Security profile groups overview

A security profile group is a container for custom security profiles. A mirroring rule references a security profile group to enable the processing of network traffic within Network Security Integration.

This document provides a detailed overview of security profile groups and their capabilities.

Specifications

• A security profile group is an organizational level resource.

• You can add only one security profile of type CUSTOM_MIRRORING to a security profile group.

• Each security profile group is uniquely identified by a URL with the following elements:

  • Organization ID: ID of the organization.
  • Location: scope of the security profile group. Location is always set to global.
  • Name: security profile group name in the following format:
    • A string 1-63 characters long
    • Includes only lowercase alphanumeric characters or hyphens (-)
    • Must start with a letter

  To construct a unique URL identifier for a security profile group, use the following format:

  organization/ORGANIZATION_ID/locations/LOCATION/securityProfileGroups/SECURITY_PROFILE_GROUP_NAME
  

  Replace the following:

  • ORGANIZATION_ID: ID of the organization.

  • LOCATION: scope of the security profile group. Location is always set to global.

  • SECURITY_PROFILE_GROUP_NAME: the name of the security profile group.

  For example, a global security profile group example-security-profile-group in organization 2345678432 has the following unique identifier:

  organization/2345678432/locations/global/securityProfileGroups/example-security-profile-group
  

• A mirroring rule must contain the name of the security profile group to be used by the mirroring endpoints.

• Security profile groups apply to packet mirroring policies only when you add a mirroring rule with the action MIRROR. You can configure security profile groups in hierarchical firewall policy rules and global network firewall policy rules.

• Depending on the mirroring rule's flag direction, the rule affects both incoming and outgoing traffic within the Virtual Private Cloud (VPC) network. The mirrored traffic is then sent to the mirroring endpoint group defined in the security profile referenced by the configured security profile group. Subsequently, the mirroring endpoint group redirects the mirrored traffic to the producer deployment group attached by third-party deployments.

• Each security profile group must have an associated project ID. The associated project is used for quotas and access restrictions on security profile group resources. If you authenticate your service account by using the gcloud auth activate-service-account command, you can associate your service account with the security profile group. To learn more about how to create a security profile group, see Create and manage security profile groups.

Identity and Access Management roles

Identity and Access Management (IAM) roles govern the following security profile group actions:

• Creating a security profile group in an organization
• Modifying or deleting a security profile group
• Viewing details of a security profile group
• Viewing a list of security profile groups in an organization
• Using a security profile group in a packet mirroring policy rule

The following table describes the roles that are necessary for each step.

Ability	Necessary role
Create a security profile group	Compute Network Admin role (compute.networkAdmin) on the organization where the security profile group is created.
Modify a security profile group	Compute Network Admin role (compute.networkAdmin) on the organization where the security profile group is created.
View details about the security profile group in an organization	Any of the following roles for the organization: Compute Network Admin role (compute.networkAdmin) Compute Network User role (compute.networkUser) Compute Network Viewer role (compute.networkViewer)
View all of the security profile groups in an organization	Any of the following roles for the organization: Compute Network Admin role (compute.networkAdmin) Compute Network User role (compute.networkUser) Compute Network Viewer role (compute.networkViewer)
Use a security profile group in a packet mirroring policy rule	Any of the following roles for the organization: Compute Network Admin role (compute.networkAdmin) Compute Network User role (compute.networkUser)

If you don't have the Compute Network Admin role (roles/compute.networkAdmin), you can create security profile groups with the following permissions:

• networksecurity.securityProfileGroups.create
• networksecurity.securityProfileGroups.delete
• networksecurity.securityProfileGroups.get
• networksecurity.securityProfileGroups.list
• networksecurity.securityProfileGroups.update
• networksecurity.securityProfileGroups.use

For more information about IAM permissions and predefined roles, see IAM permissions reference.

Quotas

To view quotas associated with security profile groups, see Quotas and limits.

What's next

• Create and manage security profile groups
• Create and manage custom security profiles