Security profile groups overview

A security profile group is a container for custom intercept security profiles. An intercept rule references a security profile group to enable the processing of network traffic within Network Security Integration.

This page provides a detailed overview of security profile groups and their capabilities.

Specifications

Security profile groups have the following specifications:

  • A security profile group is a global organizational-level resource.

  • The name of a security profile group is configured in the following format:

    organizations/ORGANIZATION_ID/locations/global/securityProfileGroups/SECURITY_PROFILE_GROUP_ID

    For example, the name for the security profile group ID example-security-profile-group in organization example-org is organizations/example-org/locations/global/securityProfileGroups/example-security-profile-group.

  • You can add only one security profile to a security profile group.

  • A firewall rule must contain the name of the security profile group to be used by the intercept endpoints.

  • Security profile groups apply to in-band integration firewall policies only when you add a firewall rule with the action APPLY_SECURITY_PROFILE_GROUP. You can configure security profile groups in hierarchical firewall policy rules and global network firewall policy rules.

  • Depending on the firewall rule's direction flag, the rule can affect incoming or outgoing traffic within the Virtual Private Cloud (VPC) network. The intercepted traffic is sent to the intercept endpoint group defined in the security profile that the configured security profile group references. The intercept endpoint group then redirects the intercepted traffic to the producer deployment group that its network deployments are attached to.

  • Each security profile group must have an associated project ID. The associated project is used for quotas. If you authenticate your service account by using the gcloud auth activate-service-account command, you can associate your service account with the security profile group. To learn more about how to create a security profile group, see Create and manage security profile groups.

Identity and Access Management roles

The following list describes the Identity and Access Management (IAM) roles required for managing security profile groups:

  • Create a security profile group: Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization where the security profile group is created.

  • Modify a security profile group: Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization where the security profile group is created.

  • View details about a security profile group in an organization: Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization where the security profile group is created.

  • View all security profile groups in an organization: Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization where the security profile group is created.

  • Use a security profile group in an in-band integration policy rule: Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization where the security profile group is created.

If you don't have the Security Profile Admin role (networksecurity.securityProfileAdmin), you can still create and manage security profile groups if your role grants the following permissions:

  • networksecurity.securityProfileGroups.create
  • networksecurity.securityProfileGroups.delete
  • networksecurity.securityProfileGroups.get
  • networksecurity.securityProfileGroups.list
  • networksecurity.securityProfileGroups.update
  • networksecurity.securityProfileGroups.use
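The following Python helper is an added example, not code from the Google Cloud documentation or from any Google library. It parses and validates a security profile group resource name in the format given under Specifications (rejecting any location other than global, since groups are organization-level global resources), checks a custom role's granted permissions against the six permissions listed above, and checks whether a firewall rule is shaped so that a group would take effect (action APPLY_SECURITY_PROFILE_GROUP plus a valid group name). The group ID naming rule (lowercase letter first, then lowercase letters, digits or hyphens, at most 63 characters) and the shape of the rule dictionary (keys action and securityProfileGroup) are assumptions for illustration, not taken from the page.

```python
"""Audit helpers for security profile group names, permissions and rules.

Added example, not Google Cloud documentation code. The resource name format
and the six permissions come from the page; the group ID naming rule and the
rule dictionary shape are ASSUMPTIONS made for this example.
"""
import re
from dataclasses import dataclass

# Resource name format from the page:
# organizations/ORGANIZATION_ID/locations/global/securityProfileGroups/SECURITY_PROFILE_GROUP_ID
_NAME_RE = re.compile(
    r"^organizations/(?P<org>[^/]+)"
    r"/locations/(?P<location>[^/]+)"
    r"/securityProfileGroups/(?P<group>[^/]+)$"
)

# ASSUMED group ID rule (not stated on the page): a lowercase letter first,
# then lowercase letters, digits or hyphens, 1-63 characters in total.
_GROUP_ID_RE = re.compile(r"^[a-z][a-z0-9-]{0,62}$")

# Permissions the page lists for managing security profile groups.
REQUIRED_PERMISSIONS = frozenset({
    "networksecurity.securityProfileGroups.create",
    "networksecurity.securityProfileGroups.delete",
    "networksecurity.securityProfileGroups.get",
    "networksecurity.securityProfileGroups.list",
    "networksecurity.securityProfileGroups.update",
    "networksecurity.securityProfileGroups.use",
})


@dataclass(frozen=True)
class SecurityProfileGroupName:
    organization_id: str
    group_id: str

    def __str__(self) -> str:
        # Groups are always global, so the location is fixed.
        return (f"organizations/{self.organization_id}/locations/global"
                f"/securityProfileGroups/{self.group_id}")


def parse_name(name: str) -> SecurityProfileGroupName:
    """Parse a full resource name, enforcing the constraints from the page."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a security profile group resource name: {name!r}")
    if m["location"] != "global":
        # Security profile groups are global, organization-level resources.
        raise ValueError(f"location must be 'global', got {m['location']!r}")
    if not _GROUP_ID_RE.match(m["group"]):
        raise ValueError(f"invalid group ID {m['group']!r} (assumed naming rule)")
    return SecurityProfileGroupName(m["org"], m["group"])


def missing_permissions(granted: set[str]) -> list[str]:
    """Return the listed permissions that a custom role does not grant."""
    return sorted(REQUIRED_PERMISSIONS - set(granted))


def rule_applies_group(rule: dict) -> bool:
    """True if a firewall rule (assumed dict shape) is set up so that the
    referenced security profile group takes effect: the action must be
    APPLY_SECURITY_PROFILE_GROUP and the group name must parse as global."""
    if rule.get("action") != "APPLY_SECURITY_PROFILE_GROUP":
        return False
    try:
        parse_name(rule.get("securityProfileGroup", ""))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real environment.
    name = parse_name("organizations/example-org/locations/global"
                      "/securityProfileGroups/example-security-profile-group")
    print(name)
    print(missing_permissions({"networksecurity.securityProfileGroups.get",
                               "networksecurity.securityProfileGroups.list"}))
    print(rule_applies_group({"action": "ALLOW",
                              "securityProfileGroup": str(name)}))
```

The permission check is the useful part when reviewing a custom role: it reports exactly which of the six permissions are absent, so a role that can read groups but not use them in a rule is caught before a firewall policy change fails.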

For more information about IAM permissions and predefined roles, see IAM permissions reference.

Quotas

To view quotas associated with security profile groups, see Quotas and limits.
