This page describes how to create and manage custom intercept security profiles.
Before you begin
- Enable the Network Security API in your project.
- Install the gcloud CLI.
Roles
To get the permissions that you need to create, view, update, or delete custom intercept security profiles, ask your administrator to grant you the necessary IAM roles on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations.
To check the progress of the operations listed on this page, make sure that your user role has the following Compute Network User role (roles/compute.networkUser) permissions:
- networksecurity.operations.get
- networksecurity.operations.list
Create a custom intercept security profile
For in-band integration, you can only create a security profile of type
custom-intercept. You can create security profiles at organization or project level (Preview).
Console
In the Google Cloud console, go to the Security profiles page.
From the project picker, select your organization or the project (Preview).
In the Security profiles tab, click Create profile.
For Name, enter a name.
For Security profile purpose, select NSI in-band.
For Project, select the project that hosts the intercept endpoint group.
For Intercept endpoint group, select the intercept endpoint group.
Click Create.
gcloud
To create a custom intercept security profile for in-band integration, use the
gcloud network-security security-profiles custom-intercept create
command:
gcloud network-security security-profiles custom-intercept create CUSTOM_INTERCEPT_PROFILE_NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location global \
[--billing-project QUOTA_PROJECT_ID] \
--intercept-endpoint-group \
projects/ENDPOINT_GROUP_PROJECT_ID/locations/global/interceptEndpointGroups/ENDPOINT_GROUP_ID
Replace the following:
- CUSTOM_INTERCEPT_PROFILE_NAME: the name of the security profile. If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
- ORGANIZATION_ID: your organization ID. Use this flag to create an organization-level security profile.
- PROJECT_ID: your project ID. Use this flag to create a project-level security profile (Preview). The --project flag is available in Preview. To use this flag, run the gcloud beta network-security security-profiles custom-intercept create command.
- QUOTA_PROJECT_ID: your quota project ID. Use this flag only for an organization-level security profile.
- ENDPOINT_GROUP_PROJECT_ID: the project ID where you created the intercept endpoint group.
- ENDPOINT_GROUP_ID: the ID of the endpoint group.
Terraform
To create a security profile, you can use a google_network_security_security_profile resource.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
List and view details of a custom intercept security profile
You can list security profiles in an organization or a project (Preview), and view the details of a profile, such as its name and endpoint group ID.
Console
In the Google Cloud console, go to the Security profiles page.
From the project picker, select your organization or the project (Preview). The tab lists all security profiles.
In the Security profiles tab, click the name of the security profile.
gcloud
To list all the custom intercept security profiles, use the gcloud
network-security security-profiles custom-intercept list command:
gcloud network-security security-profiles custom-intercept list \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location global \
[--billing-project QUOTA_PROJECT_ID]
To view details of a custom intercept security profile, use the
gcloud network-security security-profiles custom-intercept describe
command:
gcloud network-security security-profiles custom-intercept describe CUSTOM_INTERCEPT_PROFILE_NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
[--billing-project QUOTA_PROJECT_ID] \
--location global
Replace the following:
- CUSTOM_INTERCEPT_PROFILE_NAME: the name of the security profile. If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
- ORGANIZATION_ID: the ID of the organization where the security profile exists.
- PROJECT_ID: the ID of the project where the security profile exists. The --project flag is available in Preview. To use this flag, run the gcloud beta network-security security-profiles custom-intercept describe command.
- QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profiles.
The output is similar to the following:
- Organization-level security profiles:
  organizations/ORGANIZATION_ID/locations/global/securityProfiles/CUSTOM_INTERCEPT_PROFILE_NAME
- Project-level security profiles (Preview):
  projects/PROJECT_ID/locations/global/securityProfiles/CUSTOM_INTERCEPT_PROFILE_NAME
Delete a custom intercept security profile
You can delete a custom intercept security profile by specifying its name, location, and organization or project. Before you delete the security profile, make sure that it isn't used by a security profile group.
Console
In the Google Cloud console, go to the Security profiles page.
From the project picker, select your organization or the project (Preview).
In the Security profiles tab, select the checkbox of the security profile, and then click Delete.
Click Delete again to confirm.
gcloud
To delete a custom intercept security profile, use the gcloud
network-security security-profiles custom-intercept delete command:
gcloud network-security security-profiles custom-intercept delete CUSTOM_INTERCEPT_PROFILE_NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
[--billing-project QUOTA_PROJECT_ID] \
--location global
Replace the following:
- CUSTOM_INTERCEPT_PROFILE_NAME: the name of the custom intercept security profile that you want to delete. If you don't specify the name in the unique URL identifier format, you must specify the organization or the project name, and the location.
- ORGANIZATION_ID: the ID of the organization where the security profile exists.
- PROJECT_ID: the ID of the project where the security profile exists. The --project flag is available in Preview. To use this flag, run the gcloud beta network-security security-profiles custom-intercept delete command.
- QUOTA_PROJECT_ID: your quota project ID. Use this flag only for organization-level security profiles.
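The following script is an added example, not part of the original page, of the check that the delete section asks for on an organization-level profile: it lists the organization's security profile groups with gcloud network-security security-profile-groups list, reads the tab-separated output of the standard --format='value(name,customInterceptProfile)' projection, and runs the delete command from this page only when no group still references the profile. If the list command itself fails, the script refuses to delete rather than treating an error as "no references". The ORG_ID and PROFILE_NAME arguments and the sample rows used for the offline self-check are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page. Refuse to delete a custom
# intercept security profile while any security profile group in the
# organization still references it.
set -eu

# Full resource name of an organization-level profile, as gcloud prints it.
profile_resource_name() {
  printf 'organizations/%s/locations/global/securityProfiles/%s\n' "$1" "$2"
}

# Read "GROUP_NAME<TAB>CUSTOM_INTERCEPT_PROFILE" rows on stdin, which is what
# `security-profile-groups list --format='value(name,customInterceptProfile)'`
# prints (groups without a custom intercept profile have an empty second
# field). Print every group that references PROFILE. Return 0 if at least one
# group references it, 1 if none does.
groups_referencing_profile() {
  profile="$1"
  found=1
  tab="$(printf '\t')"
  # `|| [ -n "$name" ]` keeps the last row even if it lacks a trailing newline.
  while IFS="$tab" read -r name ref || [ -n "$name" ]; do
    if [ "$ref" = "$profile" ]; then
      printf '%s\n' "$name"
      found=0
    fi
  done
  return "$found"
}

# Delete PROFILE_NAME in ORG_ID only if no security profile group uses it.
# Requires gcloud and permissions on the organization.
safe_delete_profile() {
  org_id="$1"
  profile_name="$2"
  profile="$(profile_resource_name "$org_id" "$profile_name")"
  # Capture the listing first so a failed list (auth, quota, typo) cannot be
  # mistaken for "no groups reference this profile".
  groups="$(gcloud network-security security-profile-groups list \
      --organization "$org_id" --location global \
      --format='value(name,customInterceptProfile)')" || {
    echo "Listing security profile groups failed; not deleting $profile." >&2
    return 1
  }
  if users="$(printf '%s\n' "$groups" | groups_referencing_profile "$profile")"; then
    echo "Refusing to delete $profile; still referenced by:" >&2
    printf '%s\n' "$users" >&2
    return 1
  fi
  gcloud network-security security-profiles custom-intercept delete "$profile_name" \
    --organization "$org_id" --location global --quiet
}

# Constructed sample rows (not real gcloud output) so the reference check can
# be exercised offline. Pass ORG_ID PROFILE_NAME as arguments to run for real.
SAMPLE_ROWS="$(printf '%s\t%s\n%s\t%s\n%s\t\n' \
  'organizations/1/locations/global/securityProfileGroups/group-a' \
  'organizations/1/locations/global/securityProfiles/intercept-a' \
  'organizations/1/locations/global/securityProfileGroups/group-b' \
  'organizations/1/locations/global/securityProfiles/intercept-b' \
  'organizations/1/locations/global/securityProfileGroups/group-c')"

if [ "$#" -ge 2 ]; then
  safe_delete_profile "$1" "$2"
else
  # Offline self-check: prints group-a, the only group using intercept-a.
  printf '%s\n' "$SAMPLE_ROWS" \
    | groups_referencing_profile "$(profile_resource_name 1 intercept-a)" || true
fi
```

Run it as `sh safe_delete.sh ORGANIZATION_ID CUSTOM_INTERCEPT_PROFILE_NAME` (names assumed; the file name is yours). Because the delete is guarded by the reference check and by the list command succeeding, a profile that is still attached to a security profile group is never removed out from under a firewall policy rule that depends on that group.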