How to set up Astra Traffic Monitoring with GCP Mirroring

Last updated: August 14, 2025

Overview

GCP supports packet mirroring for the instances running in a VPC. Read this article to understand how GCP packet mirroring can be used for API observability.

Architecture


What's not supported


Assumptions

  • The source instances already exist in your infra and generate traffic.

  • All instances (source and target) are in the same VPC and region.


Requirements

  • The source instance, target backend, and load balancer must belong to the same VPC.

  • All mirrored sources must be in the same project, VPC network, and Google Cloud region.

  • Health checks must be enabled on the target backend.

  • Firewall rules must allow mirrored traffic to the collector.


Quick Installation: Mirroring Configuration

Step 1: Create Target Compute Instances

If you already have target instances, skip this step and proceed to the next one.

  1. Navigate to VM instances > Create Instance.

  2. Create a target VM instance:

    • Name: target-instance

    • Machine Type: Select a machine type, such as e2-standard.

    • Image: Debian 11 (or another suitable image).

  3. Under the Networking section:

    • Select the VPC network that the source instance is part of.

    • If necessary, choose the subnet that matches the source instance's subnet.

  4. Repeat these steps for target-instance-2.

Step 2: Create a Health Check

The health check periodically probes the instances to confirm they are available and functioning as expected.

  1. Navigate to Health Checks > Create Health Check.

  2. Set the following:

    • Name: my-healthcheck

    • Protocol: TCP

    • Port: 80

  3. Save the health check.

Step 3: Create an Instance Group

  1. Navigate to Instance Groups > Create Instance Group.

  2. Configure the instance group:

    • Name: target-instance-group

    • Add the target-instance and target-instance-2 instances to the group.

Step 4: Create a Backend Service

The backend service ensures that traffic is routed appropriately to the VM instances in your instance group. This is critical to ensure that only healthy instances serve incoming requests.

  1. Navigate to Load Balancing:

    • Go to Google Cloud Console.

    • Click on Network Services > Load Balancing > Backend Services.

  2. Create a new backend service:

    • Name: my-service

    • Load Balancing Scheme: Internal

    • Protocol: TCP

  3. Add a health check:

    • Select the existing health check (my-healthcheck) created in Step 2.

  4. Add a backend:

    • Under Backends, click Add Backend.

    • Choose Instance Group and select the target-instance-group created earlier.

    • Leave other settings as default.

  5. Save the backend service.

Step 5: Create a Forwarding Rule

A forwarding rule determines how traffic is directed to your backend service. It specifies the IP address, port, and protocol (e.g., TCP or UDP) that the load balancer listens to.

  1. Navigate to Load Balancing > Frontend Configuration:

    • From the Load Balancing page, click on the Frontend Configuration tab.

  2. Create a forwarding rule:

    • Name: my-ilb

    • Load Balancing Scheme: Internal

    • Network: my-network

    • Subnetwork: my-subnetwork

    • Protocol: TCP

    • Check Enable Mirroring Collector to use the forwarding rule for packet mirroring.

    • Select the backend service (my-service) created earlier.

  3. Save the forwarding rule.

Step 6: Create Firewall Rules

Avoid using 0.0.0.0/0 as a source range unless absolutely necessary (e.g., for public-facing applications); always specify your trusted source IP or network range. The rules must also allow mirrored traffic to reach the target backend.

  1. Create the following rules:

    • Rule for SSH (allow-ssh)

      • Name: allow-ssh

      • Network: my-network

      • Under Allow, set:

        • Protocol: TCP

        • Ports: 22

      • Source IP Ranges: Your trusted source (or 0.0.0.0/0 to allow all IPs).

    • Rule for HTTP (allow-http)

      • Name: allow-http

      • Network: my-network

      • Under Allow, set:

        • Protocol: TCP

        • Ports: 80

      • Source IP Ranges: Your trusted source (or 0.0.0.0/0 to allow all IPs).

    • Rule for Return Traffic (allow-return-traffic)

      • Name: allow-return-traffic

      • Network: my-network

      • Under Allow, set:

        • Protocol: TCP

        • Ports: 1024-65535

      • Source IP Ranges: Your trusted source (or 0.0.0.0/0 to allow all IPs).

Step 7: Create Packet Mirroring

Packet mirroring is used to copy traffic from the source instance and send it to the collector (the internal load balancer). This ensures traffic is distributed to both target instances for further analysis.

  1. Navigate to Packet Mirroring:

    • Go to Network Security > Packet Mirroring > Create Policy.

  2. Configure the policy:

    • Name: my-mirroring

    • Description: Add an optional description.

  3. Collector:

    • Select the forwarding rule (my-ilb) created earlier.

  4. Mirrored Resources:

    • Subnetworks: Add my-subnetwork.

    • Instances: Add source-instance.

  5. Set Filters:

    • IP Protocol: TCP

    • CIDR Range: 0.0.0.0/0 (mirror all traffic).

    • Direction: BOTH (ingress and egress).

      Why BOTH?

      Mirroring both directions captures the full context of a network interaction (requests and responses).

  6. Save the packet mirroring policy.
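The same Steps 2 to 7 as a gcloud script, added here as an example (not Astra's own tooling or the console flow above). PROJECT, REGION, ZONE and TRUSTED_RANGE are assumed placeholders; the resource names are the ones this article uses. It prints the commands by default and only executes them when APPLY=1.

```shell
#!/bin/sh
# Added example (not Astra's own tooling): the gcloud equivalent of Steps 2-7 above.
# PROJECT, REGION, ZONE and TRUSTED_RANGE are assumed placeholders; resource names
# are the ones this article uses. Commands are printed by default; APPLY=1 runs them.
set -eu

PROJECT="${PROJECT:-my-project}"             # assumption: your project id
REGION="${REGION:-us-central1}"              # assumption: region of source and targets
ZONE="${ZONE:-us-central1-a}"                # assumption: zone of the target VMs
TRUSTED_RANGE="${TRUSTED_RANGE:-10.0.0.0/8}" # assumption: your trusted range, not 0.0.0.0/0

run() {  # print the command, or execute it when APPLY=1
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}
mirroring_setup() {
  # Step 2: regional TCP health check on port 80 (internal TCP LB backends need a regional one)
  run gcloud compute health-checks create tcp my-healthcheck \
    --project="$PROJECT" --region="$REGION" --port=80
  # Step 3: unmanaged instance group holding both target VMs
  run gcloud compute instance-groups unmanaged create target-instance-group \
    --project="$PROJECT" --zone="$ZONE"
  run gcloud compute instance-groups unmanaged add-instances target-instance-group \
    --project="$PROJECT" --zone="$ZONE" --instances=target-instance,target-instance-2
  # Step 4: internal TCP backend service with the health check and the group as backend
  run gcloud compute backend-services create my-service \
    --project="$PROJECT" --region="$REGION" --load-balancing-scheme=INTERNAL \
    --protocol=TCP --health-checks=my-healthcheck --health-checks-region="$REGION"
  run gcloud compute backend-services add-backend my-service \
    --project="$PROJECT" --region="$REGION" \
    --instance-group=target-instance-group --instance-group-zone="$ZONE"
  # Step 5: forwarding rule marked as mirroring collector; collectors must accept all ports
  run gcloud compute forwarding-rules create my-ilb \
    --project="$PROJECT" --region="$REGION" --load-balancing-scheme=INTERNAL \
    --network=my-network --subnet=my-subnetwork --ip-protocol=TCP --ports=all \
    --backend-service=my-service --backend-service-region="$REGION" --is-mirroring-collector
  # Step 6: firewall rules scoped to the trusted range instead of 0.0.0.0/0
  for rule in allow-ssh:tcp:22 allow-http:tcp:80 allow-return-traffic:tcp:1024-65535; do
    run gcloud compute firewall-rules create "${rule%%:*}" --project="$PROJECT" \
      --network=my-network --allow="${rule#*:}" --source-ranges="$TRUSTED_RANGE"
  done
  # Step 7: mirror TCP in both directions from source-instance/my-subnetwork to the collector
  run gcloud compute packet-mirrorings create my-mirroring \
    --project="$PROJECT" --region="$REGION" --network=my-network \
    --collector-ilb=my-ilb --mirrored-instances=source-instance \
    --mirrored-subnets=my-subnetwork --filter-protocols=tcp \
    --filter-cidr-ranges=0.0.0.0/0 --filter-direction=both
}

mirroring_setup
```

Review the printed commands first, then rerun with APPLY=1 once the placeholders match your project.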


What next? Set up Astra Packet Processor

Astra Packet Processor needs to be installed to process the mirrored traffic and create API traces.

📄 How to setup Astra Packet Processor for Cloud Mirroring


FAQ

What is the pricing for GCP Packet Mirroring?

Refer to this article and search for "packet mirror".