How to set up Astra Traffic Monitoring with GCP Packet Mirroring
GCP Packet Mirroring Setup
Architecture
What's not supported
You cannot mirror and collect traffic on the same network interface of a VM instance because doing this would cause a mirroring loop.
Refer to the official GCP Packet Mirroring documentation for the full list of supported and unsupported configurations.
Assumptions
The source instances already exist in your infrastructure and generate traffic.
All instances (source and target) are in the same VPC network and region.
Requirements
The source instance, target backend, and load balancer must belong to the same VPC.
All mirrored sources must be in the same project, VPC network, and Google Cloud region.
Health checks must be enabled on the target backend.
Firewall rules must allow the mirrored traffic to reach the collector. Mirrored packets are delivered with their original source and destination headers, so the ingress rule on the collector instances has to admit traffic from the mirrored sources' IP ranges, not from the load balancer's address.
Step 1: Create Target Compute Instances
If you already have target instances, skip this step and proceed to the next one.
Navigate to VM instances → Create Instance.
Create a target VM instance:
- Name: target-instance
- Machine Type: Select a machine type (for example, one from the e2-standard family).
- Image: Debian 11 (or another suitable image).
Under the Networking section:
- Select the VPC network that the source instance is part of.
- If necessary, choose the subnet that matches the source instance's subnet.
Repeat these steps for target-instance-2.
Step 2: Create a Health Check
The health check periodically probes the instances to confirm they are available and functioning as expected.
Navigate to Health Checks → Create Health Check.
Set the following:
- Name: my-healthcheck
- Protocol: TCP
- Port: 80
Save the health check.
Step 3: Create an Instance Group
Navigate to Instance Groups → Create Instance Group.
Configure the instance group:
- Name: target-instance-group
- Add the target-instance and target-instance-2 instances to the group.
Step 4: Create a Backend Service
The backend service ensures that traffic is routed appropriately to the VM instances in your instance group. This is critical to ensure that only healthy instances serve incoming requests.
Navigate to Load Balancing:
- Go to Google Cloud Console.
- Click on Network Services → Load Balancing → Backend Services.
Create a new backend service:
- Name: my-service
- Load Balancing Scheme: Internal
- Protocol: TCP
Add a health check:
- Select the existing health check (my-healthcheck) created in Step 2.
Add a backend:
- Under Backends, click Add Backend.
- Choose Instance Group and select the target-instance-group created earlier.
- Leave other settings as default.
Save the backend service.
Step 5: Create a Forwarding Rule
A forwarding rule determines how traffic is directed to your backend service. It specifies the IP address, port, and protocol (e.g., TCP or UDP) that the load balancer listens to.
Navigate to Load Balancing Frontend Configuration:
- From the Load Balancing page, click on the Frontend Configuration tab.
Create a forwarding rule:
- Name: my-ilb
- Load Balancing Scheme: Internal
- Network: my-network
- Subnetwork: my-subnetwork
- Protocol: TCP
- Check Enable Mirroring Collector to use the forwarding rule for packet mirroring.
- Select the backend service (my-service) created earlier.
Save the forwarding rule.
Step 6: Create Firewall Rules
Best Practice
Avoid 0.0.0.0/0 unless it is absolutely necessary (for example, a public-facing application). Specify your trusted source IP or network range instead, and make sure the rules still allow the mirrored traffic to reach the target backends.
Create rules:
Rule for SSH (allow-ssh)
- Name: allow-ssh
- Network: my-network
- Under Allow, set:
- Protocol: TCP
- Ports: 22
- Source IP Ranges: Your trusted source range (0.0.0.0/0 allows every IP and should be avoided; see Best Practice above).
Rule for HTTP (allow-http)
- Name: allow-http
- Network: my-network
- Under Allow, set:
- Protocol: TCP
- Ports: 80
- Source IP Ranges: Your trusted source range (0.0.0.0/0 allows every IP and should be avoided; see Best Practice above).
Rule for Return Traffic (allow-return-traffic)
- Name: allow-return-traffic
- Network: my-network
- Under Allow, set:
- Protocol: TCP
- Ports: 1024-65535
- Source IP Ranges: Your trusted source range (0.0.0.0/0 allows every IP and should be avoided; see Best Practice above).
Step 7: Create Packet Mirroring
Packet mirroring copies traffic from the source instance and sends it to the collector (the internal load balancer), which distributes the mirrored packets across the target instances for analysis.
Navigate to Packet Mirroring:
- Go to Network Security → Packet Mirroring → Create Policy.
Configure the policy:
- Name: my-mirroring
- Description: Add an optional description.
Collector:
- Select the forwarding rule (my-ilb) created earlier.
Mirrored Resources:
- Subnetworks: Add my-subnetwork.
- Instances: Add source-instance.
Set Filters:
- IP Protocol: TCP
- CIDR Range: 0.0.0.0/0 (mirror all traffic).
- Direction: BOTH (ingress and egress).
Why BOTH?
Captures the full context of a network interaction (requests and responses).
Save the packet mirroring policy.
What next? Set up the Astra Packet Processor
- See the guide on setting up the Astra Packet Processor using Ansible or manually with Docker Compose.
Updated on: 07/01/2025
Thank you!