Security profile groups are containers for security profiles. They let you bundle security profile types together for easier management and application to firewall rules. You can create these groups at either the organization or project level.
Each security profile group can contain up to one security profile of each of the following types:
THREAT_PREVENTIONURL_FILTERING
To apply consistent network security policies across your Google Cloud environment, you can use security profile groups to combine and apply threat prevention and URL filtering profiles. By grouping these profiles, you can enforce multiple security checks such as threat prevention and URL filtering on network traffic through a single firewall policy rule, ensuring consistent policy enforcement and simplified management. This document describes how to create and configure organization-level and project-level security profile groups by using the Google Cloud console or the Google Cloud CLI.
This document is intended for network administrators and security engineers who configure network security and firewall policies.
Before you begin, review the concepts in the Security profile groups overview.
Before you begin
- You must enable the Network Security API in your project.
- Install the gcloud CLI if you want to run the
gcloudcommand-line examples in this guide. - Create the security profiles that you need to add to the security profile group.
Roles
To get the permissions that you need to create security profile groups, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your organization or project. For more information about granting roles, see Manage access.
Create a security profile group
Create a security profile group to bundle one or more security profiles into one resource for easier management and application to firewall rules.
Each security profile group can contain up to one security profile of each of the following types:
URL_FILTERINGTHREAT_PREVENTION
Console
In the Google Cloud console, go to the Security profiles page.
In the project selector menu, select your organization or the project.
Select the Security profile groups tab.
Click Create profile group.
Enter a name in the Name field.
Optional: Enter a description in the Description field.
To create a security profile group for Cloud Next Generation Firewall Enterprise, in the Purpose section, select Cloud NGFW Enterprise.
Add one or more security profiles to the group:
- To add a threat prevention profile, select Threat prevention profile.
- To add a URL filtering profile, select the URL filtering profile
Click Create.
gcloud
To create a security profile group, use the
gcloud network-security security-profile-groups create command:
gcloud network-security security-profile-groups create NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
[--billing-project QUOTA_PROJECT_ID] \
--threat-prevention-profile THREAT_SECURITY_PROFILE_URL \
--url-filtering-profile URL_SECURITY_PROFILE_URL \
--location global
Replace the following:
NAME: the name of the security profile group.If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
ORGANIZATION_ID: the organization ID. Use this flag for an organization-level security profile group.PROJECT_ID: the project ID. Use this flag for a project-level security profile group.QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level security profile groups.THREAT_SECURITY_PROFILE_URL: a unique URL identifier for a security profile ofTHREAT_PREVENTIONtype.URL_SECURITY_PROFILE_URL: a unique URL identifier for a security profile ofURL_FILTERINGtype.