Use Packet Mirroring to mirror traffic to and from particular VM instances. You can use the collected traffic to help you detect security threats and monitor application performance. For details about Packet Mirroring, see the Packet Mirroring overview.
The following sections describe how to create and manage packet mirroring policies.
Before you begin
Before you create a packet mirroring policy, you must have the appropriate permissions. You must also create an internal load balancer, which is the collector destination, in the same region as the instances to mirror.
Permissions
To create and manage packet mirroring policies, Google Cloud provides two roles that are related to Packet Mirroring:
compute.packetMirroringUsergrants users permission to create, update, and delete packet mirroring policies. To use Packet Mirroring, users must have this role in projects where they create packet mirroring policies.compute.packetMirroringAdmingrants users permission to mirror particular resources. Even if users have permission to create a packet mirroring policy, they still require permission to mirror related sources. Use this role in projects where the owner of a policy might not have any other permissions, for example, in Shared VPC scenarios.
For more information about using Cloud IAM roles, see Granting, changing, and revoking access to resources in the Cloud IAM documentation.
Internal load balancer
You must have an internal TCP/UDP load balancer that is configured for packet mirroring, and it must be located in the same region as the instances that you're mirroring. All traffic from mirrored sources is sent to the collector instances that are behind the load balancer.
To configure the internal load balancer for Packet Mirroring, the forwarding rule must be configured as a packet mirroring collector. Non-mirrored traffic that is sent to the load balancer is dropped. Also, if a packet mirroring policy might apply to the collector instances, Packet Mirroring ignores them and doesn't mirror their traffic.
For details about configuring internal load balancers, see configuring load balancer components.
Firewall rules
Mirrored traffic must be allowed to go from source instances to the destination instances that are part of the internal load balancer. You might already have existing rules that allows this traffic.
- Check that mirrored instances have an egress rule that allows them to send traffic to forwarding rule of the internal load balancer.
- Check that collector instances in the load balancer's instance group have an
ingress rule that allows them to receive traffic from mirrored instances or
from the IP address range of mirrored instances. For example, you can specify
a source range
0.0.0.0/0to collect all incoming traffic from mirrored instances. To prevent internet traffic from reaching the collector instances, assign only internal IP addresses to them.
If you don't have existing rules that allows this traffic, see Using firewall rules to create them.
Creating a packet mirroring policy
Create a packet mirroring policy to start mirroring traffic to and from particular instances.
Console
- Go to the Packet Mirroring page in the Google Cloud Console.
Go to the Packet Mirroring page - Click Create.
Enter the following information about the policy, and then click Continue.
- Enter a name for the policy.
- Select the region that includes the mirrored sources and collector destination. The packet mirroring policy must be in the same region as the source and destination.
- Enter a priority for the policy. Google Cloud uses the priority value to determine which policy to use when multiple policies can apply.
- Select Enabled to activate the policy when you create it.
Select the VPC networks where the mirrored source and collector destination are located, and then click Continue.
The source and destination can be in the same or different VPC networks. If they are in the same VPC network, select Mirrored sources and destination are in the same VPC network, and then select the network. If they are in different networks, select Mirrored source and collector destination are in separete, peered VPC networks, and then select the mirrored source network and then the collector destination network.
Select mirrored sources, and then click Continue. You can select one or more sources. Google Cloud mirrors any instance that matches at least one of your selected sources.
- Subnets - select one ore more subnets. Google Cloud mirrors existing and future instances in selected subnets.
- Network tag - specify one or more network tags. Google Cloud mirrors instances that have at least one of the specified tag.
- Instance name - select specific instances to mirror.
Select an internal load balancer that has been configured for Packet Mirroring, and then click Continue. Google Cloud sends mirrored traffic to instances that are behind the internal load balancer.
If you want to limit what traffic is mirrored, select Mirror filtered traffic. By default, Google Cloud mirrors all traffic.
You can choose to mirror traffic based on IP address ranges, protocols, or both.
Click Submit to create the packet mirroring policy.
gcloud
Create a packet mirroring policy and specify one or more sources to mirror. Google Cloud mirrors any instance that matches at least one of your specified sources.
gcloud beta compute packet-mirrorings create policy-name \ --region=region \ --network=network-name \ --collector-ilb=forwarding-rule-name \ [--mirrored-subnets=subnet,[subnet,...]] \ [--mirrored-tags=tag,[tag,...]] \ [--mirrored-instances=instance,[instance,...]] \ [--filter-cidr-ranges=address-range,[address-range,...]] \ [--filter-protocols=protocol,[protocol,...]] \ [--priority=priority-number]
Replace the placeholders with valid values:
- policy-name is a name for the packet mirroring policy.
- region is the region where the mirrored sources and collector destination are located.
- network-name is the network where the mirrored sources are located.
- forwarding-rule-name is the name of a forwarding rule that is configured as a mirroring collector. Google Cloud sends all mirrored traffic to the associated internal load balancer.
