Create a mirroring endpoint group association to attach a mirroring endpoint group to a Virtual Private Cloud (VPC) network. You can create a mirroring endpoint group globally and associate it with one or more VPC networks to monitor workloads.
This page explains how to create and manage mirroring endpoint group associations.
Before you begin
You need a VPC network and a subnet.
You must enable the Compute Engine API in your Google Cloud project.
You must enable the Network Security API in your Google Cloud project.
Install the Google Cloud CLI if you want to run the gcloud command-line examples in this guide.
You must have a mirroring endpoint group.
Roles
To get the permissions that you need to create, view, or delete mirroring endpoint group associations, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.
To check the progress of the operations listed on this page, make sure that your user role has the following permissions, which are included in the Mirroring Endpoint Admin role (roles/networksecurity.mirroringEndpointAdmin) and the Mirroring Endpoint User role (roles/networksecurity.mirroringEndpointUser):
networksecurity.mirroringEndpointGroupAssociations.create
networksecurity.mirroringEndpointGroupAssociations.delete
networksecurity.mirroringEndpointGroupAssociations.update
networksecurity.mirroringEndpointGroupAssociations.get
networksecurity.mirroringEndpointGroupAssociations.list
Quotas
To view quotas associated with mirroring endpoint group associations, see Quotas and limits.
Create mirroring endpoint group associations
You can associate one or more VPC networks with a specific mirroring endpoint group in the same zone.
On the Create and manage mirroring endpoint groups page, you created a mirroring endpoint group, which is where mirrored network traffic is inspected. However, you still need to specify which VPC networks' traffic can be inspected. To do this, you create a project-level mirroring endpoint group association.
Console
In the Google Cloud console, go to the Endpoint groups page.
Click the name of the endpoint group.
In the Associations section, click Create.
In the Create associations pane, click Add endpoint group association.
For Project and Network, select the project and the VPC network that hosts the mirroring endpoint group.
Click Done.
Click Create.
gcloud
To create a mirroring endpoint group association, use the gcloud network-security mirroring-endpoint-group-associations create command:
gcloud network-security mirroring-endpoint-group-associations \
    create ENDPOINT_GROUP_ASSOCIATION \
    --location global \
    --project PROJECT_NAME \
    --network NETWORK \
    --mirroring-endpoint-group ENDPOINT_GROUP \
    --no-async
Replace the following:
ENDPOINT_GROUP_ASSOCIATION: the name of the mirroring endpoint group association
PROJECT_NAME: the Google Cloud project name of the network
NETWORK: the name of the network
ENDPOINT_GROUP: the name of the mirroring endpoint group
Terraform
To create a mirroring endpoint group association, you can use a google_network_security_mirroring_endpoint_group_association resource.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
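The following is an added Terraform example, not a configuration from this page, that associates an existing mirroring endpoint group with an existing VPC network. The resource argument names are assumed from the Google provider's schema for this resource, and PROJECT_NAME, NETWORK, ENDPOINT_GROUP and ENDPOINT_GROUP_ASSOCIATION are placeholders to replace with your own values.

```hcl
# Added example, not from the page. Argument names are assumed from the
# Google provider schema; placeholder values match the gcloud examples above.

resource "google_network_security_mirroring_endpoint_group_association" "example" {
  # Name of the association; matches ENDPOINT_GROUP_ASSOCIATION in the gcloud command.
  mirroring_endpoint_group_association_id = "ENDPOINT_GROUP_ASSOCIATION"

  # Associations are global resources, as in the --location global flag.
  location = "global"
  project  = "PROJECT_NAME"

  # Fully qualified ID of the VPC network whose traffic may be mirrored.
  network = "projects/PROJECT_NAME/global/networks/NETWORK"

  # Fully qualified ID of the existing mirroring endpoint group to attach.
  mirroring_endpoint_group = "projects/PROJECT_NAME/locations/global/mirroringEndpointGroups/ENDPOINT_GROUP"

  # Labels help track which associations authorize mirroring of which networks.
  labels = {
    purpose = "traffic-mirroring"
  }
}
```

Apply the configuration with the Basic Terraform commands linked above; removing the resource and applying again deletes the association, which is the Terraform equivalent of the gcloud delete command on this page.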
View mirroring endpoint associations
You can view the details of a specific mirroring endpoint group association in a zone.
Console
In the Google Cloud console, go to the Endpoint groups page.
Click the name of the mirroring endpoint group. The Associations section lists the details of the mirroring endpoint associations.
gcloud
To view a mirroring endpoint group association, use the gcloud network-security mirroring-endpoint-group-associations describe command:
gcloud network-security mirroring-endpoint-group-associations \
    describe ENDPOINT_GROUP_ASSOCIATION \
    --location global \
    --project PROJECT_NAME
Replace the following:
ENDPOINT_GROUP_ASSOCIATION: the name of the mirroring endpoint group association
PROJECT_NAME: the project name of the mirroring endpoint group association
List mirroring endpoint group associations
You can list the mirroring endpoint group associations for a network, a project, or a mirroring endpoint group.
Console
In the Google Cloud console, go to the Endpoint groups page.
Click the name of the mirroring endpoint group. The Associations section lists all mirroring endpoint associations of the mirroring endpoint group.
gcloud
To list the mirroring endpoint group associations in a project, use the gcloud network-security mirroring-endpoint-group-associations list command:
gcloud network-security mirroring-endpoint-group-associations list \
    --project PROJECT_NAME \
    --network NETWORK
Replace the following:
PROJECT_NAME: the project name of the mirroring endpoint group association
NETWORK: the name of the VPC network
Delete a mirroring endpoint group association
You can delete a mirroring endpoint group association for a specific VPC network.
Console
In the Google Cloud console, go to the Endpoint groups page.
Click the name of the mirroring endpoint group.
In the Associations section, select the mirroring endpoint association to delete.
Click Delete.
Click Delete again to confirm.
gcloud
To delete a mirroring endpoint group association, use the gcloud network-security mirroring-endpoint-group-associations delete command:
gcloud network-security mirroring-endpoint-group-associations \
    delete ENDPOINT_GROUP_ASSOCIATION \
    --location global \
    --project PROJECT_NAME \
    --no-async
Replace the following:
ENDPOINT_GROUP_ASSOCIATION: the name of the mirroring endpoint group association
PROJECT_NAME: the project name of the mirroring endpoint group association
What's next
- Mirroring endpoint groups overview
- Create and manage mirroring endpoint groups
- Out-of-band integration overview