This page describes how to create and manage security profile groups with a custom intercept security profile.
Before you begin
- Enable the Network Security API in your project.
- Install the gcloud CLI.
- Create a custom intercept security profile.
Roles
To get the permissions that you need to create, view, update, or delete security profile groups, ask your administrator to grant you the required Identity and Access Management (IAM) roles on your organization or project. For more information about granting roles, see Manage access to projects, folders, and organizations.
To check the progress of the operations listed on this page, make sure that your user role has the following Compute Network User role (roles/compute.networkUser) permissions:
- networksecurity.operations.get
- networksecurity.operations.list
Create a security profile group
You can create security profile groups at organization or project level (Preview). We recommend that you create the security profile group in a project owned by your security administrator.
Console
In the Google Cloud console, go to the Security profile groups page.
From the project picker, select your organization or the project (Preview).
In the Security profile groups tab, click Create profile group.
For Name, enter the name of the security profile group.
For Security profile group purpose, select NSI in-band.
For Custom intercept profile, select the custom security profile for in-band integration.
Click Create.
gcloud
To create a security profile group, use the gcloud network-security security-profile-groups create command:
gcloud network-security security-profile-groups create SECURITY_PROFILE_GROUP_NAME \
--custom-intercept-profile CUSTOM_INTERCEPT_PROFILE_ID \
--organization ORGANIZATION_ID | --project PROJECT_ID \
[--billing-project QUOTA_PROJECT_ID] \
--location global
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group. If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
- CUSTOM_INTERCEPT_PROFILE_ID: the ID of the custom intercept security profile.
- ORGANIZATION_ID: your organization ID. Use this flag to create an organization-level security profile group.
- PROJECT_ID: your project ID. Use this flag to create a project-level security profile group (Preview). The --project flag is available in Preview. To use this flag, run the gcloud beta network-security security-profile-groups create command.
- QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profile groups.
Terraform
To create a security profile group, you can use a google_network_security_security_profile_group resource.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
List and view details of a security profile group
You can list security profile groups in an organization or a project (Preview), and view the details of a group, such as its name and custom intercept profile.
Console
In the Google Cloud console, go to the Security profile groups page.
From the project picker, select your organization or the project (Preview). The tab lists all security profile groups.
In the Security profile groups tab, click the name of the security profile group to see its details.
gcloud
To list security profile groups, use the gcloud network-security security-profile-groups list command:
gcloud network-security security-profile-groups list \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location global \
[--billing-project QUOTA_PROJECT_ID]
To view details of a security profile group, use the gcloud network-security security-profile-groups describe command:
gcloud network-security security-profile-groups describe SECURITY_PROFILE_GROUP_NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
[--billing-project QUOTA_PROJECT_ID] \
--location global
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group. If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
- ORGANIZATION_ID: your organization ID where the security profile group exists.
- PROJECT_ID: your project ID where the security profile group exists. The --project flag is available in Preview. To use this flag, run the gcloud beta network-security security-profile-groups describe command.
- QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profile groups.
The output displays security profile group names in the following formats:
- Organization-level security profile groups: organizations/ORGANIZATION_ID/locations/global/securityProfileGroups/SECURITY_PROFILE_GROUP_NAME
- Project-level security profile groups (Preview): projects/PROJECT_ID/locations/global/securityProfileGroups/SECURITY_PROFILE_GROUP_NAME
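The two name formats above are what scripts that inventory security profile groups have to parse. The following POSIX sh helpers are an added example, not code from the Google Cloud documentation: spg_parse splits a full name into its scope kind, scope ID and group name (rejecting anything that is not in one of the two formats), and spg_names_in reads list output and keeps only the groups that belong to one organization or project. The sample list output is constructed with placeholder IDs; in practice you would feed it the output of the list command with --format='value(name)', which prints one full name per line.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud documentation: parse the full
# security profile group names that the list and describe commands display, and
# pick out the groups that live in a given organization or project.

# spg_parse FULL_NAME
# Prints "KIND SCOPE_ID GROUP_NAME" (KIND is organization or project), or
# returns 1 if the name is not in one of the two documented formats.
spg_parse() {
  full=$1
  case $full in
    organizations/*/locations/global/securityProfileGroups/*) prefix=organizations; kind=organization ;;
    projects/*/locations/global/securityProfileGroups/*)      prefix=projects;      kind=project ;;
    *) echo "spg_parse: not a security profile group name: $full" >&2; return 1 ;;
  esac
  rest=${full#*/}      # drop "organizations/" or "projects/"
  scope=${rest%%/*}    # ORGANIZATION_ID or PROJECT_ID
  group=${full##*/}    # SECURITY_PROFILE_GROUP_NAME
  # Rebuild the name from its parts; this rejects extra path segments that the
  # "*" in the patterns above would otherwise accept (a "/" inside an ID).
  if [ "$prefix/$scope/locations/global/securityProfileGroups/$group" != "$full" ]; then
    echo "spg_parse: unexpected path segments in: $full" >&2; return 1
  fi
  [ -n "$scope" ] && [ -n "$group" ] || { echo "spg_parse: empty ID or name in: $full" >&2; return 1; }
  echo "$kind $scope $group"
}

# spg_names_in KIND SCOPE_ID
# Reads full names on stdin and prints the short names of the groups that belong
# to the given organization or project. Lines that do not parse are reported on
# stderr and skipped, so one odd line does not abort an inventory run.
spg_names_in() {
  want_kind=$1; want_scope=$2
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    parsed=$(spg_parse "$line") || continue
    set -- $parsed         # KIND SCOPE_ID GROUP_NAME
    if [ "$1" = "$want_kind" ] && [ "$2" = "$want_scope" ]; then
      echo "$3"
    fi
  done
}

# Constructed sample of list output (placeholder IDs, not real resources):
# organization- and project-level groups plus one line in neither format.
SAMPLE_LIST_OUTPUT='organizations/123456789012/locations/global/securityProfileGroups/spg-intercept-prod
projects/my-project/locations/global/securityProfileGroups/spg-intercept-dev
organizations/123456789012/locations/global/securityProfileGroups/spg-intercept-test
folders/987/locations/global/securityProfileGroups/not-a-valid-scope'

# Stand-alone demo: group names in organization 123456789012.
printf '%s\n' "$SAMPLE_LIST_OUTPUT" | spg_names_in organization 123456789012
```

Because the patterns match path segments loosely, the function rebuilds the name from the parsed parts and compares it with the input; that check is what turns a lenient glob into a strict format validator.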
Delete a security profile group
Before you delete a security profile group, delete the custom intercept security profile that references the security profile group.
Console
In the Google Cloud console, go to the Security profile groups page.
From the project picker, select your organization or the project (Preview).
In the Security profile groups tab, select the checkbox of the security profile group and click Delete.
Click Delete again to confirm.
gcloud
To delete a security profile group, use the gcloud network-security security-profile-groups delete command:
gcloud network-security security-profile-groups delete SECURITY_PROFILE_GROUP_NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
[--billing-project QUOTA_PROJECT_ID] \
--location global
Replace the following:
- SECURITY_PROFILE_GROUP_NAME: the name of the security profile group that you want to delete. If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
- ORGANIZATION_ID: your organization ID where the security profile group exists.
- PROJECT_ID: your project ID where the security profile group exists. The --project flag is available in Preview. To use this flag, run the gcloud beta network-security security-profile-groups delete command.
- QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profile groups.
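The create, list, describe and delete commands on this page share one shape and the same rules: exactly one of --organization or --project, the beta command track when --project is used (Preview), --custom-intercept-profile only on create, and --billing-project only for organization-level groups. The following POSIX sh wrapper is an added example, not code from the Google Cloud documentation or the gcloud CLI: it assembles each command line and refuses the combinations the page describes as invalid, printing the command rather than running it so you can review it first. The option letters, the function name and all IDs are assumptions and placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud documentation: build the gcloud
# "security-profile-groups" command lines from this page while enforcing the
# constraints the page states. Nothing is executed; the command is printed.

# spg_cmd VERB [-o ORGANIZATION_ID | -p PROJECT_ID] [-n GROUP_NAME]
#         [-i CUSTOM_INTERCEPT_PROFILE_ID] [-q QUOTA_PROJECT_ID]
# VERB is create, list, describe or delete. Prints the command on stdout and
# returns 1 (with a message on stderr) for an option combination that the
# page says is not valid.
spg_cmd() {
  verb=$1; shift
  org=""; proj=""; name=""; profile=""; quota=""
  OPTIND=1   # reset so the function can be called more than once
  while getopts "o:p:n:i:q:" opt; do
    case $opt in
      o) org=$OPTARG ;;
      p) proj=$OPTARG ;;
      n) name=$OPTARG ;;
      i) profile=$OPTARG ;;
      q) quota=$OPTARG ;;
      *) return 1 ;;
    esac
  done

  case $verb in
    create|list|describe|delete) ;;
    *) echo "spg_cmd: unknown verb '$verb'" >&2; return 1 ;;
  esac
  # Exactly one scope: organization-level (GA) or project-level (Preview).
  if { [ -n "$org" ] && [ -n "$proj" ]; } || { [ -z "$org" ] && [ -z "$proj" ]; }; then
    echo "spg_cmd: specify exactly one of -o ORGANIZATION_ID or -p PROJECT_ID" >&2; return 1
  fi
  # Every verb except list names one group.
  if [ "$verb" != list ] && [ -z "$name" ]; then
    echo "spg_cmd: $verb needs -n GROUP_NAME" >&2; return 1
  fi
  # create needs the custom intercept profile; the other verbs do not take it.
  if [ "$verb" = create ] && [ -z "$profile" ]; then
    echo "spg_cmd: create needs -i CUSTOM_INTERCEPT_PROFILE_ID" >&2; return 1
  fi
  if [ "$verb" != create ] && [ -n "$profile" ]; then
    echo "spg_cmd: -i is only valid for create" >&2; return 1
  fi
  # --billing-project is only for organization-level groups.
  if [ -n "$quota" ] && [ -n "$proj" ]; then
    echo "spg_cmd: -q QUOTA_PROJECT_ID is only valid with -o ORGANIZATION_ID" >&2; return 1
  fi

  track=""
  [ -n "$proj" ] && track="beta "   # --project requires the beta track (Preview)
  cmd="gcloud ${track}network-security security-profile-groups $verb"
  [ "$verb" != list ] && cmd="$cmd $name"
  [ "$verb" = create ] && cmd="$cmd --custom-intercept-profile $profile"
  if [ -n "$org" ]; then cmd="$cmd --organization $org"; else cmd="$cmd --project $proj"; fi
  [ -n "$quota" ] && cmd="$cmd --billing-project $quota"
  echo "$cmd --location global"
}

# Stand-alone demo with placeholder IDs: prints one command per verb.
spg_cmd create   -o 123456789012 -n spg-intercept -i my-intercept-profile -q quota-project
spg_cmd list     -p my-project
spg_cmd describe -o 123456789012 -n spg-intercept
spg_cmd delete   -p my-project -n spg-intercept
```

To run a generated command, review the printed line and pass it to the shell yourself; keeping the build step separate from execution is what makes the validation useful in a change-controlled environment.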
What's next
- Create and manage intercept endpoint groups
- Security profile groups overview
- Create and manage custom intercept security profiles