Security profiles help you define the behavior of the Network Security Integration
service on your network traffic. They are generic policy structures that
are used to identify the endpoint group associated with the
Virtual Private Cloud (VPC) network. A security profile in a mirroring rule
uses the mirroring endpoint groups as the target of the selected traffic.
This document provides a detailed overview of security profiles and their
capabilities.
Specifications
A security profile is an organization-level resource.
Network Security Integration supports security profiles of type CUSTOM_MIRRORING.
Each security profile is uniquely identified by a URL with
the following elements:
Organization ID: ID of the organization.
Location: scope of the security profile. Location is always
set to global.
Name: security profile name in the following format:
A string 1-63 characters long
Includes only lowercase alphanumeric characters or hyphens (-)
Must start with a letter
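To construct a unique URL identifier for a security profile,
use the following format:
organization/ORGANIZATION_ID/locations/LOCATION/securityProfiles/SECURITY_PROFILE_NAME
Replace the following:
ORGANIZATION_ID: ID of the organization.
LOCATION: scope of the security profile. Location is always set to global.
SECURITY_PROFILE_NAME: the name of the security profile.
For example, a global security profile example-security-profile
in organization 2345678432 has the following unique identifier:
organization/2345678432/locations/global/securityProfiles/example-security-profile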
After you create a security profile, you have the option to attach it to a
security profile group.
This security profile group is referenced by the
network firewall policy of the VPC network where you want
to process your network traffic within Network Security Integration.
Traffic that matches the network firewall policy rule is sent to the
endpoint group
referenced by the security profile.
Each security profile must have an associated project ID. The associated
project is used for quotas and access restrictions on security profile
resources. If you authenticate your service account by using the
gcloud auth activate-service-account command,
you can associate your service account with the security profile.
To learn more about how to create a security profile,
see Create and manage custom security profiles.
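The identifier elements and naming rules listed under Specifications can be checked before a profile name reaches a deployment pipeline. The following validator is an added example, not code from the product documentation; the function names are hypothetical, and it assumes organization IDs are purely numeric, as in the example identifier.

```python
import re

# Literal path segments, taken from the format string on this page.
LITERALS = ("organization", "locations", "securityProfiles")


def check_name(name):
    """Apply the three naming rules from the Specifications list."""
    errors = []
    if not 1 <= len(name) <= 63:
        errors.append("name must be 1-63 characters long")
    if not re.match(r"[a-z]", name):
        errors.append("name must start with a lowercase letter")
    # fullmatch, unlike match with '$', also rejects a trailing newline.
    if not re.fullmatch(r"[a-z0-9-]*", name):
        errors.append("name may contain only lowercase alphanumerics or hyphens")
    return errors


def parse_security_profile_id(identifier):
    """Split an identifier into its elements; return (parts, errors)."""
    segments = identifier.split("/")
    if len(segments) != 6:
        return None, ["expected 6 '/'-separated segments, got %d" % len(segments)]
    errors = []
    for got, want in zip(segments[0::2], LITERALS):
        if got != want:
            errors.append("expected literal %r, got %r" % (want, got))
    org_id, location, name = segments[1::2]
    # Assumption: organization IDs are decimal digits, as in the page's example.
    if not re.fullmatch(r"[0-9]+", org_id):
        errors.append("organization ID must be numeric")
    if location != "global":
        errors.append("location must be 'global'")
    errors.extend(check_name(name))
    if errors:
        return None, errors
    return {"organization_id": org_id, "location": location, "name": name}, []


if __name__ == "__main__":
    # Constructed samples; only the first is the page's own example identifier.
    base = "organization/2345678432/locations/"
    for sample in (base + "global/securityProfiles/example-security-profile",
                   base + "us-central1/securityProfiles/example-security-profile",
                   base + "global/securityProfiles/Example_Profile"):
        print(sample, "->", parse_security_profile_id(sample))
```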
Identity and Access Management roles
Identity and Access Management (IAM) roles govern the following security profile actions:
Creating a custom security profile in an organization
Modifying or deleting a custom security profile
Viewing details of a custom security profile
Viewing a list of custom security profiles in an organization
Using a custom security profile in a security profile group
The following table describes the roles that are necessary for each step.
Ability | Necessary role
Create a custom security profile | Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization where the custom security profile is created.
Modify a custom security profile | Security Profile Admin role (networksecurity.securityProfileAdmin) on the organization where the custom security profile is created.
View details about the custom security profile in an organization |
If you don't have the
Security Profile Admin role (roles/networksecurity.securityProfileAdmin),
you can create and manage custom security profiles with the
following permissions:
networksecurity.securityProfiles.create
networksecurity.securityProfiles.delete
networksecurity.securityProfiles.get
networksecurity.securityProfiles.list
networksecurity.securityProfiles.update
networksecurity.securityProfiles.use
For more information about the IAM permissions and the
predefined roles, see
IAM permissions reference.
Quotas
To view quotas associated with custom security profiles, see
Quotas and limits.
Last updated 2025-08-29 UTC.