Create and manage mirroring deployment groups

Create a mirroring deployment group to represent the producer services across different zones within a project.

This page explains how to configure the mirroring deployment groups.

Before you begin

Roles

To get the permissions that you need to create, view, or delete mirroring deployment groups, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

To check the progress of the operations listed on this page, make sure that your user role includes the following permissions from the Mirroring Deployment Admin role (roles/networksecurity.mirroringDeploymentAdmin):

  • networksecurity.mirroringDeployments.create
  • networksecurity.mirroringDeployments.delete
  • networksecurity.mirroringDeployments.get
  • networksecurity.mirroringDeployments.list

Create a mirroring deployment group

The mirroring deployment group is a collection of mirroring deployments. You create a mirroring deployment group across different locations within a project. The deployment group references the network in which all deployments are created.

When you create a mirroring deployment group, you can specify the name of the mirroring deployment group as a string or as a unique URL identifier. The unique URL for a project-scoped mirroring deployment group can be constructed in the following format:

projects/PROJECT_ID/locations/global/mirroringDeploymentGroups/DEPLOYMENT_GROUP_ID

Replace the following:

  • PROJECT_ID: ID of the project.

  • DEPLOYMENT_GROUP_ID: ID of the mirroring deployment group.

If you use a unique URL identifier for the mirroring deployment group name, the project and location of the mirroring deployment group are already included in the URL identifier. However, if you use only the mirroring deployment group name, you must specify the project and location separately. For more information about unique URL identifiers, see mirroring deployment group specifications.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

  2. Click Create deployment group.

  3. For Name, enter a unique name for the deployment group.

  4. For Network, select a VPC network. All mirroring deployments must reference internal passthrough Network Load Balancers that use this network.

  5. For Purpose, select NSI out-of-band.

  6. Click Create.

gcloud

To create a mirroring deployment group, use the gcloud beta network-security mirroring-deployment-groups create command:

 gcloud beta network-security mirroring-deployment-groups \
     create DEPLOYMENT_GROUP \
     --location global \
     --project PROJECT \
     --network NETWORK \
     --no-async

Replace the following:

  • DEPLOYMENT_GROUP: the name of the mirroring deployment group; you can specify the name as a string or as a unique URL identifier.

  • PROJECT: the project name of the mirroring deployment group.

  • NETWORK: the name of your network.

Terraform

To create a mirroring deployment group, you can use a google_network_security_mirroring_deployment_group resource.

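resource "google_network_security_mirroring_deployment_group" "default" {
  mirroring_deployment_group_id = "mirroring-deployment-group"
  location                      = "global"
  # google_compute_network.default is a VPC network resource that must be
  # defined elsewhere in the same Terraform configuration.
  network                       = google_compute_network.default.id
}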

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

View a mirroring deployment group

You can view the details of a specific mirroring deployment group in a project.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

  2. Click the deployment group.

gcloud

To view details of a mirroring deployment group, use the gcloud network-security mirroring-deployment-groups describe command:

gcloud network-security mirroring-deployment-groups \
    describe DEPLOYMENT_GROUP \
    --project PROJECT \
    --location global

Replace the following:

  • DEPLOYMENT_GROUP: the name of the mirroring deployment group.

  • PROJECT: the project name of the mirroring deployment group.

List mirroring deployment groups

You can list all the mirroring deployment groups in your project.

Console

To see all the mirroring deployment groups of the project, complete the following steps:

  1. In the Google Cloud console, go to the Deployment groups page.

  2. To list the mirroring deployment groups, click Filter.

  3. From the Properties list, select Purpose and then for Value, select NSI out-of-band.

gcloud

To list mirroring deployment groups, use the gcloud network-security mirroring-deployment-groups list command:

 gcloud network-security mirroring-deployment-groups list \
     --project PROJECT

Replace PROJECT with the name of the project where the mirroring deployment groups are created.

Delete a mirroring deployment group

You can delete a mirroring deployment group by specifying its name, location, and project. However, a mirroring deployment group that is referenced by a mirroring deployment cannot be deleted.

Console

  1. In the Google Cloud console, go to the Deployment groups page.

  2. Select the checkbox of the deployment group and click Delete.

  3. Click Delete again to confirm.

gcloud

To delete a mirroring deployment group, use the gcloud network-security mirroring-deployment-groups delete command:

 gcloud network-security mirroring-deployment-groups \
     delete DEPLOYMENT_GROUP \
     --location global \
     --project PROJECT \
     --no-async

Replace the following:

  • DEPLOYMENT_GROUP: the name of the mirroring deployment group that you want to delete.

  • PROJECT: the project name of the mirroring deployment group.
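
A pre-delete check that ties together the unique URL identifier format from the create section and the rule that a referenced group cannot be deleted. This is an added example, not part of the original page or of gcloud: the function names, the tab-separated inventory format, and all project, group, and deployment IDs are constructed, and the script makes no Google Cloud calls.

```shell
# Added example: function names and all IDs below are constructed.
# Expand a short name or a full identifier to
# projects/PROJECT_ID/locations/global/mirroringDeploymentGroups/DEPLOYMENT_GROUP_ID
# $1 = name or identifier, $2 = project (needed only with a short name).
mdg_full_name() {
  local name="$1" project="${2:-}" rest url_project id
  case $name in
    projects/*)
      rest=${name#projects/}
      url_project=${rest%%/*}
      rest=${rest#"$url_project"/}
      case $rest in
        locations/global/mirroringDeploymentGroups/*) ;;
        *) echo "error: not a global mirroring deployment group: $name" >&2; return 1 ;;
      esac
      id=${rest#locations/global/mirroringDeploymentGroups/}
      # The identifier already carries the project; reject a conflicting one.
      if [ -n "$project" ] && [ "$project" != "$url_project" ]; then
        echo "error: project $project conflicts with $url_project" >&2; return 1
      fi
      project=$url_project ;;
    *) id=$name ;;
  esac
  case $id in
    ''|*/*) echo "error: bad group ID in: $name" >&2; return 1 ;;
  esac
  [ -n "$project" ] || { echo "error: project is required" >&2; return 1; }
  printf 'projects/%s/locations/global/mirroringDeploymentGroups/%s\n' "$project" "$id"
}

# Print the deployments whose group reference resolves to the target group;
# any output means the delete would be refused.
# $1 = group (either form), $2 = project, stdin = "DEPLOYMENT<TAB>GROUP_REF" lines.
mdg_delete_blockers() {
  local target dep ref full
  target=$(mdg_full_name "$1" "$2") || return 2
  while IFS="$(printf '\t')" read -r dep ref; do
    full=$(mdg_full_name "$ref" "$2" 2>/dev/null) || continue
    [ "$full" = "$target" ] && printf '%s\n' "$dep"
  done
  return 0
}

# Constructed inventory: two deployments reference my-group, one does not.
printf 'dep-a\tprojects/my-project/locations/global/mirroringDeploymentGroups/my-group\ndep-b\tother-group\ndep-c\tmy-group\n' |
  mdg_delete_blockers my-group my-project
```

An empty result means no deployment in the supplied inventory references the group. The conflict check in mdg_full_name stops a command from silently targeting a different project than the one embedded in the identifier.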
