This page explains how to create and manage security profile groups with a custom security profile by using the Google Cloud CLI.
Before you begin
- You must enable the Network Security API in your project.
- Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
- You must have a custom mirroring security profile.
Roles
To get the permissions that you need to create, view, update, or delete security profile groups, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations.
To check the progress of the operations listed on this page, make sure that your user role has the following Compute Network User role (roles/compute.networkUser) permissions:
- networksecurity.operations.get
- networksecurity.operations.list
Create a security profile group with custom profile
You can only create a security profile group with a security profile of type CUSTOM_MIRRORING.
When you create a security profile group, you can specify the name of the security profile group as a string or as a unique URL identifier. The unique URL for an organization-scoped security profile group can be constructed in the following format:
organizations/ORGANIZATION_ID/locations/LOCATION/securityProfileGroups/SECURITY_PROFILE_GROUP_NAME
Replace the following:
- ORGANIZATION_ID: the ID of the organization.
- LOCATION: the scope of the security profile group. Location is always set to global.
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group.
If you use a unique URL identifier for the security profile group name, the organization and location of the security profile group are already included in the URL identifier. However, if you use only the security profile group name, you must specify the organization and location separately. For more information about unique URL identifiers, see Specifications.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.
Permissions
networksecurity.securityProfileGroups.create
Roles
compute.networkAdmin
To create a security profile group, use the gcloud beta network-security security-profile-groups create command:
gcloud beta network-security security-profile-groups \
    create SECURITY_PROFILE_GROUP_NAME \
    --custom-mirroring-profile=CUSTOM_MIRRORING_PROFILE_NAME \
    --description=DESCRIPTION \
    --organization=ORGANIZATION_ID \
    --location=global \
    --billing-project=PROJECT_ID
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.
- CUSTOM_MIRRORING_PROFILE_NAME: the name of the custom mirroring security profile.
- DESCRIPTION: an optional description for the security profile group.
- ORGANIZATION_ID: the organization where the security profile group is created.
- PROJECT_ID: the project ID to use for quotas and access restrictions on the security profile group.
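The page states that a group can be named either as a bare string or as its organization-scoped URL, and that with a bare string the organization and location must be passed separately. The following POSIX sh script is an added example, not part of the Google Cloud documentation or of the gcloud CLI: it normalizes either form to the full resource path, rejects a URL whose organization or location disagrees with the values the caller intends to pass (a mismatch that would otherwise surface only as an API error), and then assembles the create command from this section with every flag in --flag=value form. The function names, the SPG_DRY_RUN variable and the sample values are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): normalize a security
# profile group identifier and build the create command from the page.

# spg_full_name ORG NAME
# NAME may be a bare group name or a full path of the form
# organizations/ORG/locations/global/securityProfileGroups/NAME.
# Prints the full path; fails if the path's organization or location
# disagrees with ORG or with the only supported location, global.
spg_full_name() {
  org="$1"; name="$2"
  case "$name" in
    organizations/*/locations/*/securityProfileGroups/*)
      path_org=${name#organizations/};           path_org=${path_org%%/*}
      path_loc=${name#organizations/*/locations/}; path_loc=${path_loc%%/*}
      path_name=${name##*/securityProfileGroups/}
      if [ "$path_org" != "$org" ]; then
        echo "spg_full_name: URL organization '$path_org' does not match '$org'" >&2
        return 1
      fi
      if [ "$path_loc" != "global" ]; then
        echo "spg_full_name: location must be global, got '$path_loc'" >&2
        return 1
      fi
      ;;
    */*)
      echo "spg_full_name: '$name' is neither a bare name nor a securityProfileGroups URL" >&2
      return 1
      ;;
    *)
      path_name=$name
      ;;
  esac
  case "$path_name" in
    ''|*/*) echo "spg_full_name: invalid group name '$path_name'" >&2; return 1 ;;
  esac
  printf '%s\n' "organizations/$org/locations/global/securityProfileGroups/$path_name"
}

# spg_create ORG NAME PROFILE [DESCRIPTION] [BILLING_PROJECT]
# Builds the gcloud create command from the page. With SPG_DRY_RUN set
# (assumed variable) it prints the command instead of running it, so the
# exact arguments can be reviewed before anything is created.
spg_create() {
  org="$1"; name="$2"; profile="$3"; desc="${4:-}"; project="${5:-}"
  if [ -z "$org" ] || [ -z "$name" ] || [ -z "$profile" ]; then
    echo "usage: spg_create ORG NAME PROFILE [DESCRIPTION] [BILLING_PROJECT]" >&2
    return 2
  fi
  full=$(spg_full_name "$org" "$name") || return 1
  # Positional parameters hold the argv so values with spaces stay intact.
  set -- gcloud beta network-security security-profile-groups create "$full" \
    --custom-mirroring-profile="$profile" \
    --organization="$org" --location=global
  if [ -n "$desc" ]; then set -- "$@" --description="$desc"; fi
  if [ -n "$project" ]; then set -- "$@" --billing-project="$project"; fi
  if [ -n "${SPG_DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Demo with constructed sample values (runs only when SPG_DEMO is set).
if [ -n "${SPG_DEMO:-}" ]; then
  SPG_DRY_RUN=1 spg_create 123456789012 my-group my-mirror-profile "mirror to IDS" my-project
fi
```

Run it with SPG_DEMO=1 to see the assembled command without invoking gcloud; drop SPG_DRY_RUN in a real run to execute it. The organization and location checks in spg_full_name are the part worth keeping in automation: they turn a silently wrong target into an immediate, local failure.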
View security profile group
You can view the details of a specific security profile group in an organization.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.
Permissions
networksecurity.securityProfileGroups.get
Roles
compute.networkAdmin
compute.networkUser
compute.networkViewer
To view details of a security profile group, use the gcloud beta network-security security-profile-groups describe command:
gcloud beta network-security security-profile-groups \
    describe SECURITY_PROFILE_GROUP_NAME \
    --organization=ORGANIZATION_ID \
    --location=global \
    --billing-project=PROJECT_ID
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.
- ORGANIZATION_ID: the organization where the security profile group is created.
- PROJECT_ID: the project ID to use for quotas and access restrictions on the security profile group.
List security profile groups
You can list all the custom mirroring security profile groups in an organization.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.
Permissions
networksecurity.securityProfileGroups.list
Roles
compute.networkAdmin
compute.networkUser
compute.networkViewer
To list custom mirroring security profile groups, use the gcloud beta network-security security-profile-groups list command:
gcloud beta network-security security-profile-groups list \
    --organization=ORGANIZATION_ID \
    --location=global \
    --filter=CUSTOM_MIRRORING_PROFILE \
    --billing-project=PROJECT_ID
Replace the following:
- ORGANIZATION_ID: the organization where the security profile group is created.
- CUSTOM_MIRRORING_PROFILE: the name of the profile groups that have a custom_mirroring_profile defined.
- PROJECT_ID: the project ID to use for billing of the security profile group.
Update a security profile group
You can update the description and labels of the security profile referenced in a security profile group.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.
Permissions
networksecurity.securityProfileGroups.update
Roles
compute.networkAdmin
To update a security profile group, use the gcloud beta network-security security-profile-groups update command:
gcloud beta network-security security-profile-groups \
    update SECURITY_PROFILE_GROUP_NAME \
    --organization=ORGANIZATION_ID \
    --location=global \
    --description=DESCRIPTION
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group that you want to update; you can specify the name as a string or as a unique URL identifier.
- ORGANIZATION_ID: the organization where the security profile group is created.
- DESCRIPTION: an optional description for the security profile group.
Delete a security profile group
You can delete a security profile group by specifying its name, location, and organization. However, if a custom security profile is referenced by a network firewall policy, that security profile group cannot be deleted.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.
Permissions
networksecurity.securityProfileGroups.delete
Roles
compute.networkAdmin
To delete a security profile group, use the gcloud beta network-security security-profile-groups delete command:
gcloud beta network-security security-profile-groups \
    delete SECURITY_PROFILE_GROUP_NAME \
    --custom-profile=CUSTOM_PROFILE_NAME \
    --organization=ORGANIZATION_ID \
    --location=global \
    --billing-project=PROJECT_ID
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group that you want to delete; you can specify the name as a string or as a unique URL identifier.
- CUSTOM_PROFILE_NAME: the name of the custom security profile.
- ORGANIZATION_ID: the organization where the security profile group is created.
- PROJECT_ID: the project ID to use for quotas and access restrictions on the security profile group.
What's next
- Create and manage mirroring endpoint groups
- Security profile groups overview
- Create and manage custom mirroring security profiles