Skip to content

existing_consumer.md

Latest commit

 

History

History
68 lines (50 loc) · 2.53 KB

existing_consumer.md

File metadata and controls

68 lines (50 loc) · 2.53 KB

Connect an Existing Consumer Environment

If you already have a consumer environment you wish to secure, you can manually connect it to your producer environment using the gcloud CLI.

Depending on your architecture, follow the steps for either an Intercept Deployment (inline inspection) or a Mirroring Deployment (out-of-band inspection).

Prerequisites: Set Environment Variables

Before running the commands, define the variables for your environment. You will need the output value generated by the producer deployment (INTERCEPT_DEPLOYMENT_GROUP or MIRRORING_DEPLOYMENT_GROUP).

export CONSUMER_PROJECT="your-consumer-project-id"
export CONSUMER_VPC="your-consumer-vpc-name"
export PRODUCER_DG="projects/your-producer-project/locations/global/interceptDeploymentGroups/panw-dg"

Option A: Intercept Deployment

Create an intercept endpoint group and associate it with the producer's intercept deployment group. Then, connect the endpoint group to your consumer VPC.

  1. Create the intercept endpoint group (panw-epg) referencing the producer's deployment group.

    gcloud network-security intercept-endpoint-groups create panw-epg \
    --intercept-deployment-group $PRODUCER_DG \
    --project $CONSUMER_PROJECT \
    --location global \
    --no-async

  2. Associate the intercept endpoint group with your consumer VPC network.

    gcloud network-security intercept-endpoint-group-associations create panw-epg-assoc \
    --intercept-endpoint-group panw-epg \
    --network $CONSUMER_VPC \
    --project $CONSUMER_PROJECT \
    --location global \
    --no-async

Option B: Mirroring Deployment

Create a mirroring endpoint group and associate it with the producer's mirroring deployment group. Then, connect the endpoint group to your consumer VPC.

  1. Create the mirroring endpoint group (panw-epg) referencing the producer's deployment group.

    gcloud network-security mirroring-endpoint-groups create panw-epg \
    --mirroring-deployment-group $PRODUCER_DG \
    --project $CONSUMER_PROJECT \
    --location global \
    --no-async

  2. Associate the mirroring endpoint group with your consumer VPC network.

    gcloud network-security mirroring-endpoint-group-associations create panw-epg-assoc \
    --mirroring-endpoint-group panw-epg \
    --network $CONSUMER_VPC \
    --project $CONSUMER_PROJECT \
    --location global \
    --no-async