This page explains how to create security profile groups by using the Google Cloud console or the Google Cloud CLI.
To check the progress of the operations listed on this page, make sure that your user role has the following Compute Network User (roles/compute.networkUser) permissions:
- networksecurity.operations.get
- networksecurity.operations.list
Before you begin
- You must enable the Network Security API in your project.
- Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
- You need a threat prevention security profile or a URL filtering security profile.
Roles
To get the permissions that you need to create security profile groups, ask your administrator to grant you the necessary IAM roles on your organization or project. For more information about granting roles, see Manage access.
Create a security profile group
Each security profile group can contain up to one security profile of each of the following types:
- url-filtering
- threat-prevention
Organization-level security profile groups
To create an organization-level security profile group, use the Google Cloud console or the gcloud CLI.
When you create a security profile group, you can specify the name of the security profile group as a string or as a unique URL identifier. To construct the unique URL for a security profile group, use the following format:
organizations/ORGANIZATION_ID/locations/global/securityProfileGroups/NAME
If you use a unique URL identifier for the security profile group name, the organization and the location of the security profile group are already included in the URL identifier. However, if you use only the security profile group name, you must specify the organization and the location separately. For more information about unique URL identifiers, see security profile group specifications.
Console
In the Google Cloud console, go to the Security profiles page.
In the project selector menu, select your organization.
Select the Security profile groups tab.
Configure a security profile group:
- Click Create profile group.
- Enter a name in the Name field.
- Optional: Enter a description in the Description field.
- To create a security profile group for Cloud Next Generation Firewall Enterprise, in the Purpose section, select Cloud NGFW Enterprise.
- In the Threat prevention profile list or the URL filtering profile list, select the security profile that you want to add to this security profile group.
- Click Create.
gcloud
To create a security profile group, use the gcloud network-security security-profile-groups create command:
gcloud network-security security-profile-groups create NAME \
--organization ORGANIZATION_ID \
--location LOCATION \
--billing-project QUOTA_PROJECT_ID \
--url-filtering-profile SECURITY_PROFILE_URL \
--threat-prevention-profile SECURITY_PROFILE_URL \
--description DESCRIPTION
Replace the following:
- NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.
- ORGANIZATION_ID: the organization where the security profile group is created. If you use a unique URL identifier for the NAME variable, you can omit the --organization flag.
- LOCATION: the location of the security profile group. Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.
- QUOTA_PROJECT_ID: an optional project ID to use for quotas and access restrictions on the security profile group.
- SECURITY_PROFILE_URL: a unique URL identifier for a security profile of either url-filtering or threat-prevention type. You must add at least one of these security profiles.
- DESCRIPTION: an optional description for the security profile group.
Project-level security profile groups
To create a project-level security profile group, use the gcloud CLI.
When you create a security profile group, you can specify the name of the security profile group as a string or as a unique URL identifier. To construct the unique URL for a security profile group, use the following format:
projects/PROJECT_ID/locations/global/securityProfileGroups/NAME
If you use a unique URL identifier for the security profile group name, the project and the location of the security profile group are already included in the URL identifier. However, if you use only the security profile group name, you must specify the project and the location separately. For more information about unique URL identifiers, see security profile group specifications.
gcloud
To create a security profile group, use the gcloud network-security security-profile-groups create command:
gcloud beta network-security security-profile-groups create NAME \
--project PROJECT_ID \
--location LOCATION \
--url-filtering-profile SECURITY_PROFILE_URL \
--threat-prevention-profile SECURITY_PROFILE_URL \
--description DESCRIPTION
Replace the following:
- NAME: the name of the security profile group; you can specify the name as a string or as a unique URL identifier.
- PROJECT_ID: the project where the security profile group is created. If you use a unique URL identifier for the NAME variable, you can omit the --project flag.
- LOCATION: the location of the security profile group. Location is always set to global. If you use a unique URL identifier for the NAME variable, you can omit the --location flag.
- SECURITY_PROFILE_URL: a unique URL identifier for a security profile of either url-filtering or threat-prevention type. You must add at least one of these security profiles.
- DESCRIPTION: an optional description for the security profile group.
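The following dry-run helper is an added example, not part of the original guide or of the gcloud CLI. It builds the unique URL identifier for an organization-level or project-level group, enforces the "at least one security profile" rule, and prints the create command in the form that omits the scope and location flags. The function names spg_url and spg_create_cmd and the sample IDs are hypothetical; SECURITY_PROFILE_URL remains a placeholder.

```shell
#!/bin/sh
# Added example: prints the gcloud command for review instead of running it.

# spg_url SCOPE ID NAME -> prints the unique URL identifier, or fails.
# SCOPE is "organizations" or "projects"; the location is always "global".
spg_url() {
  scope=$1 id=$2 name=$3
  case $scope in
    organizations|projects) ;;
    *) echo "scope must be organizations or projects" >&2; return 1 ;;
  esac
  # Reject empty parts and embedded slashes, which would change the path shape.
  for part in "$id" "$name"; do
    case $part in
      ''|*/*) echo "invalid ID or NAME: '$part'" >&2; return 1 ;;
    esac
  done
  printf '%s/%s/locations/global/securityProfileGroups/%s\n' \
    "$scope" "$id" "$name"
}

# spg_create_cmd SCOPE ID NAME URL_FILTERING_PROFILE THREAT_PREVENTION_PROFILE
# Pass '' for a profile type that you are not attaching.
spg_create_cmd() {
  url=$(spg_url "$1" "$2" "$3") || return 1
  uf=$4 tp=$5
  # A group must reference at least one security profile.
  if [ -z "$uf" ] && [ -z "$tp" ]; then
    echo "need a url-filtering or threat-prevention profile" >&2
    return 1
  fi
  # The project-level command on this page uses the beta track.
  if [ "$1" = projects ]; then cmd="gcloud beta"; else cmd="gcloud"; fi
  cmd="$cmd network-security security-profile-groups create $url"
  # --organization/--project and --location are omitted: the URL carries them.
  if [ -n "$uf" ]; then cmd="$cmd --url-filtering-profile $uf"; fi
  if [ -n "$tp" ]; then cmd="$cmd --threat-prevention-profile $tp"; fi
  printf '%s\n' "$cmd"
}

# Constructed sample values; replace them before use.
spg_create_cmd organizations 123456789012 example-group '' SECURITY_PROFILE_URL
```

Review the printed command, then run it yourself once the placeholders are replaced.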