GCP packet mirroring tutorial

Network Packet Mirroring captures real-time activity without impacting network performance. This tutorial provides step-by-step instructions for implementing packet mirroring in Google Cloud Platform (GCP) to capture live network traffic data for AQtive Guard analysis.

This tutorial is based on the official Google Cloud documentation for Packet mirroring. It provides steps for mirroring traffic within a single Virtual Private Cloud (VPC) and zone using the GCP Console.

Important

This tutorial is provided as a starting point. Refer to the official GCP documentation and enhance as necessary to safely implement network packet mirroring in your specific production environment.

Prerequisites

To enable GCP packet mirroring, you’ll need the following:

  • GCP project where resources are managed. You’ll select this GCP project during the configuration process.
  • Appropriate permissions within the selected project. A role such as roles/editor contains the necessary permissions to perform the required tasks.

Tip

Assume that any settings in the console not explicitly mentioned in these instructions are sane defaults that only require modification to meet the requirements of your specific environment.

Configuration

To enable GCP packet mirroring, you’ll perform the following four main steps:

  1. Create Collector Instance(s) to receive mirrored traffic.
  2. Create an Internal Passthrough Network Load Balancer and configure it to route mirrored traffic from the source to the collector instances.
  3. Configure Firewall Rules to secure the mirrored traffic.
  4. Create a Packet Mirroring Policy to specify which traffic will be mirrored and routed to the collector instance(s).

The following sections provide detailed instructions for each of these steps.

Create Collector Instance(s)

To create a collector instance, you’ll first need to create an instance template and then set up a Managed Instance Group (MIG).

Create an Instance Template

  1. In the Google Cloud console, navigate to Instance templates.
  2. Select Create instance template and enter a template name.
  3. In the Location section, select the location for the connection:
    • Global - allows you to use the instance template across multiple regions.
    • Regional - select the location where you want to create the instance template.
  4. Under Machine Configuration, select a Machine type suitable for the amount of traffic to be mirrored.

    Tip

    For testing purposes, n2-standard-2 is typically sufficient. However, if you experience dropped packets during capture, it’s a signal that the machine type is under-provisioned.

  5. Under Boot disk, select Change.

    • Select an appropriate OS image for your instance.
    • Adjust the disk size to meet your requirements.
  6. Expand the Advanced options and select Networking.
    • In Network tags, add a suitable tag such as packet-collector to target this instance later.
    • Update the network interface or IP address settings if required.
  7. Select Create to create the instance template.
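The tip under step 4 says that dropped packets during capture signal an under-provisioned collector. As an added example that is not part of the tutorial, the following Python snippet reads the Linux NIC counters from /proc/net/dev on a collector instance and flags any interface whose receive-drop ratio exceeds a threshold. The counter text below is constructed; the interface name ens4 and the 0.1% threshold are assumptions.

```python
"""Flag collector NICs that are dropping received (mirrored) packets.

Added example, not from the tutorial. Parses the Linux /proc/net/dev table;
SAMPLE_PROC_NET_DEV is constructed to look like that file on a collector VM.
"""
from dataclasses import dataclass
from pathlib import Path


@dataclass
class NicCounters:
    name: str
    rx_packets: int
    rx_dropped: int

    @property
    def drop_ratio(self) -> float:
        """Fraction of received frames the kernel dropped (0.0 if idle)."""
        total = self.rx_packets + self.rx_dropped
        return self.rx_dropped / total if total else 0.0


def parse_proc_net_dev(text: str) -> dict[str, NicCounters]:
    """Parse /proc/net/dev text into per-interface receive counters."""
    nics: dict[str, NicCounters] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no colon
        name, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:
            continue  # 8 receive + 8 transmit columns expected
        # Receive columns: bytes packets errs drop fifo frame compressed multicast
        nics[name.strip()] = NicCounters(name.strip(), int(fields[1]), int(fields[3]))
    return nics


def under_provisioned(nics: dict[str, NicCounters], threshold: float = 0.001) -> list[str]:
    """Names of non-loopback interfaces whose drop ratio exceeds the threshold (assumed 0.1%)."""
    return [n.name for n in nics.values() if n.name != "lo" and n.drop_ratio > threshold]


# Constructed sample: ens4 has received 4.5M frames and dropped 12,000 of them.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     800    0    0    0     0          0         0   123456     800    0    0    0     0       0          0
  ens4: 987654321 4500000    0 12000    0     0          0         0  1234567   15000    0    0    0     0       0          0
"""


def main() -> None:
    # On a real collector read the live file; fall back to the sample elsewhere.
    path = Path("/proc/net/dev")
    text = path.read_text() if path.exists() else SAMPLE_PROC_NET_DEV
    nics = parse_proc_net_dev(text)
    for nic in nics.values():
        print(f"{nic.name}: rx_packets={nic.rx_packets} rx_dropped={nic.rx_dropped} ratio={nic.drop_ratio:.4%}")
    flagged = under_provisioned(nics)
    print("under-provisioned:", flagged or "none")


if __name__ == "__main__":
    main()
```

Run it periodically on each collector while a capture is in progress; a rising rx_dropped counter on the mirrored interface means a larger machine type, not a capture-tool tweak, is the fix. Capture tools report their own kernel-drop counter as well, so compare both before resizing.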

Create a Managed Instance Group

  1. In the Google Cloud console, navigate to Instance groups, then select Create instance group.
  2. Select New managed instance group (stateless) and enter an instance group name.
  3. In the Instance template dropdown, select the template you created previously.
  4. Under Location:
    • Select Single zone.
    • From the Region and Zone dropdowns, select the location of the network resources where you want to mirror traffic.
  5. The Autoscaling section is enabled by default for stateless groups:

    • Set Minimum number of instances to 1.
    • Set Maximum number of instances to 2 for high availability, or 1 for testing or low-throughput scenarios.

    This configuration will scale the group based on resource usage and instance status.

  6. Select Create to create the MIG.

Create an Internal Passthrough Network Load Balancer

Follow these steps to create a Network Load Balancer (NLB) to route mirrored traffic from the source to the collector instances.

NLB considerations

Review these important considerations before configuring the NLB for Packet Mirroring:

  • Enable Packet Mirroring. Packet Mirroring must be enabled when creating the NLB.

    Caution

    This setting cannot be changed after the NLB is created.

  • Region Alignment. The NLB must be in the same region as the resources whose traffic will be mirrored.
  • Backend Configuration.
    • The NLB backend service must use a session affinity of NONE.
    • Backend subsetting must be disabled.

Create an NLB

  1. In the Google Cloud console, navigate to Load balancing.
  2. Select Create load balancer.
  3. Configure the following, selecting Next after each:
    • Type of load balancer - Network Load Balancer (TCP/UDP/SSL)
    • Proxy or passthrough - Passthrough load balancer
    • Public facing or internal - Internal
  4. Under Create load balancer, select Configure to proceed with the setup.

Complete NLB configuration

  1. Enter a Load Balancer name.
  2. Select the Region that matches the region of the resources where you want to mirror traffic.
  3. Select the Network for the resources where you want to mirror traffic.
  4. Select Backend configuration.
  5. Under Backend service configure the following:
    • Backend type - Instance group
    • Protocol - TCP
  6. In the New backend section, select the Instance group you created previously to forward packets to.
  7. From the Health check list, select Create a health check, then configure and save the following:
    • Name - enter a name for the health check
    • Protocol - TCP
    • Port - 22
  8. Select Frontend configuration.
  9. Under New Frontend IP and port, configure the following:

    • Name - enter a name for the frontend.
    • Subnetwork - select a subnetwork in the same region as the instances to mirror.
    • Ports - All
    • Advanced configurations - expand and select the checkbox for Enable this load balancer for Packet Mirroring

    When complete, select Done.

  10. Select Create.

Configure Firewall Rules

Follow these steps to configure firewall rules to secure the VPC for Packet Mirroring traffic.

Firewall rule considerations

Review these important considerations before creating firewall rules:

  • Egress Rules - Make sure that no firewall rules override the implied egress rule. This allows mirrored traffic to flow from the source resources to the destination instances behind the NLB.
  • Allow Traffic to Collector Instances - Ensure the packet collector instances in the MIG behind the NLB can receive traffic from the IP ranges of the mirrored resources.

    • To allow collector instances to receive IPv4 traffic from any resource, create a firewall rule with a source IPv4 address range of 0.0.0.0/0.
    • To allow collector instances to receive IPv6 traffic from any resource, create a firewall rule with a source IPv6 address range of ::/0.

    Important

    To prevent internet traffic from reaching the collector instances, make sure they have only internal IPv4 and IPv6 addresses.

  • Cloud NAT Traffic - For internet traffic passing through Cloud NAT to be mirrored properly to the collector instance(s), make sure a rule exists that:
    • allows all traffic
    • selects collector instances by network tag

Firewall rules for packet mirroring

You’ll need to create the following firewall rules to enable packet mirroring:

  • Allow Traffic to the Packet Collector
  • Allow Health Checks to the Packet Collector
  • Allow Traffic to the Packet Collector via Network Tag

The following sections provide detailed configuration instructions for each rule.

Create a Rule to Allow Traffic to the Packet Collector

  1. In the Google Cloud console, navigate to Firewall policies and select Create firewall rule.
  2. Enter a Name for the rule.
  3. From the Network dropdown, select the network you’re mirroring traffic to and configure the following:
    • Direction of traffic - Ingress
    • Action on match - Allow
    • Targets - All instances in the network
    • Source filter - IPv4 ranges
    • Source IPv4 ranges - Enter 0.0.0.0/0 to allow all traffic on the network to be mirrored
    • Destination filter - Select IPv4 ranges and enter the IP address ranges for the:
      • Internal passthrough NLB
      • Packet collector instances in Destination IPv4 ranges
    • Protocols and ports - Allow all
  4. Select Create to create the rule.

Create a Rule to Allow Health Checks to the Packet Collector

  1. In the Google Cloud console, navigate to Firewall policies and select Create firewall rule.
  2. Enter a Name for the rule.
  3. From the Network dropdown, select the network you’re mirroring traffic to and configure the following:
    • Direction of traffic - Ingress
    • Action on match - Allow
    • Targets - All instances in the network
    • Source filter - IPv4 ranges
    • Source IPv4 ranges - 130.211.0.0/22 and 35.191.0.0/16 for the Google Cloud health check address ranges
    • Destination filter - Select IPv4 ranges and enter the IP address ranges for the:
      • Internal passthrough NLB
      • Packet collector instances in Destination IPv4 ranges
    • Protocols and ports - Allow all
  4. Select Create to create the rule.

Create a Rule to Allow Traffic to the Packet Collector via Network Tag

  1. In the Google Cloud console, navigate to Firewall policies and select Create firewall rule.
  2. Enter a Name for the rule, then configure the following:
    • Direction of traffic - Ingress
    • Action on match - Allow
    • Targets - Specified target tags
    • Target tags - enter the network tag specified during instance template creation
    • Source filter - select a filter that matches your network ranges. In most cases this will be IPv4 ranges
      • Enter an appropriate filter. If IPv4 ranges was selected, enter 0.0.0.0/0 to allow all IPv4 traffic
    • Destination filter - IPv4 ranges
    • Destination IPv4 ranges - 0.0.0.0/0
    • Protocols and ports - Allow all
  3. Select Create to create the rule.

Create a Packet Mirroring Policy

  1. In the Google Cloud console, navigate to Packet Mirroring and select Create policy.
  2. Configure the following settings, then select Continue:

    • Name: Enter a name for the packet mirroring policy.
    • Region: Select the region that includes the mirrored sources and collector destination.

      Note

      The policy must be in the same region as the source and destination.

    • Enabled: Select this to activate the policy upon creation.
    • VPC Networks: Select the VPC networks where the mirrored source and collector destination are located, then select Continue.
    • Mirrored sources and destination:
      • Select Mirrored sources and destination are in the same VPC network
      • Select the network.
  3. Select Mirrored sources:

    • You can select one or more sources. Google Cloud mirrors any instance that matches at least one of your selected sources.
    • Subnets: Select one or more subnets. Google Cloud mirrors existing and future instances in the selected subnets.
    • Select Continue.
  4. Select the internal passthrough Network Load Balancer (NLB) configured for Packet Mirroring, then select Continue.
  5. Configure the traffic to mirror:
    • Mirror all IPv4 traffic - select this option to mirror all IPv4 traffic.
    • Mirror filtered traffic - select this option to mirror both IPv4 and IPv6 traffic, and configure the following:
      • Allow all protocols
      • Allow all IPv4 ranges (0.0.0.0/0)
      • Allow all IPv6 ranges (::/0)
      • Allow both ingress and egress traffic
  6. Configure the Traffic direction of the traffic that you want to mirror.
  7. Select Submit to create the packet mirroring policy.
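Once the four steps are complete, it is worth confirming that the resulting resources satisfy the constraints this tutorial states: the NLB considerations (mirroring enabled, session affinity NONE, no backend subsetting), the region alignment note, internal-only collector instances, and the firewall rules for the collector tag and the health-check ranges. The following Python check is an added example and is not part of the tutorial or any Google tooling. It reads one dict you would assemble from `gcloud compute ... describe --format=json` output; the JSON field names it relies on (isMirroringCollector, sessionAffinity, subsetting.policy, collectorIlb, mirroredResources, accessConfigs, targetTags, sourceRanges, allowed) reflect my understanding of the Compute Engine REST resources and should be confirmed against real describe output, and the SAMPLE deployment is constructed.

```python
"""Check a finished packet-mirroring deployment against the tutorial's constraints.

Added example, not part of the tutorial or a Google tool. Input is one dict
combining `gcloud compute ... describe --format=json` output for the forwarding
rule, backend service, packet mirroring policy, collector instances and firewall
rules. Field names follow the Compute Engine REST resources as I understand them
(assumption: confirm against real output). SAMPLE is a constructed deployment.
"""
from __future__ import annotations

import copy
from typing import Any

# Google Cloud health-check source ranges named in the tutorial.
HEALTH_CHECK_RANGES = {"130.211.0.0/22", "35.191.0.0/16"}


def region_of(ref: str) -> str:
    """Extract the region from a bare name or a .../regions/<region>/... URL."""
    parts = ref.split("/")
    return parts[parts.index("regions") + 1] if "regions" in parts else ref


def allows_all_ingress(rule: dict[str, Any]) -> bool:
    """True for an INGRESS rule whose allowed list contains protocol 'all'."""
    return rule.get("direction") == "INGRESS" and any(
        a.get("IPProtocol") == "all" for a in rule.get("allowed", [])
    )


def check_deployment(dep: dict[str, Any]) -> list[str]:
    """Return human-readable problems; an empty list means every check passed."""
    problems: list[str] = []
    fr, bs = dep["forwarding_rule"], dep["backend_service"]
    policy, tag = dep["packet_mirroring"], dep["collector_tag"]

    # NLB considerations: mirroring flag, session affinity NONE, no subsetting.
    if not fr.get("isMirroringCollector", False):
        problems.append("forwarding rule not enabled for Packet Mirroring (recreate the NLB; this cannot be toggled later)")
    if bs.get("sessionAffinity", "NONE") != "NONE":
        problems.append(f"backend service session affinity must be NONE, got {bs['sessionAffinity']}")
    if bs.get("subsetting", {}).get("policy", "NONE") != "NONE":
        problems.append("backend subsetting must be disabled")

    # Region alignment: NLB, policy and every mirrored subnet in one region.
    regions = {region_of(fr["region"]), region_of(bs["region"]), region_of(policy["region"])}
    regions |= {region_of(s["url"]) for s in policy["mirroredResources"].get("subnetworks", [])}
    if len(regions) != 1:
        problems.append(f"NLB, policy and mirrored subnets span several regions: {sorted(regions)}")

    # The policy must deliver to this mirroring-enabled forwarding rule.
    if not policy["collectorIlb"]["url"].endswith("/" + fr["name"]):
        problems.append("policy collectorIlb does not reference the mirroring forwarding rule")

    # Collectors must carry the network tag and have internal addresses only.
    for inst in dep["collector_instances"]:
        for nic in inst.get("networkInterfaces", []):
            if nic.get("accessConfigs") or nic.get("ipv6AccessConfigs"):
                problems.append(f"collector {inst['name']} has an external address")
        if tag not in inst.get("tags", {}).get("items", []):
            problems.append(f"collector {inst['name']} lacks network tag {tag}")

    # Firewall: allow-all ingress to the collector tag, and from the health-check ranges.
    rules = dep["firewall_rules"]
    if not any(allows_all_ingress(r) and tag in r.get("targetTags", []) for r in rules):
        problems.append(f"no allow-all ingress rule targeting tag {tag}")
    if not any(allows_all_ingress(r) and HEALTH_CHECK_RANGES <= set(r.get("sourceRanges", [])) for r in rules):
        problems.append("no ingress rule admitting the Google Cloud health-check ranges")
    return problems


# Constructed sample deployment (project, region and names are placeholders).
REGION_URL = "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1"
SAMPLE: dict[str, Any] = {
    "collector_tag": "packet-collector",
    "forwarding_rule": {"name": "mirror-fr", "region": REGION_URL, "isMirroringCollector": True},
    "backend_service": {"region": REGION_URL, "sessionAffinity": "NONE", "subsetting": {"policy": "NONE"}},
    "packet_mirroring": {
        "region": REGION_URL,
        "collectorIlb": {"url": REGION_URL + "/forwardingRules/mirror-fr"},
        "mirroredResources": {"subnetworks": [{"url": REGION_URL + "/subnetworks/app-subnet"}]},
    },
    "collector_instances": [
        {"name": "collector-1", "tags": {"items": ["packet-collector"]},
         "networkInterfaces": [{"networkIP": "10.10.0.5"}]},
    ],
    "firewall_rules": [
        {"direction": "INGRESS", "allowed": [{"IPProtocol": "all"}],
         "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"]},
        {"direction": "INGRESS", "allowed": [{"IPProtocol": "all"}],
         "sourceRanges": ["0.0.0.0/0"], "targetTags": ["packet-collector"]},
    ],
}


def misconfigured_sample() -> dict[str, Any]:
    """A copy of SAMPLE with two mistakes the tutorial warns against."""
    bad = copy.deepcopy(SAMPLE)
    bad["backend_service"]["sessionAffinity"] = "CLIENT_IP"
    bad["collector_instances"][0]["networkInterfaces"][0]["accessConfigs"] = [{"natIP": "203.0.113.7"}]
    return bad


if __name__ == "__main__":
    for label, dep in (("sample", SAMPLE), ("misconfigured", misconfigured_sample())):
        print(label, "->", check_deployment(dep) or "OK")
```

Because the mirroring flag on the forwarding rule cannot be changed after creation, that check is the one to run first: a deployment that fails it has to be rebuilt from the NLB step rather than patched. The remaining findings can be corrected in place.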