Best practices for Cloud IDS

This page provides best practices for configuring Cloud IDS.

Cloud IDS is an intrusion detection service that provides threat detection for intrusions, malware, spyware, and command-and-control attacks on your network. Cloud IDS uses a resource known as an IDS endpoint, a zonal resource that can inspect traffic from any zone in its region. Each IDS endpoint receives mirrored traffic and performs threat detection analysis.

Deploy IDS endpoints

  • Create an IDS endpoint in each region that you want to monitor by using Cloud IDS. You can create multiple IDS endpoints for each region.
  • Allow up to 20 minutes for Cloud IDS to create and configure firewalls.
  • During IDS endpoint creation, you must choose a minimum alert severity level; the endpoint reports threats at that severity and above. For maximum visibility, we recommend the informational level, which also produces the highest alert volume, so plan your alert routing accordingly.
  • If you use the Packet mirroring page in the Google Cloud console to create a packet mirroring policy, ensure that you enable Allow both ingress and egress traffic.
  • If you use the Cloud IDS page to configure an IDS endpoint, you do not need to enable Allow both ingress and egress traffic because it is automatically enabled.

Each IDS endpoint has a maximum inspection capacity of 5 Gbps. Although an endpoint can absorb short anomalous spikes of up to 17 Gbps, provision one IDS endpoint for every 5 Gbps of sustained throughput that your mirrored sources generate, and split those sources across the endpoints with separate packet mirroring policies, because each policy delivers to a single collector endpoint.

Attach packet mirroring policies

  • We recommend that you attach more than one packet mirroring policy to an IDS endpoint when you want to mirror traffic from multiple types of sources, including subnets, instances, or network tags. You can only mirror traffic from subnets that exist in the same region as the IDS endpoint.
  • Mirror only the subnets whose traffic you need Cloud IDS to inspect. Every mirrored byte counts against the endpoint's 5 Gbps capacity, so mirroring subnets you do not care about wastes capacity and adds noise.
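The two procedures above (size and create the endpoints, then attach a mirroring policy to each) as one script. This is an added example, not code from the Cloud IDS documentation. The project, network, zone, subnet names and the 12 Gbps throughput figure are assumptions that you override through environment variables; the round-robin assignment of subnets to endpoints is the example's own way of splitting load, and in practice you would group subnets by their measured throughput. The gcloud commands it emits use the documented `gcloud ids endpoints create/describe` and `gcloud compute packet-mirrorings create` flags; `--filter-direction=both` is the CLI counterpart of the console's "Allow both ingress and egress traffic" setting.

```shell
#!/bin/sh
# Added example, not from the Cloud IDS documentation. Sizes Cloud IDS for one
# region at one endpoint per 5 Gbps, creates the endpoints with gcloud, and
# attaches one packet mirroring policy per endpoint. All values below are
# assumptions; override them through the environment.
set -eu

PROJECT="${PROJECT:-example-project}"      # assumed project ID
NETWORK="${NETWORK:-prod-vpc}"             # assumed VPC network name
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"              # endpoints are zonal but inspect any zone in REGION
SUBNETS="${SUBNETS:-web-subnet,app-subnet,db-subnet,batch-subnet}"  # must all be in REGION
SEVERITY="${SEVERITY:-INFORMATIONAL}"      # minimum severity to report; INFORMATIONAL reports everything
THROUGHPUT_GBPS="${THROUGHPUT_GBPS:-12}"   # sustained mirrored throughput for the region (assumed)

# One endpoint per 5 Gbps of sustained throughput: ceil(gbps / 5), at least 1.
endpoints_needed() {
  local n
  n=$(( ($1 + 4) / 5 ))
  if [ "$n" -lt 1 ]; then n=1; fi
  echo "$n"
}

# Round-robin the mirrored subnets over the endpoints so that no single
# endpoint receives all of them (a mirroring policy delivers to one collector).
# Prints the comma-separated subnets for endpoint number idx of total.
subnets_for_endpoint() {
  local idx="$1" total="$2" k=0 out="" old_ifs="$IFS" s
  IFS=','
  for s in $SUBNETS; do
    if [ $((k % total)) -eq $((idx - 1)) ]; then
      out="${out:+$out,}$s"
    fi
    k=$((k + 1))
  done
  IFS="$old_ifs"
  echo "$out"
}

# gcloud command that creates one IDS endpoint (printed, not run here).
endpoint_create_cmd() {
  printf 'gcloud ids endpoints create %s --project=%s --network=%s --zone=%s --severity=%s\n' \
    "$1" "$PROJECT" "$NETWORK" "$ZONE" "$SEVERITY"
}

# gcloud command that creates a packet mirroring policy delivering to the
# endpoint's forwarding rule ($2) for the given subnets ($3).
# --filter-direction=both mirrors ingress and egress, as the console setting does.
mirroring_create_cmd() {
  printf 'gcloud compute packet-mirrorings create %s --project=%s --region=%s --network=%s --mirrored-subnets=%s --collector-ilb=%s --filter-direction=both\n' \
    "$1" "$PROJECT" "$REGION" "$NETWORK" "$3" "$2"
}

total=$(endpoints_needed "$THROUGHPUT_GBPS")
i=1
while [ "$i" -le "$total" ]; do
  name="ids-${REGION}-${i}"
  policy="mirror-to-${name}"
  subnets=$(subnets_for_endpoint "$i" "$total")
  if [ "${1:-}" = "--apply" ]; then
    # Endpoint creation can take up to 20 minutes; gcloud waits unless --async is given.
    eval "$(endpoint_create_cmd "$name")"
    # The policy's collector is the forwarding rule that Cloud IDS created for the endpoint.
    fr=$(gcloud ids endpoints describe "$name" --project="$PROJECT" --zone="$ZONE" \
          --format='value(endpointForwardingRule)')
    eval "$(mirroring_create_cmd "$policy" "$fr" "$subnets")"
  else
    # Preview mode: print the commands that --apply would run.
    endpoint_create_cmd "$name"
    mirroring_create_cmd "$policy" "FORWARDING_RULE_OF_${name}" "$subnets"
  fi
  i=$((i + 1))
done
```

Run it with no arguments to preview the commands; run it with `--apply` (with gcloud authenticated and the Cloud IDS API enabled in the project) to create the resources. With the assumed 12 Gbps it provisions three endpoints and three policies, each policy mirroring a disjoint share of the subnets.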

What's next