Security profile groups overview

A security profile group is a container for custom security profiles. A mirroring rule references a security profile group to enable the processing of network traffic within Network Security Integration.

This document provides a detailed overview of security profile groups and their capabilities.

Specifications

  • A security profile group is a global resource that exists either at the organization level or at the project level (Preview).

  • The name of a security profile group is configured in the following URL identifier format:

    • Organization-level: organizations/ORGANIZATION_ID/locations/global/securityProfileGroups/NAME

    • Project-level (Preview): projects/PROJECT_ID/locations/global/securityProfileGroups/NAME

    The NAME of the security profile group must meet the following requirements:

    • A string 1-63 characters long
    • Contains only lowercase alphanumeric characters or hyphens (-)
    • Starts with a letter

    Examples:

    • Organization-level security profile group: organizations/2345678432/locations/global/securityProfileGroups/example-security-profile-group.
    • Project-level security profile group (Preview): projects/my-project-123/locations/global/securityProfileGroups/example-security-profile-group.

    If you use the unique URL identifier for the security profile group name, the URL already includes the organization or project, and the location. If you specify only the short name, you must provide the organization ID or the project ID and the location separately when you use gcloud commands.

  • You can add only one security profile of type CUSTOM_MIRRORING to a security profile group.

  • A mirroring rule must contain the name of the security profile group to be used by the mirroring endpoints.

  • Security profile groups take effect in packet mirroring policies only when a mirroring rule with the action MIRROR references them. You can configure security profile groups in hierarchical firewall policy rules and in global network firewall policy rules.

  • Depending on the direction flag set on the mirroring rule, the rule applies to incoming (ingress) or outgoing (egress) traffic within the Virtual Private Cloud (VPC) network. Traffic that matches the rule is mirrored to the mirroring endpoint group defined in the security profile that the configured security profile group references. The mirroring endpoint group in turn forwards the mirrored traffic to the producer's mirroring deployment group, to which the third-party deployments are attached.

  • Each security profile group must have an associated project ID. The associated project is used for quota accounting and for access restrictions on security profile group resources. If you authenticate as a service account by using the gcloud auth activate-service-account command, you can associate that service account with the security profile group. To learn how to create a security profile group, see Create and manage security profile groups.

  • When you add security profiles to a security profile group, the following constraints apply:

    • An organization-level security profile group can reference only organization-level security profiles.
    • A project-level security profile group (Preview) can reference only project-level security profiles (Preview) in the same project.
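The naming format, the short-name versus full-identifier rule, the single CUSTOM_MIRRORING profile limit, and the organization/project referencing constraints above can all be checked locally before you run any gcloud command. The following is an added example and not Google Cloud's own code: it encodes those rules from this page as a small validator. The class and function names (GroupRef, ProfileRef, parse_group_name, check_group) are this example's own, and the securityProfiles resource-name format used for the referenced profiles is an assumption, since the page only gives the format for groups.

```python
"""Validate security profile group names and the profiles they reference.

Added example, not Google Cloud's own code. Encodes the naming format and
referencing constraints from the Specifications section so that a group
definition can be checked offline before any gcloud or API call.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# NAME rule from the page: 1-63 chars, lowercase alphanumerics or hyphens,
# and the first character must be a letter.
NAME_RE = re.compile(r"^[a-z][a-z0-9-]{0,62}$")

# Full URL identifier formats from the page. The location is always "global";
# any other location (or any other path shape) is rejected by these patterns.
ORG_GROUP_RE = re.compile(
    r"^organizations/(?P<parent>\d+)/locations/global/securityProfileGroups/(?P<name>[^/]+)$")
PROJECT_GROUP_RE = re.compile(
    r"^projects/(?P<parent>[^/]+)/locations/global/securityProfileGroups/(?P<name>[^/]+)$")

# Resource-name formats of the security profiles a group references.
# ASSUMPTION: the page gives only the group formats; these mirror them.
ORG_PROFILE_RE = re.compile(
    r"^organizations/(?P<parent>\d+)/locations/global/securityProfiles/(?P<name>[^/]+)$")
PROJECT_PROFILE_RE = re.compile(
    r"^projects/(?P<parent>[^/]+)/locations/global/securityProfiles/(?P<name>[^/]+)$")


@dataclass(frozen=True)
class GroupRef:
    scope: str    # "organization" or "project"
    parent: str   # organization ID or project ID
    name: str     # the short NAME of the group

    @property
    def url(self) -> str:
        """Rebuild the full URL identifier in the format the page specifies."""
        prefix = "organizations" if self.scope == "organization" else "projects"
        return f"{prefix}/{self.parent}/locations/global/securityProfileGroups/{self.name}"


def parse_group_name(value: str, organization: Optional[str] = None,
                     project: Optional[str] = None) -> GroupRef:
    """Accept a full URL identifier or a short NAME and return a GroupRef.

    A full identifier already carries the parent and the location. A short
    NAME needs exactly one of organization/project supplied separately,
    which is what gcloud requires when you pass only the short name.
    """
    om = ORG_GROUP_RE.match(value)
    pm = PROJECT_GROUP_RE.match(value)
    if om:
        ref = GroupRef("organization", om["parent"], om["name"])
    elif pm:
        ref = GroupRef("project", pm["parent"], pm["name"])
    elif "/" in value:
        raise ValueError(f"not a security profile group identifier: {value!r}")
    elif (organization is None) == (project is None):
        raise ValueError("a short NAME needs exactly one of organization or project")
    elif organization is not None:
        ref = GroupRef("organization", str(organization), value)
    else:
        ref = GroupRef("project", project, value)
    if not NAME_RE.match(ref.name):  # applies to the NAME part of a full identifier too
        raise ValueError(
            f"invalid NAME {ref.name!r}: 1-63 chars, only [a-z0-9-], must start with a letter")
    return ref


@dataclass(frozen=True)
class ProfileRef:
    url: str
    profile_type: str   # for example "CUSTOM_MIRRORING"


def check_group(group: GroupRef, profiles: List[ProfileRef]) -> List[str]:
    """Return every constraint violation for the profiles a group would hold.

    Rules from the page: at most one CUSTOM_MIRRORING profile per group; an
    organization-level group references only organization-level profiles; a
    project-level group references only project-level profiles in its own project.
    """
    problems = []
    mirroring = [p for p in profiles if p.profile_type == "CUSTOM_MIRRORING"]
    if len(mirroring) > 1:
        problems.append(f"{len(mirroring)} CUSTOM_MIRRORING profiles; only one is allowed per group")
    for p in profiles:
        om = ORG_PROFILE_RE.match(p.url)
        pm = PROJECT_PROFILE_RE.match(p.url)
        if not (om or pm):
            problems.append(f"{p.url}: not a security profile identifier")
        elif group.scope == "organization" and not om:
            problems.append(f"{p.url}: organization-level group can reference only organization-level profiles")
        elif group.scope == "project" and not pm:
            problems.append(f"{p.url}: project-level group can reference only project-level profiles")
        elif group.scope == "project" and pm["parent"] != group.parent:
            problems.append(f"{p.url}: profile must be in the group's own project {group.parent}")
    return problems


if __name__ == "__main__":
    # Constructed inputs that reuse the IDs from the page's examples.
    org_group = parse_group_name(
        "organizations/2345678432/locations/global/securityProfileGroups/example-security-profile-group")
    proj_group = parse_group_name("example-security-profile-group", project="my-project-123")
    print(org_group.url)
    print(proj_group.url)
    violations = check_group(org_group, [
        ProfileRef("organizations/2345678432/locations/global/securityProfiles/mirror-a", "CUSTOM_MIRRORING"),
        ProfileRef("projects/my-project-123/locations/global/securityProfiles/mirror-b", "CUSTOM_MIRRORING"),
    ])
    for line in violations:
        print("violation:", line)
```

Run it as a script to see the two example identifiers rebuilt from a full URL and from a short name plus --project, followed by the two violations the constructed org-level group produces (a second CUSTOM_MIRRORING profile, and a project-level profile referenced from an organization-level group). The same checks are what a CI step could run over a Terraform or YAML definition before it reaches the API.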

Identity and Access Management roles

The following list describes the role that is necessary for each task.

  • Create a security profile group: Security Profile Admin role (roles/networksecurity.securityProfileAdmin) on the organization or the project where you want to create the security profile group.
  • Modify a security profile group: Security Profile Admin role (roles/networksecurity.securityProfileAdmin) on the organization or the project where the security profile group exists.
  • View details about a security profile group in an organization or a project: any of the following roles on the organization or the project where the security profile group exists:
  • View all of the security profile groups in an organization or a project: any of the following roles on the organization or the project where the security profile group exists:
  • Use a security profile group in a packet mirroring policy rule in an organization or a project: any of the following roles on the organization or the project where the security profile group exists:

If you don't have the Security Profile Admin role (roles/networksecurity.securityProfileAdmin), you can still create and manage security profile groups with a role that grants the following permissions:

  • networksecurity.securityProfileGroups.create
  • networksecurity.securityProfileGroups.delete
  • networksecurity.securityProfileGroups.get
  • networksecurity.securityProfileGroups.list
  • networksecurity.securityProfileGroups.update
  • networksecurity.securityProfileGroups.use

For more information about IAM permissions and predefined roles, see IAM permissions reference.

Quotas

To view quotas associated with security profile groups, see Quotas and limits.

What's next