Set up intrusion detection and prevention service in your network

Intrusion detection and prevention service monitors your Google Cloud workload traffic for malicious activity and takes preventive action to block it. To enable this service on your network, you must set up multiple Cloud Next Generation Firewall components. This tutorial describes the end-to-end workflow to configure intrusion detection and prevention service in your network.

Objectives

This tutorial shows you how to complete the following tasks:

  • Create a Virtual Private Cloud (VPC) network with two subnets.
  • Create a server virtual machine (VM) instance in the first subnet of the VPC network and install the Apache server on the VM.
  • Create a client VM instance in the second subnet of the VPC network.
  • Create a security profile and a security profile group.
  • Create a firewall endpoint and associate it with the VPC network.
  • Add a global network firewall policy with the following firewall rules:
    • A firewall rule to enable Identity-Aware Proxy (IAP) access to the VM instances in the VPC network.
    • A firewall rule to direct all ingress traffic for Layer 7 inspection.
  • Verify whether malicious traffic to the server VM instance is blocked.
  • Clean up the resources.

The following diagram shows the high-level architecture of the deployment set up in this tutorial. The firewall policy fw-policy-ips, attached to the VPC network vpc-ips, redirects matching ingress traffic to the firewall endpoint endpoint-ips in zone asia-southeast1-a. The endpoint inspects the traffic for threats and, when it detects one, applies the action defined in the security profile sec-profile-ips.

Figure: Intrusion detection and prevention service in a custom VPC network.

Costs

There is a cost associated with creating the firewall endpoints. For pricing details, see Cloud Next Generation Firewall pricing.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Compute Engine API for your project.
  5. Enable the Network Security API for your project.
  6. Enable the Identity-Aware Proxy API for your project.
  7. Have the Compute Network Admin (roles/compute.networkAdmin) IAM role on your organization.
  8. If you prefer to work from the command line, install the Google Cloud CLI. For conceptual and installation information about the tool, see gcloud CLI overview.

    Note: If you haven't run the gcloud CLI previously, first run gcloud init to initialize your gcloud CLI directory.

Create a custom VPC network with subnets

In this section, you create a custom mode VPC network with two IPv4 subnets.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click Create VPC network.

  3. For Name, enter vpc-ips.

  4. For Description, enter VPC network to set up intrusion detection and prevention service.

  5. For Subnet creation mode, select Custom.

  6. In the New subnet section, specify the following configuration parameters for a subnet:

    • Name: subnet-ips-server
    • Region: asia-southeast1
    • IPv4 range: 10.0.0.0/24
  7. Click Done.

  8. Click Add subnet and specify the following configuration parameters:

    • Name: subnet-ips-client
    • Region: us-central1
    • IPv4 range: 192.168.10.0/24
  9. Click Done.

  10. Click Create.

gcloud

  1. To create a VPC network, run the following command:

    gcloud compute networks create vpc-ips \
        --subnet-mode custom \
        --description "VPC network to set up intrusion detection and prevention service."
  2. In the Authorize cloud shell dialog, click Authorize.

  3. To create a subnet, run the following command:

    gcloud compute networks subnets create subnet-ips-server \
        --network vpc-ips \
        --region asia-southeast1 \
        --range 10.0.0.0/24
  4. To create another subnet, run the following command:

    gcloud compute networks subnets create subnet-ips-client \
        --network vpc-ips \
        --region us-central1 \
        --range 192.168.10.0/24

Create a Cloud Router and a Cloud NAT gateway

Before you create the client and server Linux VM instances in the next section, create a Cloud Router and a Cloud NAT gateway so that VMs can reach the public internet (for example, to install packages) without needing an external IP address. Cloud NAT is regional: the gateway you create here serves subnets in asia-southeast1 only, which is where the server VM runs apt to install Apache.

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Click Get started or Create Cloud NAT gateway.

  3. For Gateway name, enter gateway-ips.

  4. For NAT type, select Public.

  5. In the Select Cloud Router section, specify the following configuration parameters:

    • Network: vpc-ips
    • Region: asia-southeast1
    • Cloud Router: Create new router.
      1. For Name, enter router-ips.
      2. Click Create.
  6. Click Create.

gcloud

  1. To create a Cloud Router, run the following command:

    gcloud compute routers create router-ips \
        --network=vpc-ips \
        --region=asia-southeast1
  2. To create a Cloud NAT gateway, run the following command:

    gcloud compute routers nats create gateway-ips \
        --router=router-ips \
        --region=asia-southeast1 \
        --auto-allocate-nat-external-ips \
        --nat-all-subnet-ip-ranges

Create VM instances

In this section, you create server and client VM instances.

Create the server VM instance

In this section, you create a VM instance in the subnet subnet-ips-server and install the Apache server on it.

Console

  1. In the Google Cloud console, go to the Create an instance page.

    Go to Create an instance

  2. In the Machine configuration pane, do the following:

    1. For Name, enter vm-server-ips.
    2. For Region, select asia-southeast1 (Singapore).
    3. For Zone, select asia-southeast1-a.
  3. In the navigation menu, click OS and Storage.

    In the Operating system and storage section, verify that Image is Debian GNU/Linux 12 (bookworm). If it isn't, click Change and set the Operating system field to Debian and the Version field to Debian GNU/Linux 12 (bookworm).

  4. In the navigation menu, click Networking.

    1. In the Network interfaces section, click default and specify the following configuration parameters:
      • Network: vpc-ips
      • Subnetwork: subnet-ips-server IPv4 (10.0.0.0/24)
      • External IPv4 address: Ephemeral (the firewall rule and the test in later sections use this address)
    2. Click Done.
  5. In the navigation menu, click Advanced and enter the following script in the Startup script field:

    #! /bin/bash
    apt update
    apt -y install apache2
    cat <<EOF > /var/www/html/index.html
    <html><body><p>Hello World.</p></body></html>
    EOF
  6. Click Create.

