Create and manage mirroring deployments

Mirroring deployment lets you expose a zonal set of load balanced appliances so that mirroring deployment can be used by the mirroring endpoint groups.

This page explains how to create and manage mirroring deployment.

Before you begin

Roles

To get the permissions that you need to create, view, or delete mirroring deployments, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

To check the progress of the operations listed on this page, make sure that your user role has the following Mirroring Deployment Admin role (roles/networksecurity.mirroringDeploymentAdmin) permissions:

  • networksecurity.mirroringDeployments.create
  • networksecurity.mirroringDeployments.delete
  • networksecurity.mirroringDeployments.get
  • networksecurity.mirroringDeployments.list

Create a mirroring deployment

Create a mirroring deployment to represent the producer side within a zone and associate it with the mirroring deployment group. We recommend that you create the mirroring deployment in a project owned by your security administrator.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

    Go to Deployment groups

  2. Click filter_listFilter.

  3. From the Properties list, select Purpose and then for Value, select NSI out-of-band.

  4. Click the deployment group where you want to add the mirroring deployment.

  5. Click Create mirroring deployment.

  6. For Name, enter a name of the mirroring deployment.

  7. For Region and Zone, select your region and zone.

  8. For Load balancer, select the internal passthrough Network Load Balancer.

  9. For Forwarding rule, select the UDP forwarding rule of the load balancer. If the load balancer has only one forwarding rule, it is selected by default and the field is disabled.

  10. Click Create.

gcloud

To create a mirroring deployment, use the gcloud network-security mirroring-deployments create command:

 gcloud network-security mirroring-deployments \ create DEPLOYMENT \ --location ZONE \ --forwarding-rule FWD_RULE \ --forwarding-rule-location REGION \ --mirroring-deployment-group DEPLOYMENT_GROUP_ID \ --is-mirroring-collector --no-async

Replace the following:

  • DEPLOYMENT: the name of the mirroring deployment; you can specify the name as a string or as a unique URL identifier.

  • ZONE: the zone of the mirroring deployment

  • FWD_RULE:the forwarding rule to direct network traffic to a load balance

  • REGION: the region of the forwarding rule

  • DEPLOYMENT_GROUP_ID: the ID of the mirroring deployment group

Terraform

To create a mirroring deployment, you can use a google_network_security_mirroring_deployment resource.

resource "google_network_security_mirroring_deployment" "default" { mirroring_deployment_id = "mirroring-deployment" location = "us-central1-a" forwarding_rule = google_compute_forwarding_rule.default.id mirroring_deployment_group = google_network_security_mirroring_deployment_group.default.id }

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

View mirroring deployment

You can view the details of a specific mirroring deployment in a project.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

    Go to Deployment groups

  2. Click the name of the deployment group.

  3. Click the name of the deployment.

gcloud

To view details of a mirroring deployment, use the gcloud network-security mirroring-deployments describe command:

 gcloud network-security mirroring-deployments \ describe DEPLOYMENT \ --location ZONE \ --project PROJECT

Replace the following:

  • DEPLOYMENT: the name of the mirroring deployment

  • ZONE: the zone of the mirroring deployment

  • PROJECT: the project name of the mirroring deployment

List mirroring deployments

You can list all the mirroring deployments in a project.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

    Go to Deployment groups

  2. Click the name of the deployment group.

gcloud

To list mirroring deployments, use the gcloud network-security mirroring-deployments list command:

 gcloud network-security mirroring-deployments list \ --location ZONE \ --project PROJECT

Replace the following:

  • ZONE: the zone of the mirroring deployment

  • PROJECT: the name of your mirroring deployment project

Delete a mirroring deployment

You can delete a mirroring deployment by specifying its name, location, and project. However, if a mirroring deployment is referenced by a mirroring deployment group, then it cannot be deleted.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

    Go to Deployment groups

  2. Click the name of the mirroring deployment group.

  3. Select the checkbox of the mirroring deployment and click Delete.

  4. Click Delete again to confirm.

gcloud

To delete a mirroring deployment, use the gcloud network-security mirroring-deployments delete command:

 gcloud network-security mirroring-deployments \ delete DEPLOYMENT \ --location ZONE \ --project PROJECT \ --no-async

Replace the following:

  • DEPLOYMENT: the name of the mirroring deployment

  • ZONE: the zone of the mirroring deployment

  • PROJECT: the project name of the mirroring deployment

What's next