Security profiles help you define the behavior of the Network Security Integration service on your network traffic. They are generic policy structures that are used to identify the endpoint group associated with the Virtual Private Cloud (VPC) network. A security profile in a mirroring rule uses the mirroring endpoint groups as the target of the selected traffic.
This document provides a detailed overview of security profiles and their capabilities.
Specifications
A security profile is an organizational level resource.
Network Security Integration supports security profiles of type
CUSTOM_MIRRORING.Each security profile is uniquely identified by a URL with the following elements:
- Organization ID: ID of the organization.
- Location: scope of the security profile. Location is always
set to
global. - Name: security profile name in the following format:
- A string 1-63 characters long
- Includes only lowercase alphanumeric characters or hyphens (-)
- Must start with a letter
To construct a unique URL identifier for a security profile, use the following format:
organization/ORGANIZATION_ID/locations/LOCATION/securityProfiles/SECURITY_PROFILE_NAMEReplace the following:
ORGANIZATION_ID: ID of the organization.LOCATION: scope of the security profile. Location is always set toglobal.SECURITY_PROFILE_NAME: the name of the security profile.
For example, a
globalsecurity profileexample-security-profilein organization2345678432has the following unique identifier:organization/2345678432/locations/global/securityProfiles/example-security-profileAfter you create a security profile, you have the option to attach it to a security profile group. This security profile group is referenced by the network firewall policy of the VPC network where you want to process your network traffic within Network Security Integration.
Traffic that matches the network firewall policy rule is sent to the endpoint group referenced by the security profile.
Each security profile must have an associated project ID. The associated project is used for quotas and access restrictions on security profile resources. If you authenticate your service account by using the
gcloud auth activate-service-accountcommand, you can associate your service account with the security profile. To learn more about how to create a security profile, see Create and manage custom security profiles.
Identity and Access Management roles
Identity and Access Management (IAM) roles govern the following security profiles actions:
- Creating a custom security profile in an organization
- Modifying or deleting a custom security profile
- Viewing details of a custom security profile
- Viewing a list of custom security profiles in an organization
- Using a custom security profile in a security profile group
The following table describes the roles that are necessary for each step.
| Ability | Necessary role |
|---|---|
| Create a custom security profile | Compute Network Admin role (compute.networkAdmin)
on the organization where the custom security profile is created. |
| Modify a custom security profile | Compute Network Admin role (compute.networkAdmin)
on the organization where the custom security profile is created. |
| View details about the custom security profile in an organization | Any of the following roles for the organization:
|
| View all of the custom security profiles in an organization | Any of the following roles for the organization:
|
| Use a custom security profile in a security profile group | Any of the following roles for the organization:
|
If you don't have the
Compute Network Admin role
(roles/compute.networkAdmin), you can create custom security profile with the
following permissions:
networksecurity.securityProfiles.createnetworksecurity.securityProfiles.deletenetworksecurity.securityProfiles.getnetworksecurity.securityProfiles.listnetworksecurity.securityProfiles.updatenetworksecurity.securityProfiles.use
For more information about the IAM permissions and the predefined roles, see IAM permissions reference.
Quotas
To view quotas associated with custom security profiles, see Quotas and limits.