Google Cloud Packet Mirroring clones the traffic of selected instances in your Virtual Private Cloud (VPC) network and sends the copy to a collector for inspection. Packet Mirroring captures all traffic and packet data, including both headers and payloads. A policy can mirror egress and ingress traffic, ingress only, or egress only.
What is Google Cloud Packet Mirroring?
Google Cloud Packet Mirroring is important for monitoring and analyzing your security posture. It exports all traffic, not just samples taken at intervals. For example, security software can analyze the mirrored traffic to detect threats or anomalies, and you can inspect the entire traffic flow to find application performance issues. Mirroring is performed on the individual virtual machine (VM) instances rather than in the network, so Packet Mirroring consumes additional bandwidth on those VMs. Packet Mirroring also works when the collectors and the mirrored sources are in different VPC networks connected by VPC Network Peering, such as in a hub-and-spoke configuration; the same rules for mirroring traffic apply across the peering.
How Does Google Cloud Packet Mirroring Work?
- Mirrored sources are Compute Engine VM instances, selected by subnet, network tag, or instance name.
- If you specify a subnet, all existing and future instances in that subnet are mirrored. You can specify more than one source type; an instance that matches at least one of them is mirrored.
- Packet Mirroring captures traffic from the instance's network interface in the network where the packet mirroring policy is applied.
- When an instance has several network interfaces, only the interface in the policy's network is mirrored; the other interfaces are not mirrored unless another policy is configured for them.
- A collector destination is an instance group located behind an internal load balancer.
- Collector instances are the instances that belong to that instance group.
Implementation of Google Cloud Packet Mirroring
Step 1: Enable the Packet Mirroring API
To set up Packet Mirroring, you will build a packet mirroring policy that specifies the mirrored source and the collector destination. Before creating it, make sure the API is enabled in your project.

Step 2: Create a Packet Mirroring Policy
Next, create a Packet Mirroring policy that sends the traffic of the mirrored subnet to the collector's internal load balancer forwarding rule:
gcloud compute packet-mirrorings create my-packet-mirroring \
--network my-vpc-network \
--collector-ilb my-forwarding-rule \
--mirrored-subnets my-subnet \
--region us-central1
Step 3: Install tcpdump
Install tcpdump on the collector instance from a terminal. tcpdump is a self-contained, reliable, and efficient packet analysis tool that captures network traffic in real time so you can inspect the mirrored packets as they arrive.
$ sudo apt-get install tcpdump

Step 4: Set Up IAM Roles
Next, set up the IAM roles. To create and manage packet mirroring policies you need the role roles/compute.packetMirroringAdmin. If the collector runs an IDS such as Suricata, you can follow its alert log to see the mirrored traffic being analyzed:
$ sudo tail -F /var/log/suricata/fast.log

Step 5: Configure the Mirroring Source
Choose the source instances whose traffic you want to mirror. In the console, go to VPC network, click Packet mirroring, and select the subnet to mirror (here subnet1).

Step 6: Get Mirroring Source
Open the packet mirroring policy pm-mirror-subnet1 to view the mirroring source it receives traffic from.

Step 7: Test Packet Mirroring
Lastly, use monitoring tools and log analysis to confirm that Packet Mirroring is working as intended. The following example command shows a collector instance's serial port logs:
gcloud compute instances get-serial-port-output my-collector-instance --zone us-central1-a
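The selection rules listed under "How Does Google Cloud Packet Mirroring Work?" decide which interfaces the policy created in Step 2 actually covers, and the limitations below exclude collector instances. The following Python example is added here (it is not from the article or from Google) to audit that coverage: the policy dict is constructed and modelled on the output of gcloud compute packet-mirrorings describe, the instance inventory and collector set are constructed, and the resource URLs are placeholders.

```python
# Constructed policy, modelled on `gcloud compute packet-mirrorings describe --format=json` output.
POLICIES = [{
    "name": "pm-mirror-subnet1",
    "enable": "TRUE",
    "network": {"url": "projects/p/global/networks/my-vpc-network"},
    "mirroredResources": {
        "subnetworks": [{"url": "projects/p/regions/us-central1/subnetworks/subnet1"}],
        "tags": ["web"],
    },
}]
# Constructed inventory: name, network tags, and (network, subnet) per interface.
INSTANCES = [
    {"name": "web-1", "tags": ["web"], "nics": [("my-vpc-network", "subnet1")]},
    {"name": "db-1", "tags": ["db"], "nics": [("my-vpc-network", "subnet2")]},
    {"name": "dual-1", "tags": [], "nics": [("my-vpc-network", "subnet1"), ("other-vpc", "subnet9")]},
    {"name": "collector-1", "tags": ["web"], "nics": [("my-vpc-network", "subnet1")]},
]
COLLECTORS = {"collector-1"}  # constructed: members of the collector instance group

def _name(url):
    return url.rsplit("/", 1)[-1]  # last path segment of a resource URL

def mirrored_interfaces(policies, instances, collectors):
    """Map (instance, network, subnet) -> policy name for every mirrored interface.
    Article's rules: only the interface in the policy's own network is captured; ANY of
    subnet / tag / name selects an instance; collectors and disabled policies are skipped."""
    covered = {}
    for pol in policies:
        if pol.get("enable") != "TRUE":
            continue
        res = pol["mirroredResources"]
        net = _name(pol["network"]["url"])
        subnets = {_name(s["url"]) for s in res.get("subnetworks", [])}
        tags = set(res.get("tags", []))
        names = {_name(i["url"]) for i in res.get("instances", [])}
        for inst in instances:
            if inst["name"] in collectors:
                continue
            for nic_net, nic_sub in inst["nics"]:
                selected = nic_sub in subnets or tags & set(inst["tags"]) or inst["name"] in names
                if nic_net == net and selected:
                    covered[(inst["name"], nic_net, nic_sub)] = pol["name"]
    return covered

def unmirrored_interfaces(policies, instances, collectors):
    """Non-collector interfaces that no enabled policy reaches: the visibility gap."""
    covered = mirrored_interfaces(policies, instances, collectors)
    return sorted((i["name"], n, s) for i in instances if i["name"] not in collectors
                  for n, s in i["nics"] if (i["name"], n, s) not in covered)
```

In this constructed inventory the second interface of dual-1 and all of db-1 fall outside the policy, which is exactly the kind of blind spot a security team should check for before relying on the mirrored feed.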
Use Cases of Google Cloud Packet Mirroring
- Application performance monitoring: Network engineers can use mirrored traffic to troubleshoot performance issues identified by application and database teams. Instead of depending on application logs to detect networking faults, network engineers can see what's happening over the wire.
- Enterprise security: Security and network engineering teams have to ensure that they detect any anomalies and threats that could indicate a security breach or incursion. They mirror all traffic to conduct a thorough inspection of questionable flows. Because attacks might spread across numerous packets, security teams must be able to collect all packets for each flow.
Limitations of Google Cloud Packet Mirroring
- Packet Mirroring cannot mirror the traffic of Private Service Connect published services.
- For security reasons, Packet Mirroring does not mirror packets sent to the link-local IP address range 169.254.0.0/16 as this range covers metadata requests sent from a virtual machine to its metadata server.
- Using a Google Kubernetes Engine (GKE) LoadBalancer Service as a packet mirroring collector is not permitted.
- If a packet mirroring policy applies to collector instances, Packet Mirroring disregards them and does not mirror their traffic.
Conclusion
In this article, we have learned about Google Cloud Packet Mirroring. Google Cloud Packet Mirroring is useful for monitoring and analyzing your security posture. It exports all traffic, not just samples taken at intervals.