- subnet is the name of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
- tag is a network tag. Google Cloud mirrors instances that have the network tag.
- instance is the fully qualified ID of an instance to mirror.
- address-range is an IP address range (CIDR range) to mirror.
- protocol is an IP address protocol to mirror (TCP, UDP, or ICMP).
- priority-number is a number
0through65535. Google Cloud uses the priority value to determine which policy to use when multiple policies can apply.
For more information and descriptions for each flag, see the SDK reference documentation.
API
Create a packet mirroring policy and specify one or more sources to mirror. Google Cloud mirrors any instance that matches at least one of your specified sources.
POST https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings
{
"name": "policy-name",
"network": {
"url": "network-url"
},
"priority": priority,
"mirroredResources": {
"subnetworks": [
{
"url": "subnet-url"
}
],
"tags": [
"tag"
],
"instances": [
{
"url": "instance"
}
]
},
"collectorIlb": {
"url": "forwarding-rule-url"
},
"filter": {
"IPProtocols": [
"protocol"
],
"cidrRanges": [
"address-range"
]
}
}
Replace the placeholders with valid values:
- project-id is the ID of the project where the policy is created.
- policy-name is a name for the packet mirroring policy.
- region is the region where the mirrored sources and collector destination are located.
- network-url is the URL of the network where the mirrored sources are located.
- forwarding-rule-url is the URL of a forwarding rule that is configured as a mirroring collector. Google Cloud sends all mirrored traffic to the associated internal load balancer.
- subnet-url is the URL of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
- tag is a network tag. Google Cloud mirrors instances that have the network tag.
- instance is the fully qualified ID of an instance to mirror.
- address-range is an IP address range (CIDR range) to mirror.
- protocol is an IP address protocol to mirror (TCP, UDP, or ICMP).
- priority-number is a number
0through65535. Google Cloud uses the priority value to determine which policy to use when multiple policies can apply.
For more information and descriptions for each field, refer to the
packetmirrorings.insert method.
To verify that your packet mirroring policy is in effect, see Monitoring packet mirroring policies.
Modifying a packet mirroring policy
Update an existing policy to change its priority, mirrored sources, or collector destination.
Console
- Go to the Packet Mirroring page in the Google Cloud Console.
Go to the Packet Mirroring page - From the list of packet mirroring policies, click the one that you want to edit.
- On the policy details page, click Edit.
- Edit the fields that you want to update. The console follows the same flow as the when you create a policy. For information about each field, see Creating a packet mirroring policy
gcloud
Update an existing packet mirroring policy.
gcloud beta compute packet-mirrorings update policy-name \ --region=region \ [--collector-ilb=forwarding-rule-name] \ [--mirrored-subnets=subnet,[subnet,...]] \ [--mirrored-tags=tag,[tag,...]] \ [--mirrored-instances=instance,[instance,...]] \ [--filter-cidr-ranges=address-range,[address-range,...]] \ [--filter-protocols=protocol,[protocol,...]]
Replace the placeholders with valid values:
- policy-name is the name for the packet mirroring policy to modify.
- region is the region where the policy is located.
- forwarding-rule-name is the name of a forwarding rule that is configured as a collector. Google Cloud sends all mirrored traffic to the associated internal load balancer.
- subnet is the name of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
- tag is a network tag. Google Cloud mirrors instances that have the network tag.
- instance is the fully qualified ID of an instance to mirror.
- address-range is an IP address range (CIDR range) to mirror.
- protocol is an IP address protocol to mirror (TCP, UDP, or ICMP).
For more information and descriptions for each flag, see the SDK reference documentation.
API
Update an existing packet mirroring policy.
PATCH https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings/policy-name
{
"priority": priority,
"mirroredResources": {
"subnetworks": [
{
"url": "subnet-url"
}
],
"tags": [
"tag"
],
"instances": [
{
"url": "instance"
}
]
},
"collectorIlb": {
"url": "forwarding-rule-url"
},
"filter": {
"IPProtocols": [
"protocol"
],
"cidrRanges": [
"address-range"
]
}
}
Replace the placeholders with valid values:
- project-id is the ID of the project where the policy is located.
- policy-name is the name of the packet mirroring policy to modify.
- region is the region where policy is located.
- forwarding-rule-url is the URL of a forwarding rule that is configured as a mirroring collector. Google Cloud sends all mirrored traffic to the associated internal load balancer.
- subnet-url is the URL of a subnet to mirror. Google Cloud mirrors existing and future instances in the subnet.
- tag is a network tag. Google Cloud mirrors instances that have the network tag.
- instance is the fully qualified ID of an instance to mirror.
- address-range is an IP address range (CIDR range) to mirror.
- protocol is an IP address protocol to mirror (TCP, UDP, or ICMP).
- priority-number is a number
0through65535. Google Cloud uses the priority value to determine which policy to use when multiple policies can apply.
