This page explains how to create and manage security profile groups with a custom security profile by using the Google Cloud CLI.
Before you begin
- You must enable the Network Security API in your project.
- Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
- You must have a custom mirroring security profile.
Roles
To get the permissions that you need to create, view, update, or delete security profile groups, ask your administrator to grant you the required Identity and Access Management (IAM) roles on your organization or project. For more information about granting roles, see Manage access to projects, folders, and organizations.
To check the progress of the operations listed on this page, make sure that your user role has the following Compute Network User (roles/compute.networkUser) permissions:
- networksecurity.operations.get
- networksecurity.operations.list
Create a security profile group with custom profile
You can create security profile groups at organization or project level (Preview). You
can only create a security profile group with a security profile of type
CUSTOM_MIRRORING.
Console
In the Google Cloud console, go to the Security profile groups page.
From the project picker, select your organization or the project (Preview).
On the Security profile groups tab, click Create profile group.
For Name, enter the name of the security profile group.
For Security profile group purpose, select NSI out-of-band.
For Custom mirroring profile, select the custom security profile for in-band integration.
Click Create.
gcloud
To create a security profile group, use the
gcloud network-security security-profile-groups create command:
gcloud network-security security-profile-groups \
create SECURITY_PROFILE_GROUP_NAME \
--custom-mirroring-profile CUSTOM_MIRRORING_PROFILE_NAME \
--description DESCRIPTION \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location=global \
[--billing-project QUOTA_PROJECT_ID]
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group. If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
- CUSTOM_MIRRORING_PROFILE_NAME: the name of the custom mirroring security profile.
- DESCRIPTION: an optional description for the security profile group.
- ORGANIZATION_ID: your organization ID. Use this flag to create an organization-level security profile group.
- PROJECT_ID: your project ID. Use this flag to create a project-level security profile group (Preview). The --project flag is available in Preview. To use this flag, run the gcloud beta network-security security-profile-groups create command.
- QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profile groups.
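The create, describe, update, and delete commands on this page share the same scoping rules (exactly one of --organization or --project, the beta track for the Preview --project flag, and --billing-project only for organization-level groups). The following is an added example, not part of this guide or of the gcloud CLI: a hypothetical POSIX shell helper, spg_cmd, that assembles the command line and rejects combinations the guide says are invalid before anything is sent to the API.

```shell
#!/bin/sh
# spg_cmd: build (and print, rather than run) a
# "gcloud network-security security-profile-groups" command line.
# Hypothetical helper written for this example; not part of the gcloud CLI.
#
# usage: spg_cmd VERB GROUP_NAME ORG_ID PROJECT_ID QUOTA_PROJECT_ID [FLAG...]
#   VERB            create | describe | update | delete
#   ORG_ID / PROJECT_ID   pass "" to leave one of them unset
#   QUOTA_PROJECT_ID      pass "" if not needed (organization-level only)
#   FLAG...         extra flags appended verbatim, e.g. --custom-mirroring-profile NAME
spg_cmd() {
  if [ $# -lt 5 ]; then
    echo "usage: spg_cmd VERB NAME ORG PROJECT QUOTA [FLAG...]" >&2
    return 2
  fi
  verb=$1; name=$2; org=$3; proj=$4; quota=$5
  shift 5
  # Rule 1: the scope flags are mutually exclusive, and one is required.
  if [ -n "$org" ] && [ -n "$proj" ]; then
    echo "error: --organization and --project are mutually exclusive" >&2
    return 1
  fi
  if [ -z "$org" ] && [ -z "$proj" ]; then
    echo "error: one of ORG_ID or PROJECT_ID is required" >&2
    return 1
  fi
  # Rule 2: --billing-project is only valid for organization-level groups.
  if [ -n "$quota" ] && [ -z "$org" ]; then
    echo "error: --billing-project is only for organization-level groups" >&2
    return 1
  fi
  # Rule 3: project-level groups are Preview and need the beta release track.
  track=""
  scope="--organization $org"
  if [ -n "$proj" ]; then
    track="beta "
    scope="--project $proj"
  fi
  cmd="gcloud ${track}network-security security-profile-groups $verb $name $scope --location=global"
  if [ -n "$quota" ]; then
    cmd="$cmd --billing-project $quota"
  fi
  for flag in "$@"; do
    cmd="$cmd $flag"
  done
  printf '%s\n' "$cmd"
}
```

The printed line is meant for review before execution; flag values containing spaces (for example a multi-word --description) should be passed to gcloud directly with proper quoting rather than through this string.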
Terraform
To create a security profile group, you can use a google_network_security_security_profile_group resource.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
List and view details of a security profile group
You can list security profile groups in an organization or a project (Preview), and view the details of a group, such as its name and custom intercept profile.
Console
In the Google Cloud console, go to the Security profile groups page.
From the project picker, select your organization or the project (Preview). The tab lists all security profile groups.
In the Security profile groups tab, click the name of the security profile group to see its details.
gcloud
To list custom mirroring security profile groups, use the
gcloud network-security security-profile-groups list command:
gcloud network-security security-profile-groups list \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location=global \
--filter CUSTOM_MIRRORING_PROFILE \
[--billing-project QUOTA_PROJECT_ID]
To view details of a security profile group, use the
gcloud network-security security-profile-groups describe command:
gcloud network-security security-profile-groups \
describe SECURITY_PROFILE_GROUP_NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location=global \
[--billing-project QUOTA_PROJECT_ID]
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group. If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
- CUSTOM_MIRRORING_PROFILE: the custom mirroring security profile to filter by.
- ORGANIZATION_ID: your organization ID where the security profile group exists.
- PROJECT_ID: your project ID where the security profile group exists. The --project flag is available in Preview. To use this flag, run the gcloud beta network-security security-profile-groups describe command.
- QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profile groups.
Update a security profile group
You can update the description and labels of the security profile referenced in a security profile group.
Console
In the Google Cloud console, go to the Security profile groups page.
From the project picker, select your organization or the project (Preview).
Click your security profile group.
Click Edit.
After you edit the rule, click Save.
gcloud
To update a security profile group, use the
gcloud network-security security-profile-groups update command:
gcloud network-security security-profile-groups \
update SECURITY_PROFILE_GROUP_NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location=global \
--description DESCRIPTION
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group that you want to update. If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
- ORGANIZATION_ID: your organization ID where the security profile group exists.
- PROJECT_ID: your project ID where the security profile group exists. The --project flag is available in Preview. To use this flag, run the gcloud beta network-security security-profile-groups update command.
- DESCRIPTION: an optional description for the security profile group.
Delete a security profile group
You can delete a security profile group by specifying its name, location, and organization. However, if a custom security profile is referenced by a network firewall policy, that security profile group cannot be deleted.
Console
In the Google Cloud console, go to the Security profile groups page.
From the project picker, select your organization or the project (Preview).
On the Security profile groups tab, select the checkbox of the security profile group that you want to delete, and then click Delete.
Click Delete again to confirm.
gcloud
To delete a security profile group, use the
gcloud network-security security-profile-groups delete command:
gcloud network-security security-profile-groups \
delete SECURITY_PROFILE_GROUP_NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location=global \
[--billing-project QUOTA_PROJECT_ID]
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group that you want to delete. If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
- ORGANIZATION_ID: your organization ID where the security profile group exists.
- PROJECT_ID: your project ID where the security profile group exists. The --project flag is available in Preview. To use this flag, run the gcloud beta network-security security-profile-groups delete command.
- QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profile groups.
What's next
- Create and manage mirroring endpoint groups
- Security profile groups overview
- Create and manage custom mirroring security profiles