when ACTION is mirror; it determines where matching packets are copied to.

  • DESCRIPTION: an optional description for the mirroring rule.

  • DIRECTION: whether the rule applies to ingress or egress traffic. If you don't specify a direction, the rule applies to incoming traffic. Ingress rules cannot specify destination ranges; egress rules cannot specify source ranges or source tags.

  • LAYER4_CONFIG: a list of destination protocols and ports to which the firewall rule applies.

  • SRC_IP_RANGE: the source IP ranges. This is only specified if DIRECTION is ingress.

  • DEST_IP_RANGE: the destination IP ranges. This is only specified if DIRECTION is egress.

Delete mirroring rule

Delete the packet mirroring rule at the specified priority.

gcloud

To delete a mirroring rule from a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules delete command:

 gcloud beta compute network-firewall-policies mirroring-rules delete PRIORITY \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy

Replace the following:

  • PRIORITY: the priority of the rule to delete.

  • FIREWALL_POLICY: the ID of the firewall policy that contains the rule.

Describe mirroring rule

Describe the network firewall policy mirroring rule at the specified priority.

gcloud

To describe a mirroring rule in a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules describe command:

 gcloud beta compute network-firewall-policies mirroring-rules describe PRIORITY \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy

Replace the following:

  • PRIORITY: the priority of the rule to describe.

  • FIREWALL_POLICY: the ID of the firewall policy that contains the rule.

Update mirroring rule

Update a mirroring rule in a network firewall policy. Pass only the flags for the fields that you want to change; fields whose flags you omit keep their current values.

gcloud

To update a mirroring rule in a network firewall policy, use the gcloud beta compute network-firewall-policies mirroring-rules update command:

 gcloud beta compute network-firewall-policies mirroring-rules update PRIORITY \
     --action ACTION \
     --firewall-policy FIREWALL_POLICY \
     --global-firewall-policy \
     --security-profile-group SECURITY_PROFILE_GROUP \
     --description DESCRIPTION \
     --direction DIRECTION \
     --layer4-configs LAYER4_CONFIG \
     --src-ip-ranges SRC_IP_RANGE \
     --dest-ip-ranges DEST_IP_RANGE

Replace the following:

  • PRIORITY: the priority of the rule to update.

  • ACTION: the action to take if the request matches the match condition. ACTION must be mirror or do_not_mirror.

  • FIREWALL_POLICY: the ID of the firewall policy that contains the rule.

  • SECURITY_PROFILE_GROUP: the name of the security profile group that contains a CUSTOM_MIRRORING security profile. Required when ACTION is mirror.

  • DESCRIPTION: an optional description for the mirroring rule.

  • DIRECTION: whether the rule applies to ingress or egress traffic. If you don't specify a direction, the rule applies to incoming traffic. Ingress rules cannot specify destination ranges; egress rules cannot specify source ranges or source tags.

  • LAYER4_CONFIG: a list of destination protocols and ports to which the rule applies.

  • SRC_IP_RANGE: the source IP ranges. This is only specified if DIRECTION is ingress.

  • DEST_IP_RANGE: the destination IP ranges. This is only specified if DIRECTION is egress.
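The create and update procedures above share the same constraints: a mirror action needs a security profile group, the direction decides whether source or destination ranges are allowed, and the priority must be a number. The following POSIX shell script is an added example, not part of the Google Cloud documentation or of the gcloud CLI. It wraps those checks in functions that validate the arguments and print the finished gcloud command line instead of running it, so that a rule change can be reviewed (or piped to sh) before it touches a production policy. The policy name ids-policy, the security profile group ids-profile-group, the priorities and the descriptions are hypothetical.

```shell
#!/bin/sh
# Added example (not Google Cloud's or gcloud's own code): validate the
# arguments of a mirroring-rule create/update and print the gcloud command.
# Nothing here calls gcloud; append "| sh" to a usage line to execute it.

# mirroring_rule_cmd OP PRIORITY ACTION POLICY DIRECTION L4CONFIGS RANGES [SPG] [DESC]
#   OP        create | update
#   ACTION    mirror | do_not_mirror
#   DIRECTION ingress (RANGES become --src-ip-ranges) | egress (--dest-ip-ranges)
#   L4CONFIGS value for --layer4-configs, for example tcp:443,udp:53 or all
#   RANGES    comma-separated CIDRs; may be empty
#   SPG       security profile group; mandatory when ACTION is mirror
# Prints the command on stdout and returns 0; returns 1 on a constraint violation.
mirroring_rule_cmd() {
  op=$1
  priority=$2
  action=$3
  policy=$4
  direction=$5
  l4=$6
  ranges=$7
  spg=$8
  desc=$9

  case "$op" in
    create|update) ;;
    *) echo "error: OP must be create or update" >&2; return 1 ;;
  esac
  case "$priority" in
    ''|*[!0-9]*) echo "error: PRIORITY must be a non-negative integer" >&2; return 1 ;;
  esac
  case "$action" in
    mirror|do_not_mirror) ;;
    *) echo "error: ACTION must be mirror or do_not_mirror" >&2; return 1 ;;
  esac
  # A mirror rule needs the CUSTOM_MIRRORING profile group that says where the
  # copied packets go; fail early instead of letting gcloud reject the request.
  if [ "$action" = mirror ] && [ -z "$spg" ]; then
    echo "error: ACTION mirror requires a security profile group" >&2; return 1
  fi
  # The direction picks the only legal range flag: ingress rules cannot carry
  # destination ranges and egress rules cannot carry source ranges.
  case "$direction" in
    ingress) range_flag=--src-ip-ranges ;;
    egress)  range_flag=--dest-ip-ranges ;;
    *) echo "error: DIRECTION must be ingress or egress" >&2; return 1 ;;
  esac
  if [ -z "$l4" ]; then
    echo "error: L4CONFIGS must not be empty" >&2; return 1
  fi

  cmd="gcloud beta compute network-firewall-policies mirroring-rules $op $priority"
  cmd="$cmd --action $action --firewall-policy $policy --global-firewall-policy"
  cmd="$cmd --direction $direction --layer4-configs $l4"
  if [ -n "$ranges" ]; then cmd="$cmd $range_flag $ranges"; fi
  if [ -n "$spg" ]; then cmd="$cmd --security-profile-group $spg"; fi
  if [ -n "$desc" ]; then cmd="$cmd --description \"$desc\""; fi
  printf '%s\n' "$cmd"
}

# mirroring_rule_ref_cmd OP PRIORITY POLICY   (OP is describe or delete)
# Prints the command that addresses an existing rule by priority.
mirroring_rule_ref_cmd() {
  case "$1" in
    describe|delete) ;;
    *) echo "error: OP must be describe or delete" >&2; return 1 ;;
  esac
  case "$2" in
    ''|*[!0-9]*) echo "error: PRIORITY must be a non-negative integer" >&2; return 1 ;;
  esac
  printf '%s\n' "gcloud beta compute network-firewall-policies mirroring-rules $1 $2 --firewall-policy $3 --global-firewall-policy"
}

# Usage with hypothetical names: one mirror rule for inbound HTTPS, one
# do_not_mirror rule for all outbound traffic, then describe and delete.
mirroring_rule_cmd create 1000 mirror ids-policy ingress tcp:443 10.0.0.0/8 ids-profile-group "mirror inbound HTTPS"
mirroring_rule_cmd create 1100 do_not_mirror ids-policy egress all "" "" "skip outbound"
mirroring_rule_ref_cmd describe 1000 ids-policy
mirroring_rule_ref_cmd delete 1100 ids-policy
```

Because the functions only print, a rejected combination (for example a mirror action without a security profile group, or an ingress rule given destination ranges) is caught locally with a non-zero exit status and never reaches the API.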

What's next