Using Packet Mirroring

Use Packet Mirroring to mirror traffic to and from particular VM instances. You can use the collected traffic to help you detect security threats and monitor application performance. For details about Packet Mirroring, see the Packet Mirroring overview.

Mirrored traffic is sent to VMs where you have installed appropriate software. See Packet mirroring partner providers for a list of vendors who supply software.

The following sections describe how to create and manage packet mirroring policies.

Before you begin

Before you create a packet mirroring policy, you must have the appropriate permissions. You must also create an internal TCP/UDP load balancer, which is the collector destination, in the same region as the instances to mirror.

Permissions

Google Cloud provides two roles for creating and managing packet mirroring policies:

  • compute.packetMirroringUser grants users permission to create, update, and delete packet mirroring policies. To use Packet Mirroring, users must have this role in projects where they create packet mirroring policies.

  • compute.packetMirroringAdmin grants users permission to mirror particular resources. Even if users have permission to create a packet mirroring policy, they still require permission to mirror related sources. Use this role in projects where the owner of a policy might not have any other permissions, for example, in Shared VPC scenarios.

For more information about using IAM roles, see Granting, changing, and revoking access to resources in the IAM documentation.

Internal load balancer

You must have an internal TCP/UDP load balancer that is configured for packet mirroring, and it must be located in the same region as the instances that you're mirroring. All traffic from mirrored sources is sent to the collector instances that are behind the load balancer.

To configure the internal TCP/UDP load balancer for Packet Mirroring, the forwarding rule must be configured as a packet mirroring collector. Non-mirrored traffic that is sent to the load balancer is dropped. Also, if a packet mirroring policy might apply to the collector instances, Packet Mirroring ignores them and doesn't mirror their traffic.

We recommend that you use an instance template and a managed instance group for the collector instances. A managed instance group provides autoscaling and autohealing capabilities to meet your traffic demands and availability requirements. If you use a managed instance group, do not rely on boot disks as persistent data. Back up your data in another central location to retain it.

For details about instance groups and internal TCP/UDP load balancers, see the following documentation: creating an instance template, creating a managed instance group, and configuring load balancer components.

Firewall rules

Mirrored traffic must be allowed to go from source instances to the destination instances that are part of the internal TCP/UDP load balancer. You might already have existing rules that allow this traffic.

  • Check that mirrored instances have an egress rule that allows them to send traffic to the forwarding rule of the internal TCP/UDP load balancer.
  • Check that collector instances in the load balancer's instance group have an ingress rule that allows them to receive traffic from mirrored instances or from the IP address range of mirrored instances. For example, you can specify a source range 0.0.0.0/0 to collect all incoming traffic from mirrored instances. To prevent internet traffic from reaching the collector instances, assign only internal IP addresses to them.

If you don't have existing rules that allow this traffic, see Using firewall rules to create them.

Creating a packet mirroring policy

Create a packet mirroring policy to start mirroring traffic to and from particular instances.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
  2. Click Create policy.
  3. Enter the following information about the policy, and then click Continue.

    1. Enter a name for the policy.
    2. Select the region that includes the mirrored sources and collector destination. The packet mirroring policy must be in the same region as the source and destination.
    3. Ignore the Priority field. It cannot be adjusted at present.
    4. Select Enabled to activate the policy when you create it.
  4. Select the VPC networks where the mirrored source and collector destination are located, and then click Continue.

    The source and destination can be in the same or different VPC networks. If they are in the same VPC network, select Mirrored sources and destination are in the same VPC network, and then select the network. If they are in different networks, select Mirrored source and collector destination are in separate, peered VPC networks, and then select the mirrored source network and then the collector destination network.

  5. Select mirrored sources, and then click Continue. You can select one or more sources. Google Cloud mirrors any instance that matches at least one of your selected sources.

    • Subnets - select one or more subnetworks. Google Cloud mirrors existing and future instances in selected subnets.
    • Network tag - specify one or more network tags. Google Cloud mirrors instances that have at least one of the specified tags.
    • Instance name - select specific instances to mirror.
  6. Select an internal TCP/UDP load balancer that has been configured for Packet Mirroring, and then click Continue. Google Cloud sends mirrored traffic to instances that are behind the internal TCP/UDP load balancer.

    For Shared VPC, if the collector destination and mirrored sources are in the same Shared VPC network, you must select the project where the collector destination is located and then select a load balancer.

  7. If you want to limit what traffic is mirrored, select Mirror filtered traffic. By default, Google Cloud mirrors all traffic.

    You can choose to mirror traffic based on IP address ranges, protocols, traffic direction, or a combination.

  8. Click Submit to create the packet mirroring policy.

gcloud

Create a packet mirroring policy and specify one or more sources to mirror. Google Cloud mirrors any instance that matches at least one of your specified sources.

gcloud compute packet-mirrorings create POLICY_NAME \
  --region=REGION \
  --network=NETWORK_NAME \
  --collector-ilb=FORWARDING_RULE_NAME \
  [--mirrored-subnets=SUBNET,[SUBNET,...]] \
  [--mirrored-tags=TAG,[TAG,...]] \
  [--mirrored-instances=INSTANCE,[INSTANCE,...]] \
  [--filter-cidr-ranges=ADDRESS_RANGE,[ADDRESS_RANGE,...]] \
  [--filter-protocols=PROTOCOL,[PROTOCOL,...]] \
  [--filter-direction=DIRECTION]

Replace the placeholders with valid values:

  • POLICY_NAME is a name for the packet mirroring policy.
  • REGION is the region where the mirrored sources and collector destination are located.
  • NETWORK_NAME is the network where the mirrored sources are located.
  • FORWARDING_RULE_NAME is the name of a forwarding rule that is configured as a mirroring collector. Google Cloud sends all mirrored traffic to the associated internal TCP/UDP load balancer.
  • SUBNET is the name of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
  • TAG is a network tag. Google Cloud mirrors instances that have the network tag.
  • INSTANCE is the fully qualified ID of an instance to mirror.
  • ADDRESS_RANGE is an IP address range (CIDR range) to mirror.
  • PROTOCOL is an IP protocol to mirror (TCP, UDP, or ICMP).
  • DIRECTION is the direction of the traffic to be mirrored relative to the VM. By default, this is set to BOTH, which means that both ingress and egress traffic is mirrored. You can restrict which packets are captured by specifying INGRESS to capture only ingress packets or EGRESS to capture only egress packets.

For more information and descriptions for each flag, see the SDK reference documentation.

API

Create a packet mirroring policy and specify one or more sources to mirror. Google Cloud mirrors any instance that matches at least one of your specified sources.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/packetMirrorings
{
  "name": "POLICY_NAME",
  "network": {
    "url": "NETWORK_URL"
  },
  "priority": PRIORITY,
  "mirroredResources": {
    "subnetworks": [
      {
        "url": "SUBNET_URL"
      }
    ],
    "tags": [
      "TAG"
    ],
    "instances": [
      {
        "url": "INSTANCE"
      }
    ]
  },
  "collectorIlb": {
    "url": "FORWARDING_RULE_URL"
  },
  "filter": {
    "IPProtocols": [
      "PROTOCOL"
    ],
    "cidrRanges": [
      "ADDRESS_RANGE"
    ]
  }
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where the policy is created.
  • POLICY_NAME is a name for the packet mirroring policy.
  • REGION is the region where the mirrored sources and collector destination are located.
  • NETWORK_URL is the URL of the network where the mirrored sources are located.
  • FORWARDING_RULE_URL is the URL of a forwarding rule that is configured as a mirroring collector. Google Cloud sends all mirrored traffic to the associated internal TCP/UDP load balancer.
  • SUBNET_URL is the URL of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
  • TAG is a network tag. Google Cloud mirrors instances that have the network tag.
  • INSTANCE is the fully qualified ID of an instance to mirror.
  • ADDRESS_RANGE is an IP address range (CIDR range) to mirror.
  • PROTOCOL is an IP protocol to mirror (TCP, UDP, or ICMP).

For more information and descriptions for each field, refer to the packetmirrorings.insert method.
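The request body above is easy to get subtly wrong: the policy, the collector forwarding rule and the mirrored subnets must all be in one region, "enable" is an enum string rather than a JSON boolean, and a CIDR range with host bits set is rejected. The following helper, added here as an example and not code from Google Cloud, composes a packetmirrorings.insert body and checks those constraints before you send it; the resource URLs in the assumptions are self links of the usual Compute form, and the protocol names are lowercased because the API enum values are tcp, udp and icmp.

```python
import ipaddress
import re

VALID_PROTOCOLS = {"tcp", "udp", "icmp"}
VALID_DIRECTIONS = {"INGRESS", "EGRESS", "BOTH"}
_REGION_RE = re.compile(r"/regions/([^/]+)/")
_ZONE_RE = re.compile(r"/zones/([^/]+)/")


def build_policy(name, network_url, collector_ilb_url, subnet_urls=(), tags=(),
                 instance_urls=(), cidr_ranges=(), protocols=(), direction="BOTH",
                 enable=True):
    """Compose the request body for packetmirrorings.insert (same shape as above)."""
    return {
        "name": name,
        "network": {"url": network_url},
        "collectorIlb": {"url": collector_ilb_url},
        "mirroredResources": {
            "subnetworks": [{"url": u} for u in subnet_urls],
            "tags": list(tags),
            "instances": [{"url": u} for u in instance_urls],
        },
        "filter": {
            # the API enum values are lowercase tcp/udp/icmp
            "IPProtocols": [p.lower() for p in protocols],
            "cidrRanges": list(cidr_ranges),
            "direction": direction,
        },
        "enable": "TRUE" if enable else "FALSE",  # enum string, not a JSON boolean
    }


def validate_policy(body, region):
    """Return the list of problems found; an empty list means the body is consistent."""
    problems = []
    res = body["mirroredResources"]
    if not (res["subnetworks"] or res["tags"] or res["instances"]):
        problems.append("no mirrored sources: specify a subnet, tag or instance")
    # The collector forwarding rule and mirrored subnets must be in the policy's region.
    for item in [body["collectorIlb"], *res["subnetworks"]]:
        m = _REGION_RE.search(item["url"])
        if not m or m.group(1) != region:
            problems.append(f"{item['url']} is not in region {region}")
    # Instances are zonal; their zone must belong to the same region.
    for item in res["instances"]:
        m = _ZONE_RE.search(item["url"])
        if not m or not m.group(1).startswith(region + "-"):
            problems.append(f"{item['url']} is not in a zone of {region}")
    flt = body["filter"]
    for p in flt["IPProtocols"]:
        if p not in VALID_PROTOCOLS:
            problems.append(f"unsupported protocol {p!r}")
    if flt["direction"] not in VALID_DIRECTIONS:
        problems.append(f"invalid direction {flt['direction']!r}")
    for c in flt["cidrRanges"]:
        try:
            ipaddress.ip_network(c)  # strict by default: host bits set raise ValueError
        except ValueError:
            problems.append(f"invalid CIDR range {c!r}")
    return problems
```

Run validate_policy on the body before the POST, or on the body returned by packetmirrorings.get when a policy is not behaving as expected.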

To verify that your packet mirroring policy is in effect, see Monitoring packet mirroring policies.

Modifying a packet mirroring policy

Update an existing policy to change its mirrored sources or collector destination.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
  2. From the list of packet mirroring policies, click the one that you want to edit.
  3. On the policy details page, click Edit.
  4. Edit the fields that you want to update. The console follows the same flow as when you create a policy. For information about each field, see Creating a packet mirroring policy.

gcloud

Update an existing packet mirroring policy.

gcloud compute packet-mirrorings update POLICY_NAME \
  --region=REGION \
  [--collector-ilb=FORWARDING_RULE_NAME] \
  [--mirrored-subnets=SUBNET,[SUBNET,...]] \
  [--mirrored-tags=TAG,[TAG,...]] \
  [--mirrored-instances=INSTANCE,[INSTANCE,...]] \
  [--filter-cidr-ranges=ADDRESS_RANGE,[ADDRESS_RANGE,...]] \
  [--filter-protocols=PROTOCOL,[PROTOCOL,...]]

Replace the placeholders with valid values:

  • POLICY_NAME is the name for the packet mirroring policy to modify.
  • REGION is the region where the policy is located.
  • FORWARDING_RULE_NAME is the name of a forwarding rule that is configured as a collector. Google Cloud sends all mirrored traffic to the associated internal TCP/UDP load balancer.
  • SUBNET is the name of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
  • TAG is a network tag. Google Cloud mirrors instances that have the network tag.
  • INSTANCE is the fully qualified ID of an instance to mirror.
  • ADDRESS_RANGE is an IP address range (CIDR range) to mirror.
  • PROTOCOL is an IP protocol to mirror (TCP, UDP, or ICMP).

For more information and descriptions for each flag, see the SDK reference documentation.

API

Update an existing packet mirroring policy.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/packetMirrorings/POLICY_NAME
{
  "priority": PRIORITY,
  "mirroredResources": {
    "subnetworks": [
      {
        "url": "SUBNET_URL"
      }
    ],
    "tags": [
      "TAG"
    ],
    "instances": [
      {
        "url": "INSTANCE"
      }
    ]
  },
  "collectorIlb": {
    "url": "FORWARDING_RULE_URL"
  },
  "filter": {
    "IPProtocols": [
      "PROTOCOL"
    ],
    "cidrRanges": [
      "ADDRESS_RANGE"
    ],
    "direction": "DIRECTION"
  }
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where the policy is located.
  • POLICY_NAME is the name of the packet mirroring policy to modify.
  • REGION is the region where the policy is located.
  • FORWARDING_RULE_URL is the URL of a forwarding rule that is configured as a mirroring collector. Google Cloud sends all mirrored traffic to the associated internal TCP/UDP load balancer.
  • SUBNET_URL is the URL of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
  • TAG is a network tag. Google Cloud mirrors instances that have the network tag.
  • INSTANCE is the fully qualified ID of an instance to mirror.
  • ADDRESS_RANGE is an IP address range (CIDR range) to mirror.
  • PROTOCOL is an IP protocol to mirror (TCP, UDP, or ICMP).
  • DIRECTION is the direction of the traffic to mirror from the point of view of the VM. Valid values are INGRESS, which captures only inbound traffic, EGRESS, which captures only outbound traffic, or BOTH (default) which captures both inbound and outbound traffic.

For more information and descriptions for each field, refer to the packetmirrorings.patch method.

Listing packet mirroring policies

List packet mirroring policies to view existing policies.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.

    The Cloud Console lists all of the policies in your project.

gcloud

List existing packet mirroring policies that are in your project or for a particular region.

gcloud compute packet-mirrorings list \
  [--filter="region:(REGION...)"]

Replace REGION with the name of the region that contains the policies to list.

For more information and descriptions for each flag, see the SDK reference documentation.

API

List existing packet mirroring policies that are in your project.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/aggregated/packetMirrorings

List existing packet mirroring policies for a particular region.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/packetMirrorings

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project that contains the policies to list.
  • REGION is the region that contains the policies to list.

For more information and descriptions for each field, refer to the packetmirrorings.aggregatedList or packetmirrorings.list methods.

Describing a packet mirroring policy

View details of an existing packet mirroring policy to see, for example, its filters.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
  2. From the list of packet mirroring policies, select the one that you want to view.

    The Cloud Console shows the details of the policy that you selected.

gcloud

Describe an existing packet mirroring policy to view its details.

gcloud compute packet-mirrorings describe POLICY_NAME \
  --region=REGION

Replace the placeholders with valid values:

  • POLICY_NAME is the name for the packet mirroring policy to describe.
  • REGION is the region where the policy is located.

For more information and descriptions for each flag, see the SDK reference documentation.

API

Describe an existing packet mirroring policy to view its details.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/packetMirrorings/POLICY_NAME

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where the policy is located.
  • POLICY_NAME is the name of the packet mirroring policy to describe.
  • REGION is the region where the policy is located.

For more information and descriptions for each field, refer to the packetmirrorings.get method.

Disabling or enabling a packet mirroring policy

Disable or enable a packet mirroring policy to stop or start collecting mirrored traffic.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
  2. From the list of packet mirroring policies, select the one to disable or enable.
  3. Click Disable or Enable.
  4. Confirm by clicking Disable or Enable.

gcloud

Disable an existing packet mirroring policy.

gcloud compute packet-mirrorings update POLICY_NAME \
  --region=REGION \
  --no-enable

Enable an existing packet mirroring policy.

gcloud compute packet-mirrorings update POLICY_NAME \
  --region=REGION \
  --enable

Replace the placeholders with valid values:

  • POLICY_NAME is the name for the packet mirroring policy to disable or enable.
  • REGION is the region where the policy is located.

For more information and descriptions for each flag, see the SDK reference documentation.

API

Disable or enable an existing packet mirroring policy.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/packetMirrorings/POLICY_NAME
{
  "enable": "FALSE|TRUE"
}

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where the policy is located.
  • POLICY_NAME is the name of the packet mirroring policy to disable or enable.
  • REGION is the region where the policy is located.

For more information and descriptions for each field, refer to the packetmirrorings.patch method.

Deleting a packet mirroring policy

Delete a packet mirroring policy to remove it from your project. After you delete a policy, Google Cloud stops mirroring all traffic that is related to the policy.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
  2. From the list of packet mirroring policies, select the one that you want to delete.
  3. Click Delete.
  4. Confirm by clicking Delete.

gcloud

Delete an existing packet mirroring policy.

gcloud compute packet-mirrorings delete POLICY_NAME \
  --region=REGION

Replace the placeholders with valid values:

  • POLICY_NAME is the name for the packet mirroring policy to delete.
  • REGION is the region where the policy is located.

For more information and descriptions for each flag, see the SDK reference documentation.

API

Delete an existing packet mirroring policy.

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/packetMirrorings/POLICY_NAME

Replace the placeholders with valid values:

  • PROJECT_ID is the ID of the project where the policy is located.
  • POLICY_NAME is the name of the packet mirroring policy to delete.
  • REGION is the region where the policy is located.

For more information and descriptions for each field, refer to the packetmirrorings.delete method.

Troubleshooting

If your packet mirroring policy isn't collecting the intended mirrored traffic, check the following configurations:

  • Check that you have firewall rules that allow traffic from mirrored instances to the collector instances.

  • Check that your mirrored sources include or exclude the instances to mirror. For example, if you specify a subnet as a mirrored source, all existing and future instances in the subnet are mirrored. If you specify tags, only instances that have matching tags are mirrored.

  • Check that the packet mirroring filters aren't too broad or too narrow. You might have unintentionally configured filters to include or exclude certain traffic.
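The last two checks come down to the matching rules described in this page: an instance is mirrored when it matches at least one selected source (subnet, tag or instance), collector instances are never mirrored, and a packet that reaches a mirrored instance still has to pass the direction, protocol and CIDR filters. The following added example, not code from Google Cloud, encodes those rules so you can test a policy against a given instance and packet and get back the first reason it is not mirrored. It uses plain subnet and instance names instead of resource URLs, and it assumes (taken from the Packet Mirroring overview, not stated on this page) that CIDR ranges are matched against the remote endpoint: the source address of ingress packets and the destination address of egress packets. Firewall rules are outside the policy and must be checked separately.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    subnet: str
    tags: set = field(default_factory=set)
    is_collector: bool = False  # backend of the collector load balancer


@dataclass
class Packet:
    direction: str  # "INGRESS" (into the VM) or "EGRESS" (out of the VM)
    protocol: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str


def instance_is_mirrored(policy, inst):
    """True when the instance matches at least one selected mirrored source."""
    if inst.is_collector:  # collector instances are never mirrored
        return False
    src = policy["mirroredResources"]
    return (inst.subnet in src.get("subnetworks", [])
            or bool(inst.tags & set(src.get("tags", [])))
            or inst.name in src.get("instances", []))


def mirror_verdict(policy, inst, pkt):
    """Return "mirrored", or the first reason the packet is not mirrored."""
    if policy.get("enable", "TRUE") != "TRUE":
        return "policy is disabled"
    if inst.is_collector:
        return "collector instances are never mirrored"
    if not instance_is_mirrored(policy, inst):
        return "instance matches no mirrored source"
    flt = policy.get("filter", {})  # an empty filter mirrors all traffic
    direction = flt.get("direction", "BOTH")
    if direction != "BOTH" and direction != pkt.direction:
        return f"direction {pkt.direction} excluded by filter direction {direction}"
    protos = flt.get("IPProtocols", [])
    if protos and pkt.protocol.lower() not in protos:
        return f"protocol {pkt.protocol} not in filter protocols {protos}"
    ranges = flt.get("cidrRanges", [])
    if ranges:
        # Assumption (taken from the overview, not this page): the CIDR filter is
        # matched against the remote endpoint: the source of ingress packets,
        # the destination of egress packets.
        remote = ipaddress.ip_address(pkt.src if pkt.direction == "INGRESS" else pkt.dst)
        if not any(remote in ipaddress.ip_network(r) for r in ranges):
            return f"remote address {remote} not in filter ranges {ranges}"
    return "mirrored"
```

Feed it the mirroredResources and filter sections from packet-mirrorings describe (with URLs reduced to names) and the instance and packet you expected to see at the collector.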