Cloud IDS overview

Cloud IDS is an intrusion detection service that provides threat detection for intrusions, malware, spyware, and command-and-control attacks on your network. Cloud IDS works by creating a Google-managed peered network with mirrored virtual machine (VM) instances. Traffic in the peered network is mirrored and then inspected by Palo Alto Networks threat protection technologies to provide advanced threat detection. You can mirror all traffic, or you can mirror filtered traffic based on protocol, IP address range, or ingress and egress.

Cloud IDS provides full visibility into network traffic, including both north-south and east-west traffic, letting you monitor VM-to-VM communication to detect lateral movement. This provides an inspection engine that inspects intra-subnet traffic.

You can also use Cloud IDS to meet your advanced threat detection and compliance requirements, including PCI 11.4 and HIPAA.

Cloud IDS is subject to Google Cloud's Cloud Data Processing Addendum.

Cloud IDS detects and alerts on threats, but it does not take action to prevent attacks or repair damage. To take action on the threats that Cloud IDS detects, you can use products such as Google Cloud Armor.

The following sections provide details about IDS endpoints and advanced threat detection.

IDS endpoints

Cloud IDS uses a resource known as an IDS endpoint, a zonal resource that can inspect traffic from any zone in its region. Each IDS endpoint receives mirrored traffic and performs threat detection analysis.

Private services access is a private connection between your Virtual Private Cloud (VPC) network and a network owned by Google or a third party. In the case of Cloud IDS, the private connection connects your VMs to the Google-managed peered VMs. For IDS endpoints in the same VPC network, the same private connection is re-used, but a new subnet is assigned for each endpoint. If you need to add IP address ranges to an existing private connection, you must modify the connection.

You can use Cloud IDS to create an IDS endpoint in each region that you want to monitor. You can create multiple IDS endpoints for each region. Each IDS endpoint has a maximum inspection capacity of 5 Gbps. While each IDS endpoint can handle anomalous traffic spikes of up to 17 Gbps, we recommend that you configure one IDS endpoint for every 5 Gbps of throughput that your network experiences.

Packet mirroring policies

Cloud IDS uses Google Cloud Packet Mirroring, which creates a copy of your network traffic. After creating an IDS endpoint, you must attach one or more packet mirroring policies to it. These policies send mirrored traffic to a single IDS endpoint for inspection. The packet mirroring logic sends all traffic from individual VMs to Google-managed IDS VMs: for example, all traffic mirrored from VM1 and VM2 is always sent to IDS-VM1.

Advanced threat detection

Cloud IDS threat detection capabilities are powered by the following Palo Alto Networks threat prevention technologies.


Palo Alto Networks' Application ID (App-ID) provides visibility into the applications running on your network. App-ID uses multiple identification techniques to determine the identity of applications traversing your network, irrespective of port, protocol, evasive tactic, or encryption. App-ID identifies the application, providing you with knowledge to help secure your application.

The list of App-IDs is expanded weekly, with three to five new applications typically added based on input from customers, partners, and market trends. After a new App-ID is developed and tested, it is automatically added to the list as part of the daily content updates.

You can view application information on the IDS Threats page in the Google Cloud console.

Go to IDS Threats

Default signature set

Cloud IDS provides a default set of threat signatures that you can use immediately to protect your network from threats. In the Google Cloud console, this signature set is called a Cloud IDS service profile. You can customize this set by choosing the minimum alert severity level. The signatures are used to detect vulnerabilities and spyware.

  • Vulnerability detection signatures detect attempts to exploit system flaws or gain unauthorized access to systems. While anti-spyware signatures help identify infected hosts when traffic leaves the network, vulnerability detection signatures protect against threats that enter the network.

    For example, vulnerability detection signatures help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default vulnerability detection signatures provide detection for clients and servers from all known critical, high, and medium-severity threats.

  • Anti-spyware signatures are used to detect spyware on compromised hosts. Such spyware might try to contact external command-and-control (C2) servers. When Cloud IDS detects malicious traffic leaving your network from infected hosts, it generates an alert that is saved in the threat log and shown in the Google Cloud console.

Threat severity levels

A signature's severity indicates the risk of the detected event, and Cloud IDS generates alerts for matching traffic. You can choose the minimum severity level in the default signature set. The following table summarizes the threat severity levels.

Severity Description
Critical Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and where the exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions.
High Threats that have the ability to become critical but there are mitigating factors—for example, they might be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
Medium Minor threats in which impact is minimized that do not compromise the target, or exploits that require an attacker to reside on the same local network as the victim, affect only non-standard configurations or obscure applications, or provide very limited access.
Low Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and might often result in victim privacy issues and information leakage.
Informational Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist.

Threat exceptions

If you decide that Cloud IDS generates alerts on more threats than is necessary, you can disable noisy or otherwise unnecessary threat IDs by using the --threat-exceptions flag. You can find the threat IDs of existing threats detected by Cloud IDS in your threat logs. You are limited to 99 exceptions per IDS endpoint.

Content update frequency

Cloud IDS automatically updates all signatures without any user intervention, enabling users to focus on analyzing and resolving threats without managing or updating signatures. Content updates include Application-ID and threat signatures, including vulnerability and anti-spyware signatures.

Updates from Palo Alto Networks are picked up daily by Cloud IDS and pushed to all existing IDS endpoints. Maximum update latency is estimated to be up to 48 hours.


Several features of Cloud IDS generate alerts, which are sent to the threat log. For more information about logging, see Cloud IDS Logging.

What's next