For more information and descriptions for each field, refer to the
packetmirrorings.patch method.
Listing packet mirroring policies
List packet mirroring policies to view existing policies.
Console
Go to the Packet Mirroring page in the Google Cloud Console.
Go to the Packet Mirroring pageThe Cloud Console list all of the policies in your project.
gcloud
List existing packet mirroring policies that are in your project or for a particular region.
gcloud beta compute packet-mirrorings list \ [--filter="region:(region...)"]
Replace region with the name of the region that contains the policies to list.
For more information and descriptions for each flag, see the SDK reference documentation.
API
List existing packet mirroring policies that are in your project.
GET https://compute.googleapis.com/compute/beta/projects/project-id/aggregated/packetMirrorings
List existing packet mirroring policies for a particular region.
GET https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings
Replace the placeholders with valid values:
- project-id is the ID of the project that contains the policies to list.
- region is the region that contains the policies to list.
For more information and descriptions for each field, refer to the
packetmirrorings.aggregatedList or
packetmirrorings.list methods.
Describing a packet mirroring policy
View details of an existing packet mirroring policy to see, for example, its priority or filters.
Console
- Go to the Packet Mirroring page in the Google Cloud Console.
Go to the Packet Mirroring page From the list of packet mirroring policies, select the one that you want to view.
The Cloud Console shows the details of the policy that you selected.
gcloud
Describe an existing packet mirroring policy to view its details.
gcloud beta compute packet-mirrorings describe policy-name \ --region=region \
Replace the placeholders with valid values:
- policy-name is the name for the packet mirroring policy to describe.
- region is the region where the policy is located.
For more information and descriptions for each flag, see the SDK reference documentation.
API
Describe an existing packet mirroring policy to view its details.
GET https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings/policy-name
Replace the placeholders with valid values:
- project-id is the ID of the project where the policy is located.
- policy-name is the name of the packet mirroring policy to describe.
- region is the region where policy is located.
For more information and descriptions for each field, refer to the
packetmirrorings.get method.
Disabling or enabling a packet mirroring policy
Disable or enable a packet mirroring policy to stop or start collecting mirrored traffic.
Console
- Go to the Packet Mirroring page in the Google Cloud Console.
Go to the Packet Mirroring page - From the list of packet mirroring policies, select the one to disable or enable.
- Click Disable or Enable.
- Confirm by clicking Disable or Enable
gcloud
Disable an existing packet mirroring policy.
gcloud beta compute packet-mirrorings update policy-name \ --region=region \ --no-enable
Enable an existing packet mirroring policy.
gcloud beta compute packet-mirrorings update policy-name \ --region=region \ --enable
Replace the placeholders with valid values:
- policy-name is the name for the packet mirroring policy to disable or enable.
- region is the region where the policy is located.
For more information and descriptions for each flag, see the SDK reference documentation.
API
Disable or enable an existing packet mirroring policy.
PATCH https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings/policy-name
{
"enable": "FALSE|TRUE"
}
Replace the placeholders with valid values:
- project-id is the ID of the project where the policy is located.
- policy-name is the name of the packet mirroring policy to disable.
- region is the region where policy is located.
For more information and descriptions for each field, refer to the
packetmirrorings.patch method.
Deleting a packet mirroring policy
Delete a packet mirroring policy to remove it from your project. After you delete a policy, Google Cloud stops mirroring all traffic that is related to the policy.
Console
- Go to the Packet Mirroring page in the Google Cloud Console.
Go to the Packet Mirroring page - From the list of packet mirroring policies, select the one that you want to disable.
- Click Delete.
- Confirm by clicking Delete.
gcloud
Delete an existing packet mirroring policy.
gcloud beta compute packet-mirrorings delete policy-name \ --region=region \
Replace the placeholders with valid values:
- policy-name is the name for the packet mirroring policy to delete.
- region is the region where the policy is located.
For more information and descriptions for each flag, see the SDK reference documentation.
API
Delete an existing packet mirroring policy.
DELETE https://compute.googleapis.com/compute/beta/projects/project-id/regions/region/packetMirrorings/policy-name
Replace the placeholders with valid values:
- project-id is the ID of the project where the policy is located.
- policy-name is the name of the packet mirroring policy to delete.
- region is the region where policy is located.
For more information and descriptions for each field, refer to the
packetmirrorings.delete method.
Troubleshooting
If your packet mirroring policy isn't collecting the intended mirrored traffic, check the following configurations:
Check that you have firewall rules that allow traffic from mirrored instances to the collector instances.
Check that your mirrored sources include or exclude the instances to mirror. For example, if you specify a subnet as a mirrored source, all existing and future instances in the subnet are mirrored. If you specify tags, only instances that have matching tags are mirrored.
Check that the packet mirroring filters aren't too broad or too narrow. You might have unintentionally configured filters to include or exclude certain traffic.