How to setup Astra Traffic Monitoring with GCP Mirroring

Last updated: June 11, 2026

Introduction

GCP supports packet mirroring for instances running in a VPC. This guide walks you through configuring GCP packet mirroring to capture API traffic and forward it to Astra for observability.

Architecture

GCP packet mirroring copies traffic from source instances and sends it to a collector via an internal load balancer. The mirrored traffic is then processed by Astra Packet Processor to create API traces.

Requirements

  • Source instance, target backend, and load balancer must all belong to the same VPC.

  • All mirrored sources must be in the same GCP project, VPC network, and region.

  • Health checks must be enabled on the target backend.

  • Firewall rules must allow mirrored traffic to reach the collector.

What's Not Supported

  • You cannot mirror and collect traffic on the same network interface of a VM instance, as this causes a mirroring loop.

  • For other limitations, refer to the official GCP Packet Mirroring documentation.

Assumptions

  • Source instances already exist in your infrastructure and are generating traffic.

  • All instances (source and target) are in the same VPC and region.

Setup Steps

Step 1 is only needed if you do not already have target instances; Steps 2 to 7 are required in every case.

Step 1: Create Target Compute Instances

Skip this step if target instances already exist.

  1. Navigate to VM instances and click Create Instance.

  2. Create a target VM with the following configuration:

    • Name: target-instance

    • Machine Type: e2-standard or equivalent

    • Image: Debian 11 or another suitable image

  3. Under Networking, select the VPC network and subnet that match the source instance.

  4. Repeat the above to create target-instance-2.

Step 2: Create a Health Check

Health checks confirm that target instances are available and functioning.

  1. Navigate to Health Checks and click Create Health Check.

  2. Configure with the following:

    • Name: my-healthcheck

    • Protocol: TCP

    • Port: 80

  3. Save the health check.

Step 3: Create an Instance Group

  1. Navigate to Instance Groups and click Create Instance Group.

  2. Configure with the following:

    • Name: target-instance-group

    • Add target-instance and target-instance-2 to the group.

Step 4: Create a Backend Service

The backend service routes traffic to the VM instances in your instance group.

  1. Go to Google Cloud Console, then Network Services, then Load Balancing, then Backend Services.

  2. Create a new backend service with:

    • Name: my-service

    • Load Balancing Scheme: Internal

    • Protocol: TCP

  3. Add the health check my-healthcheck created in Step 2.

  4. Under Backends, click Add Backend, choose Instance Group, and select target-instance-group.

  5. Leave other settings as default and save.

Step 5: Create a Forwarding Rule

A forwarding rule directs traffic to your backend service.

  1. From the Load Balancing page, click the Frontend Configuration tab.

  2. Create a forwarding rule with:

    • Name: my-ilb

    • Load Balancing Scheme: Internal

    • Network: my-network

    • Subnetwork: my-subnetwork

    • Protocol: TCP

  3. Check Enable Mirroring Collector.

  4. Select the backend service my-service created in Step 4.

  5. Save the forwarding rule.

Step 6: Create Firewall Rules

Avoid using 0.0.0.0/0 as a source range unless absolutely necessary (e.g., for public-facing applications); always specify your trusted source IP or network range. The rules must also allow the mirrored traffic to reach the target backend.

  1. Create the following rules:

    • Rule for SSH (allow-ssh)

      • Name: allow-ssh

      • Network: my-network

      • Under Allow, set:

        • Protocol: TCP

        • Ports: 22

      • Source IP Ranges: Your trusted source (or 0.0.0.0/0 to allow all IPs).

    • Rule for HTTP (allow-http)

      • Name: allow-http

      • Network: my-network

      • Under Allow, set:

        • Protocol: TCP

        • Ports: 80

      • Source IP Ranges: Your trusted source (or 0.0.0.0/0 to allow all IPs).

    • Rule for Return Traffic (allow-return-traffic)

      • Name: allow-return-traffic

      • Network: my-network

      • Under Allow, set:

        • Protocol: TCP

        • Ports: 1024-65535

      • Source IP Ranges: Your trusted source (or 0.0.0.0/0 to allow all IPs).

Step 7: Create Packet Mirroring

Packet mirroring is used to copy traffic from the source instance and send it to the collector (the internal load balancer). This ensures traffic is distributed to both target instances for further analysis.

  1. Navigate to Packet Mirroring:

    • Go to Network Security, then Packet Mirroring, then Create Policy.

  2. Configure the policy:

    • Name: my-mirroring

    • Description: Add an optional description.

  3. Collector:

    • Select the forwarding rule (my-ilb) created earlier.

  4. Mirrored Resources:

    • Subnetworks: Add my-subnetwork.

    • Instances: Add source-instance.

  5. Set Filters:

    • IP Protocol: TCP

    • CIDR Range: 0.0.0.0/0 (mirror all traffic).

    • Direction: BOTH (ingress and egress).

      Why BOTH?

      Captures the full context of a network interaction (requests and responses).

  6. Save the packet mirroring policy.
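The same Steps 2 to 7 as gcloud commands, as an added example that is not part of this guide or of Astra's own tooling: the script prints each command by default and only executes them with DRY_RUN=0, and it refuses a 0.0.0.0/0 firewall source range unless explicitly overridden. REGION, ZONE, the trusted source range, and the assumption that source-instance lives in ZONE are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example: emits (or, with DRY_RUN=0, runs) the gcloud commands for
# Steps 2-7. Not the guide's own script. REGION, ZONE and TRUSTED_SRC are
# assumed values; replace them with your own.
set -eu
REGION="${REGION:-us-central1}"            # assumed region
ZONE="${ZONE:-us-central1-a}"              # assumed zone of target and source VMs
TRUSTED_SRC="${TRUSTED_SRC:-10.0.0.0/8}"   # placeholder trusted source range
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print only, 0 = execute

# Guard: a wide-open source range is refused unless ALLOW_ANY=1 is set.
check_src_range() { [ "$1" != "0.0.0.0/0" ] || [ "${ALLOW_ANY:-0}" = "1" ]; }

# Step 2: TCP health check on port 80 (targets must answer on it).
healthcheck_cmd() { printf 'gcloud compute health-checks create tcp my-healthcheck --port=80\n'; }
# Step 3: unmanaged instance group holding both target VMs.
instance_group_cmds() {
  printf 'gcloud compute instance-groups unmanaged create target-instance-group --zone=%s\n' "$ZONE"
  printf 'gcloud compute instance-groups unmanaged add-instances target-instance-group --zone=%s --instances=target-instance,target-instance-2\n' "$ZONE"
}
# Step 4: internal TCP backend service that uses the health check.
backend_cmds() {
  printf 'gcloud compute backend-services create my-service --region=%s --load-balancing-scheme=internal --protocol=tcp --health-checks=my-healthcheck\n' "$REGION"
  printf 'gcloud compute backend-services add-backend my-service --region=%s --instance-group=target-instance-group --instance-group-zone=%s\n' "$REGION" "$ZONE"
}
# Step 5: forwarding rule flagged as the mirroring collector (all TCP ports).
ilb_cmd() {
  printf 'gcloud compute forwarding-rules create my-ilb --region=%s --load-balancing-scheme=internal --network=my-network --subnet=my-subnetwork --ip-protocol=TCP --ports=all --backend-service=my-service --is-mirroring-collector\n' "$REGION"
}
# Step 6: one firewall rule; $1 = rule name, $2 = TCP port or port range.
firewall_cmd() {
  printf 'gcloud compute firewall-rules create %s --network=my-network --allow=tcp:%s --source-ranges=%s\n' "$1" "$2" "$TRUSTED_SRC"
}
# Step 7: mirror TCP in both directions from the subnet and the source VM (partial URL form).
mirroring_cmd() {
  printf 'gcloud compute packet-mirrorings create my-mirroring --region=%s --network=my-network --collector-ilb=my-ilb --mirrored-subnets=my-subnetwork --mirrored-instances=zones/%s/instances/source-instance --filter-protocols=tcp --filter-cidr-ranges=0.0.0.0/0 --filter-direction=both\n' "$REGION" "$ZONE"
}

run_all() {
  check_src_range "$TRUSTED_SRC" || { echo "refusing 0.0.0.0/0 source range; set ALLOW_ANY=1 to override" >&2; return 1; }
  { healthcheck_cmd; instance_group_cmds; backend_cmds; ilb_cmd
    firewall_cmd allow-ssh 22; firewall_cmd allow-http 80
    firewall_cmd allow-return-traffic 1024-65535; mirroring_cmd; } |
  while IFS= read -r cmd; do
    if [ "$DRY_RUN" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
  done
}
run_all
```

Review the printed commands first, then rerun with DRY_RUN=0 once REGION, ZONE and TRUSTED_SRC match your environment.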

Troubleshooting

Mirrored traffic is not appearing in Astra. Astra Packet Processor must be installed and running to process mirrored traffic and generate API traces. If you have not set it up yet, see: How to Set Up Astra Packet Processor for Cloud Mirroring.

I want to know the cost of GCP Packet Mirroring. Refer to the GCP pricing page at https://cloud.google.com/vpc/pricing and search for "packet mirror".