Create and manage intercept deployments

An intercept deployment is a zonal resource that references the forwarding rule of an internal passthrough Network Load Balancer whose backends are packet inspection VMs. An intercept deployment represents the producer's inspection service offering for a zone.

This page describes how to create and manage intercept deployments.

Before you begin

Roles

To create, view, or delete intercept deployments, your Identity and Access Management (IAM) principal must have the necessary IAM roles on your project. For more information, see Manage access to projects, folders, and organizations.

To check the progress of the operations listed on this page, your IAM principal must have the following permissions from the Intercept Deployment Admin role (roles/networksecurity.interceptDeploymentAdmin):

  • networksecurity.interceptDeployments.create
  • networksecurity.interceptDeployments.delete
  • networksecurity.interceptDeployments.get
  • networksecurity.interceptDeployments.list

Create an intercept deployment

Create an intercept deployment to represent the producer's compute resources within a zone and associate it with an existing intercept deployment group.

You can create the intercept deployment in the same project that contains the parent intercept deployment group. We recommend that you create the intercept deployment in a project owned by your security administrator.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

  2. Click the deployment group where you want to add the intercept deployment.

  3. Click Create intercept deployment.

  4. For Name, enter a name for the intercept deployment.

  5. For Region and Zone, select your region and zone.

  6. For Internal load balancer, select the internal passthrough Network Load Balancer.

  7. For Forwarding rule, select the UDP forwarding rule of the load balancer. If the load balancer has only one forwarding rule, it is selected by default and the field is disabled.

  8. Click Create.

gcloud

To create an intercept deployment, use the gcloud network-security intercept-deployments create command:

gcloud network-security intercept-deployments create DEPLOYMENT_ID \
    --location ZONE \
    --forwarding-rule FWD_RULE \
    --forwarding-rule-location REGION \
    --no-async \
    --intercept-deployment-group \
        projects/PROJECT_ID/locations/global/interceptDeploymentGroups/DEPLOYMENT_GROUP_ID

Replace the following:

  • DEPLOYMENT_ID: the ID of the intercept deployment.
  • ZONE: the zone where you want to create the intercept deployment.
  • FWD_RULE: the forwarding rule of an internal passthrough Network Load Balancer in the same region as the zone of the intercept deployment.
  • REGION: the region that contains the zone of the intercept deployment.
  • PROJECT_ID: the ID of the Google Cloud project.
  • DEPLOYMENT_GROUP_ID: the ID of the intercept deployment group.
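Before running the create command, it is worth checking the constraints the page states: the forwarding rule must be the UDP rule of an internal passthrough Network Load Balancer, it must live in the region that contains the deployment's zone, and the deployment group must be given as a full resource path. The following pre-flight check is an added example written for this page; it is not code from the Google Cloud documentation or from the gcloud tool. The forwarding-rule dictionary is a constructed stand-in for the fields that gcloud compute forwarding-rules describe returns (name, IPProtocol, loadBalancingScheme, region), and all values in it are invented for the example.

```python
"""Pre-flight validation for creating an intercept deployment.

Added example; not from the Google Cloud documentation or the gcloud tool.
It encodes the constraints the page states before the create command runs:
the forwarding rule must be the UDP rule of an internal passthrough Network
Load Balancer, it must live in the region that contains the deployment's
zone, and the deployment group is referenced by its full resource path.
"""
import re
from typing import Dict, List

# Zone names look like us-central1-a; the region is everything before the
# final "-<letter>" suffix.
ZONE_RE = re.compile(r"^(?P<region>[a-z]+-[a-z]+[0-9]+)-[a-z]$")

# Resource path format for the parent group, as shown on the page.
GROUP_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/global/"
    r"interceptDeploymentGroups/(?P<group>[^/]+)$"
)

# Constructed stand-in for the fields a `gcloud compute forwarding-rules
# describe` call returns; every value here is invented for this example.
SAMPLE_RULE: Dict[str, str] = {
    "name": "example-udp-rule",
    "IPProtocol": "UDP",
    "loadBalancingScheme": "INTERNAL",
    "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1",
}


def region_of_zone(zone: str) -> str:
    """Derive the region that contains a zone, e.g. us-central1-a -> us-central1."""
    m = ZONE_RE.match(zone)
    if not m:
        raise ValueError(f"not a Compute Engine zone name: {zone!r}")
    return m.group("region")


def check_forwarding_rule(rule: Dict[str, str], zone: str) -> str:
    """Validate the rule against the page's requirements; return its region."""
    if rule.get("IPProtocol") != "UDP":
        raise ValueError(f"forwarding rule {rule.get('name')!r} is not a UDP rule")
    if rule.get("loadBalancingScheme") != "INTERNAL":
        raise ValueError("forwarding rule does not belong to an internal passthrough load balancer")
    # The region field is a URL; the last path segment is the region name.
    rule_region = rule.get("region", "").rsplit("/", 1)[-1]
    if rule_region != region_of_zone(zone):
        raise ValueError(
            f"forwarding rule is in {rule_region!r} but zone {zone!r} "
            f"is in {region_of_zone(zone)!r}"
        )
    return rule_region


def build_create_argv(deployment_id: str, zone: str,
                      rule: Dict[str, str], group_path: str) -> List[str]:
    """Return the gcloud argument list from the page, with every value checked."""
    if not GROUP_RE.match(group_path):
        raise ValueError(f"deployment group must be a full resource path, got {group_path!r}")
    region = check_forwarding_rule(rule, zone)
    return [
        "gcloud", "network-security", "intercept-deployments", "create", deployment_id,
        "--location", zone,
        "--forwarding-rule", rule["name"],
        "--forwarding-rule-location", region,
        "--no-async",
        "--intercept-deployment-group", group_path,
    ]


if __name__ == "__main__":
    argv = build_create_argv(
        "example-deployment", "us-central1-a", SAMPLE_RULE,
        "projects/example-project/locations/global/interceptDeploymentGroups/example-group",
    )
    print(" ".join(argv))
```

Feed the script the real describe output for your forwarding rule instead of SAMPLE_RULE and pass the returned argument list to subprocess.run; a mismatch between the rule's region and the zone, or a TCP rule selected by mistake, is reported before any API call is made.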

Terraform

To create an intercept deployment, you can use a google_network_security_intercept_deployment resource.

resource "google_network_security_intercept_deployment" "default" {
  intercept_deployment_id    = "intercept-deployment"
  location                   = "us-central1-a"
  forwarding_rule            = google_compute_forwarding_rule.default.id
  intercept_deployment_group = google_network_security_intercept_deployment_group.default.id
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

View details of an intercept deployment

You can view the details of an intercept deployment, including its name, its forwarding rule, and its location.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

  2. Click the name of the deployment group.

  3. Click the name of the deployment.

gcloud

To view details of an intercept deployment, use the gcloud network-security intercept-deployments describe command:

gcloud network-security intercept-deployments describe DEPLOYMENT_ID \
    --location ZONE

Replace the following:

  • DEPLOYMENT_ID: the ID of the intercept deployment.
  • ZONE: the zone of the intercept deployment.

In the output, the name of the intercept deployment is displayed in the projects/PROJECT_ID/locations/ZONE/interceptDeployments/DEPLOYMENT_ID format.

List intercept deployments

You can list all intercept deployments in a project, including their IDs and locations.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

  2. Click the name of the deployment group.

gcloud

To list intercept deployments, use the gcloud network-security intercept-deployments list command:

gcloud network-security intercept-deployments list \
    [--location ZONE]

To see only the intercept deployments in a specific zone, include the --location flag and replace ZONE with that zone. The flag is optional; without it, deployments in all zones are listed.

Delete an intercept deployment

You can delete an intercept deployment if it is not referenced by any intercept deployment group.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

  2. Click the name of the intercept deployment group.

  3. Select the checkbox of the intercept deployment and click Delete.

  4. Click Delete again to confirm.

gcloud

To delete an intercept deployment, use the gcloud network-security intercept-deployments delete command:

gcloud network-security intercept-deployments delete DEPLOYMENT_ID \
    --no-async \
    --location ZONE

Replace the following:

  • DEPLOYMENT_ID: the ID of the intercept deployment.
  • ZONE: the zone of the intercept deployment.