A security profile group is a container for custom intercept security profiles. An intercept rule references a security profile group to enable the processing of network traffic within Network Security Integration.
This page provides a detailed overview of security profile groups and their capabilities.
Specifications
Security profile groups have the following specifications:
A security profile group is a global resource at either the organization level or the project level (Preview).
The name of a security profile group is configured in the following URL identifier format:
- Organization-level:
  organizations/ORGANIZATION_ID/locations/global/securityProfileGroups/NAME
- Project-level (Preview):
  projects/PROJECT_ID/locations/global/securityProfileGroups/NAME
The NAME of the security profile group must meet the following requirements:
- A string 1-63 characters long
- Contains only lowercase alphanumeric characters or hyphens (-)
- Starts with a letter
Examples:
- Organization-level security profile group:
  organizations/2345678432/locations/global/securityProfileGroups/example-security-profile-group
- Project-level security profile group (Preview):
  projects/my-project-123/locations/global/securityProfileGroups/example-security-profile-group
If you use the unique URL identifier for the security profile group name, the URL already includes the organization or project, and the location. If you specify only the short name, you must provide the organization ID or the project ID and the location separately when you use gcloud commands.
You can add only one security profile to a security profile group.
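The naming rules and the two URL identifier formats above are easy to get wrong in automation, so here is an added helper (not part of the original page or of Google's tooling) that validates a NAME and resolves either a full URL identifier or a short name plus a separately supplied parent into its components. It assumes that `global` is the only valid location, since that is the only one this page shows.

```python
import re
from typing import Optional

# NAME requirements stated on this page: 1-63 characters, lowercase
# alphanumerics or hyphens only, and the first character must be a letter.
NAME_RE = re.compile(r"^[a-z][a-z0-9-]{0,62}$")

# The two URL identifier formats on this page (project-level is Preview).
URL_RE = re.compile(
    r"^(?P<scope>organizations|projects)/(?P<parent>[^/]+)"
    r"/locations/(?P<location>[^/]+)/securityProfileGroups/(?P<name>[^/]+)$"
)


def is_valid_name(name: str) -> bool:
    """Return True if NAME satisfies all three naming requirements."""
    return NAME_RE.fullmatch(name) is not None


def parse_spg_ref(ref: str, default_parent: Optional[str] = None) -> dict:
    """Resolve a security profile group reference to its components.

    A full URL identifier already carries the organization/project and the
    location. A bare short name needs the parent passed separately as
    "organizations/ID" or "projects/ID"; the location is assumed to be
    global (assumption: the only location shown on this page).
    """
    m = URL_RE.fullmatch(ref)
    if m:
        parts = m.groupdict()
    else:
        if "/" in ref:
            raise ValueError(f"malformed security profile group reference: {ref!r}")
        if not default_parent:
            raise ValueError("short name given without an organization or project")
        scope, _, parent = default_parent.partition("/")
        if scope not in ("organizations", "projects") or not parent or "/" in parent:
            raise ValueError(f"parent must be organizations/ID or projects/ID: {default_parent!r}")
        parts = {"scope": scope, "parent": parent, "location": "global", "name": ref}
    if not is_valid_name(parts["name"]):
        raise ValueError(f"invalid security profile group name: {parts['name']!r}")
    if parts["location"] != "global":
        raise ValueError(f"security profile groups are global; got location {parts['location']!r}")
    parts["level"] = "organization" if parts["scope"] == "organizations" else "project (Preview)"
    parts["url"] = (f"{parts['scope']}/{parts['parent']}/locations/global"
                    f"/securityProfileGroups/{parts['name']}")
    return parts
```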
A firewall rule must contain the name of the security profile group to be used by the intercept endpoints.
Security profile groups apply to in-band integration firewall policies only when you add a firewall rule with the action APPLY_SECURITY_PROFILE_GROUP. You can configure security profile groups in hierarchical firewall policy rules and global network firewall policy rules.
Depending on the firewall rule's direction flag, the rule can affect both incoming and outgoing traffic within the Virtual Private Cloud (VPC) network. The intercepted traffic is then sent to the intercept endpoint group defined in the security profile referenced by the configured security profile group. Subsequently, the intercept endpoint group redirects the intercepted traffic to the producer deployment group attached by network deployments.
Each security profile group must have an associated project ID. The associated project is used for quotas. If you authenticate your service account by using the gcloud auth activate-service-account command, you can associate your service account with the security profile group. To learn more about how to create a security profile group, see Create and manage security profile groups.
When you add security profiles to a security profile group, the following constraints apply:
Identity and Access Management roles
The following table describes the Identity and Access Management (IAM) roles required for managing the security profile groups:
| Ability | Necessary role |
|---|---|
| Create a security profile group | Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization or the project where you want to create a security profile group. |
| Modify a security profile group | Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization or the project where the security profile group exists. |
| View details about the security profile group in an organization or a project | Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization or the project where the security profile group exists. |
| View all security profile groups in an organization or a project | Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization or the project where the security profile group exists. |
| Use a security profile group in an in-band integration policy rule in an organization or a project | Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization or the project where the security profile group exists. |
If you don't have the Security Profile Admin role (networksecurity.securityProfileAdmin), you can create security profile groups with the following permissions:
- networksecurity.securityProfileGroups.create
- networksecurity.securityProfileGroups.delete
- networksecurity.securityProfileGroups.get
- networksecurity.securityProfileGroups.list
- networksecurity.securityProfileGroups.update
- networksecurity.securityProfileGroups.use
For more information about IAM permissions and predefined roles, see IAM permissions reference.
Quotas
To view quotas associated with security profile groups, see Quotas and limits.