
googleComputePacketMirroring

Packet Mirroring mirrors traffic to and from particular VM instances. You can use the collected traffic to help you detect security threats and monitor application performance.

To get more information about PacketMirroring, see:

Example Usage - Compute Packet Mirroring Full

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
/*Adjusted to the shape of the generated bindings: property names are camelCase (checkIntervalSec, not
check_interval_sec), blocks that occur at most once (tcpHealthCheck, bootDisk, collectorIlb, network, filter,
mirroredResources) are plain objects rather than single-element arrays, numeric fields such as port are numbers,
and dependsOn takes the resource object itself instead of an interpolated fqn string.*/
const googleComputeHealthCheckDefault =
  new google.computeHealthCheck.ComputeHealthCheck(this, "default", {
    checkIntervalSec: 1,
    name: "my-healthcheck",
    tcpHealthCheck: {
      port: 80,
    },
    timeoutSec: 1,
  });
const googleComputeNetworkDefault = new google.computeNetwork.ComputeNetwork(
  this,
  "default_1",
  {
    name: "my-network",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googleComputeNetworkDefault.overrideLogicalId("default");
const googleComputeRegionBackendServiceDefault =
  new google.computeRegionBackendService.ComputeRegionBackendService(
    this,
    "default_2",
    {
      healthChecks: [googleComputeHealthCheckDefault.id],
      name: "my-service",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googleComputeRegionBackendServiceDefault.overrideLogicalId("default");
const googleComputeSubnetworkDefault =
  new google.computeSubnetwork.ComputeSubnetwork(this, "default_3", {
    ipCidrRange: "10.2.0.0/16",
    name: "my-subnetwork",
    network: googleComputeNetworkDefault.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googleComputeSubnetworkDefault.overrideLogicalId("default");
/*The internal forwarding rule that receives the mirrored packets. It must be flagged as a mirroring
collector, otherwise the packet mirroring resource below is rejected.*/
const googleComputeForwardingRuleDefault =
  new google.computeForwardingRule.ComputeForwardingRule(this, "default_4", {
    allPorts: true,
    backendService: googleComputeRegionBackendServiceDefault.id,
    dependsOn: [googleComputeSubnetworkDefault],
    ipProtocol: "TCP",
    isMirroringCollector: true,
    loadBalancingScheme: "INTERNAL",
    name: "my-ilb",
    network: googleComputeNetworkDefault.id,
    networkTier: "PREMIUM",
    subnetwork: googleComputeSubnetworkDefault.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
googleComputeForwardingRuleDefault.overrideLogicalId("default");
/*The VM whose traffic is mirrored.*/
const googleComputeInstanceMirror = new google.computeInstance.ComputeInstance(
  this,
  "mirror",
  {
    bootDisk: {
      initializeParams: {
        image: "debian-cloud/debian-11",
      },
    },
    machineType: "e2-medium",
    name: "my-instance",
    networkInterface: [
      {
        accessConfig: [{}],
        network: googleComputeNetworkDefault.id,
      },
    ],
  }
);
/*The mirroring policy: every TCP packet in either direction, from or to any IPv4 address, for the listed
instance and for all instances tagged "foo", is copied to the collector ILB.*/
new google.computePacketMirroring.ComputePacketMirroring(this, "foobar", {
  collectorIlb: {
    url: googleComputeForwardingRuleDefault.id,
  },
  description: "bar",
  filter: {
    cidrRanges: ["0.0.0.0/0"],
    direction: "BOTH",
    ipProtocols: ["tcp"],
  },
  mirroredResources: {
    instances: [
      {
        url: googleComputeInstanceMirror.id,
      },
    ],
    tags: ["foo"],
  },
  name: "my-mirroring",
  network: {
    url: googleComputeNetworkDefault.id,
  },
});

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the packet mirroring rule.

  • network - (Required) Specifies the mirrored VPC network. Only packets in this network will be mirrored. All mirrored VMs should have a NIC in the given network. All mirrored subnetworks should belong to the given network. Structure is documented below.

  • collectorIlb - (Required) The Forwarding Rule resource (of type load_balancing_scheme=INTERNAL) that will be used as collector for mirrored traffic. The specified forwarding rule must have is_mirroring_collector set to true. Structure is documented below.

  • mirroredResources - (Required) A means of specifying which resources to mirror. Structure is documented below.

The network block supports:

  • url - (Required) The full self_link URL of the network where this rule is active.

The collectorIlb block supports:

  • url - (Required) The URL of the forwarding rule.

The mirroredResources block supports:

  • subnetworks - (Optional) All instances in one of these subnetworks will be mirrored. Structure is documented below.

  • instances - (Optional) All the listed instances will be mirrored. Specify at most 50. Structure is documented below.

  • tags - (Optional) All instances with these tags will be mirrored.

The subnetworks block supports:

  • url - (Required) The URL of the subnetwork where this rule should be active.

The instances block supports:

  • url - (Required) The URL of the instance where this rule should be active.

The following optional arguments are also supported:

  • description - (Optional) A human-readable description of the rule.

  • region - (Optional) The region in which the created packet mirroring rule should reside. If it is not provided, the provider region is used.

  • priority - (Optional) Since only one rule can be active at a time, priority is used to break ties in the case of two rules that apply to the same instances.

  • filter - (Optional) A filter for mirrored traffic. If unset, all traffic is mirrored. Structure is documented below.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The filter block supports:

  • ipProtocols - (Optional) IP protocols to mirror. Supported values include tcp, udp, icmp and esp.

  • cidrRanges - (Optional) IP CIDR ranges that apply as a filter on the source (ingress) or destination (egress) IP in the IP header. Only IPv4 is supported.

  • direction - (Optional) Direction of traffic to mirror. Default value is BOTH. Possible values are INGRESS, EGRESS, and BOTH.
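
As an added example, not part of the provider documentation or of the cdktf-generated bindings: a stand-alone TypeScript check that a packet mirroring configuration satisfies the constraints documented above (IPv4-only cidrRanges, the documented ipProtocols values, the INGRESS/EGRESS/BOTH direction values, the 50-instance limit, and at least one selector in mirroredResources) before it is handed to ComputePacketMirroring. The interfaces mirror the documented argument names but are local types, not the generated ./.gen/providers/google types, and the project and resource URLs in the sample are constructed placeholders.

```typescript
// Added example, not from the provider docs or the cdktf project: a pre-synth check
// for a ComputePacketMirroring config. The interfaces mirror the documented argument
// names but are local types, not the generated ./.gen/providers/google bindings.

export interface PacketMirroringFilter {
  ipProtocols?: string[];
  cidrRanges?: string[];
  direction?: string;
}

export interface MirroredResources {
  subnetworks?: { url: string }[];
  instances?: { url: string }[];
  tags?: string[];
}

export interface PacketMirroringConfig {
  name: string;
  network: { url: string };
  collectorIlb: { url: string };
  mirroredResources: MirroredResources;
  filter?: PacketMirroringFilter;
}

// Values documented for the filter block and the mirroredResources block.
const ALLOWED_PROTOCOLS = new Set(["tcp", "udp", "icmp", "esp"]);
const ALLOWED_DIRECTIONS = new Set(["INGRESS", "EGRESS", "BOTH"]);
const MAX_INSTANCES = 50;

/** True for a syntactically valid IPv4 CIDR such as 10.2.0.0/16; the filter does not support IPv6. */
export function isIpv4Cidr(cidr: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (m === null) return false;
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  return octets.every((o) => o <= 255) && prefix <= 32;
}

/** Returns the problems found; an empty list means the config satisfies the documented constraints. */
export function validatePacketMirroring(cfg: PacketMirroringConfig): string[] {
  const problems: string[] = [];
  const res = cfg.mirroredResources;
  const count = (xs?: unknown[]) => xs?.length ?? 0;

  // Without a subnetwork, instance or tag selector the policy mirrors nothing.
  if (count(res.subnetworks) + count(res.instances) + count(res.tags) === 0) {
    problems.push("mirroredResources selects nothing: set subnetworks, instances or tags");
  }
  if (count(res.instances) > MAX_INSTANCES) {
    problems.push(`instances: ${count(res.instances)} listed, maximum is ${MAX_INSTANCES}`);
  }

  const f = cfg.filter;
  if (f !== undefined) {
    for (const p of f.ipProtocols ?? []) {
      if (!ALLOWED_PROTOCOLS.has(p)) problems.push(`ipProtocols: "${p}" is not one of tcp, udp, icmp, esp`);
    }
    for (const c of f.cidrRanges ?? []) {
      if (!isIpv4Cidr(c)) problems.push(`cidrRanges: "${c}" is not an IPv4 CIDR`);
    }
    if (f.direction !== undefined && !ALLOWED_DIRECTIONS.has(f.direction)) {
      problems.push(`direction: "${f.direction}" is not one of INGRESS, EGRESS, BOTH`);
    }
  }
  return problems;
}

// Constructed sample (placeholder project and resource URLs): mirror only ingress TCP
// from one internal range for the instances tagged "foo".
export const sampleConfig: PacketMirroringConfig = {
  name: "my-mirroring",
  network: { url: "projects/example-project/global/networks/my-network" },
  collectorIlb: { url: "projects/example-project/regions/us-central1/forwardingRules/my-ilb" },
  mirroredResources: { tags: ["foo"] },
  filter: { ipProtocols: ["tcp"], cidrRanges: ["10.2.0.0/16"], direction: "INGRESS" },
};

// Constructed counter-example: no selector, an unsupported protocol, an IPv6 range and a
// lowercase direction; each of the four is reported.
export const badConfig: PacketMirroringConfig = {
  ...sampleConfig,
  mirroredResources: {},
  filter: { ipProtocols: ["gre"], cidrRanges: ["2001:db8::/32"], direction: "both" },
};

for (const problem of validatePacketMirroring(badConfig)) {
  console.log(`badConfig: ${problem}`);
}
```

In a CDKTF stack the config object would go through validatePacketMirroring, with a throw on any problem, before the call to new ComputePacketMirroring, so a malformed filter fails at synth time rather than at apply time. The 0.0.0.0/0, BOTH, tcp filter from the usage example above passes this check as well; how far cidrRanges and direction are narrowed is a decision about how much traffic reaches the collector, and everyone who can read from it, not a validity constraint.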

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

PacketMirroring can be imported using any of these accepted formats:

$ terraform import google_compute_packet_mirroring.default projects/{{project}}/regions/{{region}}/packetMirrorings/{{name}}
$ terraform import google_compute_packet_mirroring.default {{project}}/{{region}}/{{name}}
$ terraform import google_compute_packet_mirroring.default {{region}}/{{name}}
$ terraform import google_compute_packet_mirroring.default {{name}}

User Project Overrides

This resource supports User Project Overrides.