A security profile is a custom global, organization-level policy that the intercept firewall rules apply to the intercepted traffic.
Security profiles define how the Network Security Integration service handles your network traffic. You use security profiles to to associate an endpoint group with the Virtual Private Cloud (VPC) network. When used with a firewall rule, a security profile directs the network traffic to the intercept endpoint group.
This page provides a detailed overview of security profiles and their capabilities.
Specifications
Security profiles have the following specifications:
A security profile is a custom global organizational-level resource.
The name of a security profile is configured in the following format:
organizations/ORGANIZATION_ID/locations/global/securityProfiles/SECURITY_PROFILE_IDFor example, the name for the security profile group ID
example-security-profilein organizationexample-orgisorganizations/example-org/locations/global/securityProfiles/example-security-profile.After you create a security profile, attach it to a security profile group. This network firewall policy of the VPC network references the security profile to process your network traffic within Network Security Integration.
Traffic that matches the network firewall policy rule is sent to the endpoint group referenced by the security profile.
Associate each security profile with a project ID. The associated project is used for quotas on security profile resources. If you authenticate your service account by using the
gcloud auth activate-service-accountcommand, you can associate your service account with the security profile. To learn more about how to create a security profile, see Create and manage custom security profiles.
Identity and Access Management roles
The following table describes the Identity and Access Management (IAM) roles required for managing the security profiles:
| Ability | Necessary role |
|---|---|
| Create a custom intercept security profile | Security Profile Admin role (networksecurity.securityProfileAdmin)
on the organization where the custom intercept security profile is created. |
| Modify a custom intercept security profile | Security Profile Admin role (networksecurity.securityProfileAdmin)
on the organization where the custom intercept security profile is created. |
| View details about the custom intercept security profile in an organization | Security Profile Admin role (networksecurity.securityProfileAdmin)
on the organization where the custom intercept security profile is created. |
| View all custom intercept security profiles in an organization | Security Profile Admin role (networksecurity.securityProfileAdmin)
on the organization where the custom intercept security profile is created. |
| Use a custom intercept security profile in a security profile group | Security Profile Admin role (networksecurity.securityProfileAdmin)
on the organization where the custom intercept security profile is created. |
If you don't have the
Security Profile Admin
role
(networksecurity.securityProfileAdmin), you can create custom intercept security
profile with the following permissions:
networksecurity.securityProfiles.createnetworksecurity.securityProfiles.deletenetworksecurity.securityProfiles.getnetworksecurity.securityProfiles.listnetworksecurity.securityProfiles.updatenetworksecurity.securityProfiles.use
For more information about the IAM permissions and the predefined roles, see IAM permissions reference.
Quotas
To view quotas associated with custom intercept security profiles, see Quotas and limits.