Using Packet Mirroring

Use Packet Mirroring to mirror traffic to and from particular VM instances. You can use the collected traffic to help you detect security threats and monitor application performance. For details about Packet Mirroring, see the Packet Mirroring overview.

The following sections describe how to create and manage packet mirroring policies.

Before you begin

Before you create a packet mirroring policy, you must have the appropriate permissions. You must also create an internal load balancer, which is the collector destination, in the same region as the instances to mirror.

Permissions

To create and manage packet mirroring policies, Google Cloud provides two roles that are related to Packet Mirroring:

  • compute.packetMirroringUser grants users permission to create, update, and delete packet mirroring policies. To use Packet Mirroring, users must have this role in projects where they create packet mirroring policies.

  • compute.packetMirroringAdmin grants users permission to mirror particular resources. Even if users have permission to create a packet mirroring policy, they still require permission to mirror related sources. Use this role in projects where the owner of a policy might not have any other permissions, for example, in Shared VPC scenarios.

For more information about using Cloud IAM roles, see Granting, changing, and revoking access to resources in the Cloud IAM documentation.

Internal load balancer

You must have an internal TCP/UDP load balancer that is configured for packet mirroring, and it must be located in the same region as the instances that you're mirroring. All traffic from mirrored sources is sent to the collector instances that are behind the load balancer.

To configure the internal load balancer for Packet Mirroring, its forwarding rule must be configured as a packet mirroring collector. Non-mirrored traffic that is sent to that forwarding rule is dropped. Collector instances are never mirrored themselves: even if one matches a mirrored source of some policy (for example, because it sits in a mirrored subnet), Packet Mirroring ignores it and does not mirror its traffic, so the mirrored copies are never mirrored again.

For details about configuring internal load balancers, see configuring load balancer components.

Firewall rules

Mirrored traffic must be allowed to go from the source instances to the collector instances behind the internal load balancer. You might already have existing rules that allow this traffic.

  • Check that mirrored instances have an egress rule that allows them to send traffic to the forwarding rule of the internal load balancer (the implied allow-egress rule of a VPC network is sufficient unless you have added deny-egress rules).
  • Check that collector instances in the load balancer's instance group have an ingress rule that allows them to receive traffic from the mirrored instances. Prefer a source range that covers only the mirrored instances, for example the primary IP range of the mirrored subnet, and scope the rule with a target tag or target service account so it applies only to the collectors. A source range of 0.0.0.0/0 does collect everything from the mirrored instances, but it also admits any other source that can reach the collectors; if you use it, make sure the collectors have only internal IP addresses so that no internet traffic can reach them.

If you don't have existing rules that allow this traffic, see Using firewall rules to create them.

Creating a packet mirroring policy

Create a packet mirroring policy to start mirroring traffic to and from particular instances.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
    Go to the Packet Mirroring page
  2. Click Create.
  3. Enter the following information about the policy, and then click Continue.

    1. Enter a name for the policy.
    2. Select the region that includes the mirrored sources and collector destination. The packet mirroring policy must be in the same region as the source and destination.
    3. Enter a priority for the policy. Google Cloud uses the priority value to determine which policy to use when multiple policies can apply.
    4. Select Enabled to activate the policy when you create it.
  4. Select the VPC networks where the mirrored source and collector destination are located, and then click Continue.

    The source and destination can be in the same VPC network or in two peered VPC networks. If they are in the same VPC network, select Mirrored sources and destination are in the same VPC network, and then select the network. If they are in different networks, select Mirrored source and collector destination are in separate, peered VPC networks, and then select the mirrored source network followed by the collector destination network.

  5. Select mirrored sources, and then click Continue. You can select one or more sources. Google Cloud mirrors any instance that matches at least one of your selected sources.

    • Subnets - select one or more subnets. Google Cloud mirrors existing and future instances in the selected subnets.
    • Network tag - specify one or more network tags. Google Cloud mirrors instances that have at least one of the specified tags.
    • Instance name - select specific instances to mirror.
  6. Select an internal load balancer that has been configured for Packet Mirroring, and then click Continue. Google Cloud sends mirrored traffic to instances that are behind the internal load balancer.

  7. If you want to limit what traffic is mirrored, select Mirror filtered traffic. By default, Google Cloud mirrors all traffic.

    You can choose to mirror traffic based on IP address ranges, protocols, or both.

  8. Click Submit to create the packet mirroring policy.

gcloud

Create a packet mirroring policy and specify one or more sources to mirror. Google Cloud mirrors any instance that matches at least one of your specified sources.

gcloud beta compute packet-mirrorings create policy-name \
  --region=region \
  --network=network-name \
  --collector-ilb=forwarding-rule-name \
  [--mirrored-subnets=subnet,[subnet,...]] \
  [--mirrored-tags=tag,[tag,...]] \
  [--mirrored-instances=instance,[instance,...]] \
  [--filter-cidr-ranges=address-range,[address-range,...]] \
  [--filter-protocols=protocol,[protocol,...]] \
  [--priority=priority-number]

Replace the placeholders with valid values:

  • policy-name is a name for the packet mirroring policy.
  • region is the region where the mirrored sources and collector destination are located.
  • network-name is the network where the mirrored sources are located.
  • forwarding-rule-name is the name of a forwarding rule that is configured as a mirroring collector. Google Cloud sends all mirrored traffic to the associated internal load balancer.
  • subnet is the name of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
  • tag is a network tag. Google Cloud mirrors instances that have the network tag.
  • instance is the fully qualified ID of an instance to mirror.
  • address-range is an IP address range (CIDR range) to mirror.
  • protocol is an IP protocol to mirror (tcp, udp, or icmp). If you specify neither protocols nor CIDR ranges, all traffic to and from the mirrored instances is sent to the collector.
  • priority-number is a number 0 through 65535. Google Cloud uses the priority value to determine which policy to use when multiple policies can apply.

For more information and descriptions for each flag, see the SDK reference documentation.
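The following script is an added example and is not part of the Google Cloud documentation; it ties together the "Before you begin" steps (collector internal load balancer and firewall rules) and the gcloud policy creation shown above into one runnable sequence. The project, region, zone, network, subnet, CIDR range, instance group, tag and resource names are assumed values and must be replaced with your own. With DRY_RUN=1 (the default) it prints every gcloud command instead of executing it, so you can review the exact flags before running it with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud documentation: set up a
# collector internal load balancer, the firewall rules it needs, and a
# filtered packet mirroring policy with gcloud. Project, region, zone,
# network, subnet, CIDR range and resource names below are assumed values.
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
set -eu

: "${DRY_RUN:=1}"
PROJECT="${PROJECT:-my-project}"                    # assumed
REGION="${REGION:-us-central1}"                     # assumed
ZONE="${ZONE:-us-central1-a}"                       # assumed
NETWORK="${NETWORK:-prod-vpc}"                      # assumed
SUBNET="${SUBNET:-prod-subnet}"                     # assumed; mirrored sources live here
SUBNET_RANGE="${SUBNET_RANGE:-10.10.0.0/24}"        # assumed primary range of SUBNET
COLLECTOR_IG="${COLLECTOR_IG:-collector-ig}"        # assumed existing instance group of collectors
COLLECTOR_TAG="${COLLECTOR_TAG:-mirror-collector}"  # assumed network tag on the collector VMs

gc() {
  # Run gcloud, or print the command line when DRY_RUN=1.
  if [ "$DRY_RUN" = "1" ]; then
    printf 'gcloud %s\n' "$*"
  else
    gcloud "$@"
  fi
}

create_collector_firewall() {
  # Ingress to the collectors only from the mirrored subnet's range, scoped
  # by target tag. 0.0.0.0/0 is deliberately not used: it would also admit
  # any other source that can reach the collectors.
  gc compute firewall-rules create allow-mirrored-to-collector \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --action=allow --rules=all \
    --source-ranges="$SUBNET_RANGE" --target-tags="$COLLECTOR_TAG"
  # The backend health check arrives from Google's documented probe ranges;
  # port 22 is an assumption, use the port your collector software listens on.
  gc compute firewall-rules create allow-hc-to-collector \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --action=allow --rules=tcp:22 \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 --target-tags="$COLLECTOR_TAG"
}

create_collector_ilb() {
  gc compute health-checks create tcp collector-hc \
    --project="$PROJECT" --region="$REGION" --port=22
  gc compute backend-services create collector-bes \
    --project="$PROJECT" --region="$REGION" \
    --load-balancing-scheme=INTERNAL --protocol=TCP \
    --health-checks=collector-hc --health-checks-region="$REGION"
  gc compute backend-services add-backend collector-bes \
    --project="$PROJECT" --region="$REGION" \
    --instance-group="$COLLECTOR_IG" --instance-group-zone="$ZONE"
  # --is-mirroring-collector marks the forwarding rule as a collector and
  # --ports=all lets it accept mirrored packets on any port.
  gc compute forwarding-rules create collector-fr \
    --project="$PROJECT" --region="$REGION" \
    --load-balancing-scheme=INTERNAL --network="$NETWORK" --subnet="$SUBNET" \
    --backend-service=collector-bes --ip-protocol=TCP --ports=all \
    --is-mirroring-collector
}

create_policy() {
  # Mirror only TCP and UDP to or from the subnet range instead of the
  # default "all traffic". Policy, sources and collector share one region.
  gc beta compute packet-mirrorings create mirror-prod-subnet \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK" \
    --collector-ilb=collector-fr \
    --mirrored-subnets="$SUBNET" \
    --filter-cidr-ranges="$SUBNET_RANGE" \
    --filter-protocols=tcp,udp \
    --priority=1000
}

verify_policy() {
  # Confirm the policy is enabled and points at the intended collector.
  gc beta compute packet-mirrorings describe mirror-prod-subnet \
    --project="$PROJECT" --region="$REGION" \
    --format='value(enable,collectorIlb.url,filter.cidrRanges,filter.IPProtocols)'
}

create_collector_firewall
create_collector_ilb
create_policy
verify_policy
```

Review the printed commands first; the two firewall rules and the forwarding rule are the parts that most often go wrong (a missing --is-mirroring-collector or --ports=all means the load balancer silently drops mirrored packets, and an over-broad source range turns the collectors into an open target).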

API

Create a packet mirroring policy and specify one or more sources to mirror. Google Cloud mirrors any instance that matches at least one of your specified sources.

POST https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings
{
  "name": "policy-name",
  "network": {
    "url": "network-url"
  },
  "priority": priority,
  "mirroredResources": {
    "subnetworks": [
      {
        "url": "subnet-url"
      }
    ],
    "tags": [
      "tag"
    ],
    "instances": [
      {
        "url": "instance"
      }
    ]
  },
  "collectorIlb": {
    "url": "forwarding-rule-url"
  },
  "filter": {
    "IPProtocols": [
      "protocol"
    ],
    "cidrRanges": [
      "address-range"
    ]
  }
}

Replace the placeholders with valid values:

  • project-id is the ID of the project where the policy is created.
  • policy-name is a name for the packet mirroring policy.
  • region is the region where the mirrored sources and collector destination are located.
  • network-url is the URL of the network where the mirrored sources are located.
  • forwarding-rule-url is the URL of a forwarding rule that is configured as a mirroring collector. Google Cloud sends all mirrored traffic to the associated internal load balancer.
  • subnet-url is the URL of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
  • tag is a network tag. Google Cloud mirrors instances that have the network tag.
  • instance is the URL of an instance to mirror.
  • address-range is an IP address range (CIDR range) to mirror.
  • protocol is an IP protocol to mirror (TCP, UDP, or ICMP).
  • priority is a number 0 through 65535. Google Cloud uses the priority value to determine which policy to use when multiple policies can apply.

For more information and descriptions for each field, refer to the packetmirrorings.insert method.

To verify that your packet mirroring policy is in effect, see Monitoring packet mirroring policies.

Modifying a packet mirroring policy

Update an existing policy to change its priority, mirrored sources, or collector destination.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
    Go to the Packet Mirroring page
  2. From the list of packet mirroring policies, click the one that you want to edit.
  3. On the policy details page, click Edit.
  4. Edit the fields that you want to update. The console follows the same flow as when you create a policy. For information about each field, see Creating a packet mirroring policy.

gcloud

Update an existing packet mirroring policy.

gcloud beta compute packet-mirrorings update policy-name \
  --region=region \
  [--collector-ilb=forwarding-rule-name] \
  [--mirrored-subnets=subnet,[subnet,...]] \
  [--mirrored-tags=tag,[tag,...]] \
  [--mirrored-instances=instance,[instance,...]] \
  [--filter-cidr-ranges=address-range,[address-range,...]] \
  [--filter-protocols=protocol,[protocol,...]] \
  [--priority=priority-number]

Replace the placeholders with valid values:

  • policy-name is the name of the packet mirroring policy to modify.
  • region is the region where the policy is located.
  • forwarding-rule-name is the name of a forwarding rule that is configured as a mirroring collector. Google Cloud sends all mirrored traffic to the associated internal load balancer.
  • subnet is the name of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
  • tag is a network tag. Google Cloud mirrors instances that have the network tag.
  • instance is the fully qualified ID of an instance to mirror.
  • address-range is an IP address range (CIDR range) to mirror.
  • protocol is an IP protocol to mirror (tcp, udp, or icmp).
  • priority-number is a number 0 through 65535. Google Cloud uses the priority value to determine which policy to use when multiple policies can apply.

Each list flag replaces the corresponding list on the policy, so pass the complete set of subnets, tags, instances or filter values that you want to keep, not only the additions.

For more information and descriptions for each flag, see the SDK reference documentation.

API

Update an existing packet mirroring policy.

PATCH https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings/policy-name
{
  "priority": priority,
  "mirroredResources": {
    "subnetworks": [
      {
        "url": "subnet-url"
      }
    ],
    "tags": [
      "tag"
    ],
    "instances": [
      {
        "url": "instance"
      }
    ]
  },
  "collectorIlb": {
    "url": "forwarding-rule-url"
  },
  "filter": {
    "IPProtocols": [
      "protocol"
    ],
    "cidrRanges": [
      "address-range"
    ]
  }
}

Replace the placeholders with valid values:

  • project-id is the ID of the project where the policy is located.
  • policy-name is the name of the packet mirroring policy to modify.
  • region is the region where policy is located.
  • forwarding-rule-url is the URL of a forwarding rule that is configured as a mirroring collector. Google Cloud sends all mirrored traffic to the associated internal load balancer.
  • subnet-url is the URL of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
  • tag is a network tag. Google Cloud mirrors instances that have the network tag.
  • instance is the URL of an instance to mirror.
  • address-range is an IP address range (CIDR range) to mirror.
  • protocol is an IP protocol to mirror (TCP, UDP, or ICMP).
  • priority is a number 0 through 65535. Google Cloud uses the priority value to determine which policy to use when multiple policies can apply.

For more information and descriptions for each field, refer to the packetmirrorings.patch method.

Listing packet mirroring policies

List packet mirroring policies to view existing policies.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
    Go to the Packet Mirroring page

    The Cloud Console lists all of the policies in your project.

gcloud

List existing packet mirroring policies that are in your project or for a particular region.

gcloud beta compute packet-mirrorings list \
  [--filter="region:(region...)"]

Replace region with the name of the region that contains the policies to list.

For more information and descriptions for each flag, see the SDK reference documentation.

API

List existing packet mirroring policies that are in your project.

GET https://compute.googleapis.com/compute/beta/projects/project-id/aggregated/packetMirrorings

List existing packet mirroring policies for a particular region.

GET https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings

Replace the placeholders with valid values:

  • project-id is the ID of the project that contains the policies to list.
  • region is the region that contains the policies to list.

For more information and descriptions for each field, refer to the packetmirrorings.aggregatedList or packetmirrorings.list methods.

Describing a packet mirroring policy

View details of an existing packet mirroring policy to see, for example, its priority or filters.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
    Go to the Packet Mirroring page
  2. From the list of packet mirroring policies, select the one that you want to view.

    The Cloud Console shows the details of the policy that you selected.

gcloud

Describe an existing packet mirroring policy to view its details.

gcloud beta compute packet-mirrorings describe policy-name \
  --region=region

Replace the placeholders with valid values:

  • policy-name is the name for the packet mirroring policy to describe.
  • region is the region where the policy is located.

For more information and descriptions for each flag, see the SDK reference documentation.

API

Describe an existing packet mirroring policy to view its details.

GET https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings/policy-name

Replace the placeholders with valid values:

  • project-id is the ID of the project where the policy is located.
  • policy-name is the name of the packet mirroring policy to describe.
  • region is the region where policy is located.

For more information and descriptions for each field, refer to the packetmirrorings.get method.

Disabling or enabling a packet mirroring policy

Disable or enable a packet mirroring policy to stop or start collecting mirrored traffic.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
    Go to the Packet Mirroring page
  2. From the list of packet mirroring policies, select the one to disable or enable.
  3. Click Disable or Enable.
  4. Confirm by clicking Disable or Enable.

gcloud

Disable an existing packet mirroring policy.

gcloud beta compute packet-mirrorings update policy-name \
  --region=region \
  --no-enable

Enable an existing packet mirroring policy.

gcloud beta compute packet-mirrorings update policy-name \
  --region=region \
  --enable

Replace the placeholders with valid values:

  • policy-name is the name for the packet mirroring policy to disable or enable.
  • region is the region where the policy is located.

For more information and descriptions for each flag, see the SDK reference documentation.

API

Disable or enable an existing packet mirroring policy.

PATCH https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings/policy-name
{
  "enable": "FALSE|TRUE"
}

Replace the placeholders with valid values:

  • project-id is the ID of the project where the policy is located.
  • policy-name is the name of the packet mirroring policy to disable or enable.
  • region is the region where policy is located.

For more information and descriptions for each field, refer to the packetmirrorings.patch method.

Deleting a packet mirroring policy

Delete a packet mirroring policy to remove it from your project. After you delete a policy, Google Cloud stops mirroring all traffic that is related to the policy.

Console

  1. Go to the Packet Mirroring page in the Google Cloud Console.
    Go to the Packet Mirroring page
  2. From the list of packet mirroring policies, select the one that you want to delete.
  3. Click Delete.
  4. Confirm by clicking Delete.

gcloud

Delete an existing packet mirroring policy.

gcloud beta compute packet-mirrorings delete policy-name \
  --region=region

Replace the placeholders with valid values:

  • policy-name is the name for the packet mirroring policy to delete.
  • region is the region where the policy is located.

For more information and descriptions for each flag, see the SDK reference documentation.

API

Delete an existing packet mirroring policy.

DELETE https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings/policy-name

Replace the placeholders with valid values:

  • project-id is the ID of the project where the policy is located.
  • policy-name is the name of the packet mirroring policy to delete.
  • region is the region where policy is located.

For more information and descriptions for each field, refer to the packetmirrorings.delete method.

Troubleshooting

If your packet mirroring policy isn't collecting the intended mirrored traffic, check the following configurations:

  • Check that the policy is enabled. A disabled policy is kept but mirrors nothing.

  • Check that the collector forwarding rule is configured as a packet mirroring collector and is in the same region as the policy and the mirrored instances. Non-mirrored traffic sent to a collector forwarding rule is dropped, and a forwarding rule that is not a collector does not accept mirrored traffic.

  • Check that you have firewall rules that allow traffic from the mirrored instances to the collector instances, and that the collector instances pass their health check.

  • Check that your mirrored sources include the instances to mirror and nothing else. For example, if you specify a subnet as a mirrored source, all existing and future instances in the subnet are mirrored. If you specify tags, only instances that have at least one matching tag are mirrored. Collector instances are never mirrored, even if they match a source.

  • Check that the packet mirroring filters aren't too broad or too narrow. You might have unintentionally configured filters to include or exclude certain traffic; with no filter, all traffic to and from the mirrored instances is sent to the collector.
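As an added example that is not part of the Google Cloud documentation, the script below audits a policy description for the mistakes listed above: a disabled policy, a collector forwarding rule in a different region, and a policy with no mirrored sources, and it warns when no filter is set. It reads the output of gcloud beta compute packet-mirrorings describe POLICY --region=REGION --format=flattened saved to a file (one "key: value" line per field). The two sample descriptions are constructed for illustration, and the project, region and resource names in them are assumed.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud documentation: audit a packet
# mirroring policy description (gcloud ... describe --format=flattened saved
# to a file) for common misconfigurations. Samples below are constructed;
# project, region and names in them are assumed values.
set -eu

field() {  # field FILE KEY -> value of KEY, empty if the key is absent
  awk -v k="$2:" '$1 == k { sub(/^[^ ]+ */, ""); print; exit }' "$1"
}

count_keys() {  # count_keys FILE PREFIX -> number of keys starting with PREFIX
  awk -v p="$2" 'index($1, p) == 1 { n++ } END { print n + 0 }' "$1"
}

audit_policy() {  # audit_policy FILE -> prints findings; returns 1 if any
  f="$1"; findings=0
  policy_region=$(field "$f" region | sed 's#.*/##')
  ilb_region=$(field "$f" collectorIlb.url | sed -n 's#.*/regions/\([^/]*\)/.*#\1#p')
  if [ "$(field "$f" enable)" != "TRUE" ]; then
    echo "disabled: enable is not TRUE, nothing is mirrored"
    findings=$((findings + 1))
  fi
  if [ -z "$ilb_region" ]; then
    echo "no collector: collectorIlb.url is missing"
    findings=$((findings + 1))
  elif [ "$ilb_region" != "$policy_region" ]; then
    echo "region mismatch: collector is in $ilb_region, policy is in $policy_region"
    findings=$((findings + 1))
  fi
  n_sub=$(count_keys "$f" mirroredResources.subnetworks)
  n_tag=$(count_keys "$f" mirroredResources.tags)
  n_inst=$(count_keys "$f" mirroredResources.instances)
  if [ $((n_sub + n_tag + n_inst)) -eq 0 ]; then
    echo "no mirrored sources: no instance can match this policy"
    findings=$((findings + 1))
  fi
  # Not a failure, but worth knowing: an unfiltered policy sends everything.
  if [ "$(count_keys "$f" filter.)" -eq 0 ]; then
    echo "note: no filter, all traffic from mirrored sources goes to the collector"
  fi
  [ "$findings" -eq 0 ]
}

write_bad_sample() {  # constructed: disabled, collector in another region, no sources
  cat >"$1" <<'EOF'
collectorIlb.url: https://www.googleapis.com/compute/beta/projects/my-project/regions/us-east1/forwardingRules/collector-fr
enable: FALSE
filter.IPProtocols[0]: tcp
name: mirror-prod-subnet
network.url: https://www.googleapis.com/compute/beta/projects/my-project/global/networks/prod-vpc
priority: 1000
region: https://www.googleapis.com/compute/beta/projects/my-project/regions/us-central1
EOF
}

write_good_sample() {  # constructed: enabled, same region, subnet + tag, filtered
  cat >"$1" <<'EOF'
collectorIlb.url: https://www.googleapis.com/compute/beta/projects/my-project/regions/us-central1/forwardingRules/collector-fr
enable: TRUE
filter.IPProtocols[0]: tcp
filter.cidrRanges[0]: 10.10.0.0/24
mirroredResources.subnetworks[0].url: https://www.googleapis.com/compute/beta/projects/my-project/regions/us-central1/subnetworks/prod-subnet
mirroredResources.tags[0]: web
name: mirror-prod-subnet
network.url: https://www.googleapis.com/compute/beta/projects/my-project/global/networks/prod-vpc
priority: 1000
region: https://www.googleapis.com/compute/beta/projects/my-project/regions/us-central1
EOF
}

# Demonstration on the constructed "bad" sample; replace with your own file.
sample="${TMPDIR:-/tmp}/pm-audit-$$.txt"
write_bad_sample "$sample"
if audit_policy "$sample"; then echo "policy looks consistent"; fi
rm -f "$sample"
```

The collector check only compares regions; whether the forwarding rule is actually flagged as a mirroring collector is visible on the forwarding rule itself (gcloud compute forwarding-rules describe), not on the policy.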