An intercept endpoint group is a global, project-wide resource that lets a consumer access a producer's interception service. Each intercept endpoint group is associated with a single intercept deployment group on the producer side.
An intercept endpoint group association is a global, project-wide resource that represents a consumer's VPC network to be inspected by a specific intercept endpoint group. For each VPC that requires packet inspection, consumers create an intercept endpoint group association.
This page provides a detailed overview of intercept endpoint groups and intercept endpoint group associations.
Specifications
Intercept endpoint groups have the following specifications:
- An intercept endpoint group is a global, project-wide resource.
  The name of an intercept endpoint group is configured in the following format:
  projects/PROJECT_ID/locations/global/interceptEndpointGroups/ENDPOINT_GROUP_ID
  For example, the unique URL identifier for the intercept endpoint group example-intercept-endpoint-group in project example-project is projects/example-project/locations/global/interceptEndpointGroups/example-intercept-endpoint-group.
- An intercept endpoint group association is a global, project-wide resource.
  The name of an intercept endpoint association is configured in the following format:
  projects/PROJECT_ID/locations/global/interceptEndpointAssociations/ENDPOINT_GROUP_ASSOCIATION_ID
  For example, the name for the intercept endpoint association ID example-intercept-endpoint-association in project example-project is projects/example-project/locations/global/interceptEndpointAssociations/example-intercept-endpoint-association.
- You can use an intercept endpoint group across one or more VPCs in different projects in an organization.
- To enable interception for a VPC network, create an intercept endpoint group association and the required firewall rules.
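Because a VPC network is only inspected once it has an association, a coverage audit over an exported inventory is a useful check. The following is an added example, not code from this page or from Google Cloud: it validates names against the two formats above and lists required networks with no valid association. The record keys (name, network, endpoint_group), the network paths and the sample inventory are assumptions constructed for illustration, and firewall rules are not checked.

```python
import re

# Name formats as given on this page.
GROUP_RE = re.compile(
    r"projects/(?P<project>[^/]+)/locations/global/interceptEndpointGroups/(?P<id>[^/]+)")
ASSOC_RE = re.compile(
    r"projects/(?P<project>[^/]+)/locations/global/interceptEndpointAssociations/(?P<id>[^/]+)")


def parse_name(pattern, name):
    """Return (project, id) for a well-formed resource name, else None."""
    m = pattern.fullmatch(name)
    return (m["project"], m["id"]) if m else None


def audit_coverage(required_networks, associations):
    """Report networks with no valid association, plus malformed records.

    associations: dicts with hypothetical keys 'name', 'network' and
    'endpoint_group' (assumed record shape, not taken from the page).
    """
    covered, malformed, cross_project = set(), [], []
    for a in associations:
        assoc = parse_name(ASSOC_RE, a["name"])
        group = parse_name(GROUP_RE, a["endpoint_group"])
        if assoc is None or group is None:
            malformed.append(a["name"])  # does not count as coverage
            continue
        covered.add(a["network"])
        if assoc[0] != group[0]:
            # Allowed (a group can serve VPCs in other projects); listed for review.
            cross_project.append(a["name"])
    missing = sorted(set(required_networks) - covered)
    return {"missing": missing, "malformed": malformed, "cross_project": cross_project}


# Constructed sample inventory (not real resources).
GROUP = "projects/example-project/locations/global/interceptEndpointGroups/example-intercept-endpoint-group"
SAMPLE_ASSOCIATIONS = [
    {"name": "projects/example-project/locations/global/interceptEndpointAssociations/example-intercept-endpoint-association",
     "network": "projects/example-project/global/networks/vpc-a", "endpoint_group": GROUP},
    {"name": "projects/other-project/locations/global/interceptEndpointAssociations/assoc-b",
     "network": "projects/other-project/global/networks/vpc-b", "endpoint_group": GROUP},
    {"name": "projects/other-project/locations/us-central1/interceptEndpointAssociations/assoc-c",
     "network": "projects/other-project/global/networks/vpc-c", "endpoint_group": GROUP},
]
REQUIRED = [a["network"] for a in SAMPLE_ASSOCIATIONS] + ["projects/example-project/global/networks/vpc-d"]

if __name__ == "__main__":
    print(audit_coverage(REQUIRED, SAMPLE_ASSOCIATIONS))
```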
Identity and Access Management roles
The following table describes the Identity and Access Management (IAM) roles required for managing the intercept endpoint groups:
| Ability | Necessary role |
|---|---|
| Create an intercept endpoint group | Intercept Endpoint Admin role (roles/networksecurity.interceptEndpointAdmin) on the project. |
| Modify an existing intercept endpoint group | Intercept Endpoint Admin role (roles/networksecurity.interceptEndpointAdmin) on the project. |
| View details of an intercept endpoint group | Any of the following roles for the project: |
| View all intercept endpoint groups | Any of the following roles for the project: |
The following table describes the Identity and Access Management (IAM) roles required for managing the intercept endpoint group associations:
| Ability | Necessary role |
|---|---|
| Create an intercept endpoint group association | Intercept Endpoint Admin role ( Intercept Endpoint User role ( |
| Modify an existing intercept endpoint group association | Intercept Endpoint Admin role (roles/networksecurity.interceptEndpointAdmin) on the project where the VPC network exists. |
| View details of an intercept endpoint group association | Any of the following roles: |
| View all intercept endpoint group associations | Any of the following roles: |
Quotas
To view quotas associated with intercept endpoint groups, see Quotas and limits.