Security profiles overview

A security profile is a custom, global policy that firewall rules with the intercept action apply to intercepted traffic.

Security profiles define how the Network Security Integration service handles your network traffic. A custom intercept security profile references an intercept endpoint group; you use the profile to associate that endpoint group with a Virtual Private Cloud (VPC) network. When a firewall rule applies the security profile, the rule directs matching traffic to the intercept endpoint group.

This page provides a detailed overview of security profiles and their capabilities.

Specifications

Security profiles have the following specifications:

  • The name of a security profile is configured in the following URL identifier format:

    • Organization-level: organizations/ORGANIZATION_ID/locations/global/securityProfiles/NAME

    • Project-level (Preview): projects/PROJECT_ID/locations/global/securityProfiles/NAME

    The NAME of the security profile must meet the following requirements:

    • A string 1-63 characters long
    • Contains only lowercase alphanumeric characters or hyphens (-)
    • Starts with a letter

    Examples:

    • Organization-level security profile: organizations/2345678432/locations/global/securityProfiles/example-security-profile.
    • Project-level security profile (Preview): projects/my-project-123/locations/global/securityProfiles/example-security-profile.

    If you use the unique URL identifier for the security profile name, the URL already includes the organization or project, and the location. If you specify only the short name, you must provide the organization ID or the project ID and the location separately when you use gcloud commands.

  • After you create a security profile, add it to a security profile group. A network firewall policy rule in the VPC network then references that security profile group, which is how the rule processes your network traffic within Network Security Integration.

  • Traffic that matches the network firewall policy rule is sent to the intercept endpoint group that the security profile references.

  • Associate each security profile with a project ID. The associated project is used for quota accounting on security profile resources. If you authenticate a service account by using the gcloud auth activate-service-account command, you can associate that service account with the security profile. To learn more about how to create a security profile, see Create and manage custom security profiles.
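The two resource-name forms and the short-name rules above are easy to get wrong in automation (for example, a script that passes a full resource name and an --organization flag, or a short name with no parent at all). The following Python helper is an added example, not code from the page or from Google Cloud, that parses either form into its parts, validates NAME against the stated rules, and resolves a short name the way the text describes: the parent (organization or project) and location must be supplied separately. The project-ID pattern is an assumption taken from the example my-project-123; numeric organization IDs and the global-only location are taken from the formats shown on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Short-name rules from the page: 1-63 characters, lowercase letters,
# digits or hyphens, first character a letter.
_NAME_RE = re.compile(r"^[a-z][a-z0-9-]{0,62}$")

# Full resource-name forms from the page. Organization IDs are numeric.
# The project-ID pattern is an assumption based on the example
# "my-project-123"; it is not a rule stated on the page.
_ORG_RE = re.compile(
    r"^organizations/(?P<org>\d+)/locations/(?P<loc>[^/]+)/securityProfiles/(?P<name>[^/]+)$"
)
_PROJ_RE = re.compile(
    r"^projects/(?P<proj>[a-z][a-z0-9-]*)/locations/(?P<loc>[^/]+)/securityProfiles/(?P<name>[^/]+)$"
)

# The page only documents locations/global for security profiles.
_LOCATION = "global"


@dataclass(frozen=True)
class SecurityProfileRef:
    scope: str       # "organization" or "project"
    parent_id: str   # organization ID or project ID
    location: str
    name: str

    def resource_name(self) -> str:
        """Render the canonical URL identifier in the page's format."""
        prefix = "organizations" if self.scope == "organization" else "projects"
        return f"{prefix}/{self.parent_id}/locations/{self.location}/securityProfiles/{self.name}"


def is_valid_short_name(name: str) -> bool:
    """True if NAME satisfies the length, character-set and first-character rules."""
    return _NAME_RE.fullmatch(name) is not None


def parse_security_profile(
    value: str,
    *,
    organization: Optional[Union[int, str]] = None,
    project: Optional[str] = None,
    location: str = _LOCATION,
) -> SecurityProfileRef:
    """Resolve a security profile reference.

    A full resource name already carries the parent and location, so any
    organization/project argument is ignored. A short name needs exactly one
    of organization or project (plus the location), mirroring what the page
    says about supplying them separately to gcloud.
    """
    m = _ORG_RE.match(value)
    if m:
        ref = SecurityProfileRef("organization", m["org"], m["loc"], m["name"])
    else:
        m = _PROJ_RE.match(value)
        if m:
            ref = SecurityProfileRef("project", m["proj"], m["loc"], m["name"])
        elif "/" in value:
            raise ValueError(f"unrecognized security profile resource name: {value!r}")
        elif (organization is None) == (project is None):
            raise ValueError("a short name needs exactly one of organization or project")
        elif organization is not None:
            ref = SecurityProfileRef("organization", str(organization), location, value)
        else:
            ref = SecurityProfileRef("project", project, location, value)

    if ref.location != _LOCATION:
        raise ValueError(f"security profiles are global; got location {ref.location!r}")
    if not is_valid_short_name(ref.name):
        raise ValueError(
            f"invalid security profile name {ref.name!r}: must be 1-63 chars, "
            "lowercase alphanumerics or hyphens, and start with a letter"
        )
    return ref


if __name__ == "__main__":
    # Constructed inputs, using the identifiers from the page's own examples.
    full = "organizations/2345678432/locations/global/securityProfiles/example-security-profile"
    print(parse_security_profile(full))
    print(parse_security_profile("example-security-profile", project="my-project-123").resource_name())
```

Because the check runs before anything is sent to the API, a malformed name or a missing parent fails in the caller instead of surfacing as an opaque error from gcloud or the Network Security API.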

Identity and Access Management roles

The following table describes the Identity and Access Management (IAM) roles required for managing the security profiles:

Ability                                                                                   Necessary role
----------------------------------------------------------------------------------------  ---------------------------------------------------------------------------------------------------------------------------------------------
Create a custom intercept security profile                                                Security Profile Admin (roles/networksecurity.securityProfileAdmin) on the organization or the project where you want to create the profile.
Modify a custom intercept security profile                                                Security Profile Admin (roles/networksecurity.securityProfileAdmin) on the organization or the project where the profile exists.
View details about a custom intercept security profile in an organization or a project    Security Profile Admin (roles/networksecurity.securityProfileAdmin) on the organization or the project where the profile exists.
View all custom intercept security profiles in an organization or a project               Security Profile Admin (roles/networksecurity.securityProfileAdmin) on the organization or the project where the profiles exist.
Use a custom intercept security profile in a security profile group                       Security Profile Admin (roles/networksecurity.securityProfileAdmin) on the organization or the project where the profile exists.

If you don't have the Security Profile Admin role (roles/networksecurity.securityProfileAdmin), a role that grants the following permissions lets you perform the same operations on custom intercept security profiles. Grant only the permissions the principal actually needs: creating a profile requires only networksecurity.securityProfiles.create, and a principal that only reads profiles needs get and list, not delete or update.

  • networksecurity.securityProfiles.create
  • networksecurity.securityProfiles.delete
  • networksecurity.securityProfiles.get
  • networksecurity.securityProfiles.list
  • networksecurity.securityProfiles.update
  • networksecurity.securityProfiles.use

For more information about the IAM permissions and the predefined roles, see IAM permissions reference.

Quotas

To view quotas associated with custom intercept security profiles, see Quotas and limits.

What's next