  7. Make a note of the External IP address of the server VM after it is created.

gcloud

To create the server VM, run the following command:

gcloud compute instances create vm-server-ips \
    --network vpc-ips \
    --zone asia-southeast1-a \
    --subnet subnet-ips-server \
    --stack-type IPV4_ONLY \
    --image-project debian-cloud \
    --image-family debian-12 \
    --metadata=startup-script='#! /bin/bash
apt update
apt -y install apache2
cat <<EOF > /var/www/html/index.html
<html><body><p>Hello World.</p></body></html>
EOF'

The heredoc terminator EOF must start at the beginning of its line; indenting it, as an earlier version of this command did, leaves the heredoc unterminated and the page is not written correctly.

Make a note of the external IP address of the VM in the returned status.

Create the client VM instance

In this section, you create a VM instance in the subnet subnet-ips-client.

Console

  1. In the Google Cloud console, go to the Create an instance page.

    Go to Create an instance

  2. In the Machine configuration pane, do the following:

    1. For Name, enter vm-client-ips.
    2. For Region, select us-central1 (Iowa).
    3. For Zone, select us-central1-a.
  3. In the navigation menu, click Networking.

    1. In the Network interfaces section, click default and specify the following configuration parameters:
      • Network: vpc-ips
      • Subnetwork: subnet-ips-client IPv4 (192.168.10.0/24)
    2. Click Done.
  4. Click Create.

gcloud

To create the client VM, run the following command:

gcloud compute instances create vm-client-ips \
    --network vpc-ips \
    --zone us-central1-a \
    --subnet subnet-ips-client \
    --stack-type IPV4_ONLY

Create a security profile

In this section, you create a security profile of type threat-prevention in your organization. To view the permissions required to create a security profile, see Create a threat prevention security profile.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. In the project selector menu, select your organization.

  3. Select the Security profiles tab.

  4. Click Create profile.

  5. For Name, enter sec-profile-ips.

  6. For Description, enter Security profile to set up intrusion detection and prevention service.

  7. Click Continue.

  8. Click Create.

gcloud

To create a security profile, run the following command:

gcloud network-security security-profiles threat-prevention \
    create sec-profile-ips \
    --organization ORGANIZATION_ID \
    --location global \
    --project PROJECT_ID \
    --description "Security profile to set up intrusion detection and prevention service."

Replace the following:

  • ORGANIZATION_ID: the organization where the security profile is created.
  • PROJECT_ID: a project ID to use for quotas and access restrictions on the security profile.

Create a security profile group

In this section, you create a security profile group that includes the security profile you created in the preceding section. To view the permissions required to create a security profile group, see Permissions required for this task.

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. In the project selector menu, select your organization.

  3. Select the Security profile groups tab.

  4. Click Create profile group.

  5. For Name, enter sec-profile-group-ips.

  6. For Description, enter Security profile group to set up intrusion detection and prevention service.

  7. In the Threat prevention profile list, select sec-profile-ips.

  8. Click Create.

gcloud

To create a security profile group, run the following command:

gcloud network-security security-profile-groups \
    create sec-profile-group-ips \
    --organization ORGANIZATION_ID \
    --location global \
    --project PROJECT_ID \
    --threat-prevention-profile organizations/ORGANIZATION_ID/locations/global/securityProfiles/sec-profile-ips \
    --description "Security profile group to set up intrusion detection and prevention service."

Replace the following:

  • ORGANIZATION_ID: the organization where the security profile group is created.
  • PROJECT_ID: a project ID to use for quotas and access restrictions on the security profile group.

Create a firewall endpoint

In this section, you create a firewall endpoint in a specific zone. To view the permissions required to create a firewall endpoint, see Permissions required for this task.

Note: When you create a firewall endpoint, its state is set to Creating. After the firewall endpoint is ready, the state changes to Active. Creating an endpoint takes time; wait for the state to change to Active before you associate the endpoint with the network in the next section.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. In the project selector menu, select your organization.

  3. Click Create.

  4. In the Region list, select asia-southeast1 (Singapore).

  5. In the Zone list, select asia-southeast1-a.

  6. For Name, enter endpoint-ips.

  7. Click Create.

gcloud

To create a firewall endpoint, run the following command:

gcloud network-security firewall-endpoints \
    create endpoint-ips \
    --organization ORGANIZATION_ID \
    --zone asia-southeast1-a \
    --billing-project PROJECT_ID

Replace the following:

  • ORGANIZATION_ID: the organization where the firewall endpoint is created.
  • PROJECT_ID: a project ID to use for the billing of the firewall endpoint.

Create a firewall endpoint association

In this section, you associate the firewall endpoint with the VPC network that you created earlier.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the vpc-ips network to show its VPC network details page.

  3. Select the Firewall endpoint tab.

  4. Click Add endpoint association.

  5. In the Region list, select asia-southeast1.

  6. In the Zone list, select asia-southeast1-a.

  7. In the Firewall endpoint list, select endpoint-ips.

  8. Click Create.

gcloud

To create a firewall endpoint association, run the following command:

gcloud network-security firewall-endpoint-associations \
    create endpoint-association-ips \
    --endpoint organizations/ORGANIZATION_ID/locations/asia-southeast1-a/firewallEndpoints/endpoint-ips \
    --network vpc-ips \
    --zone asia-southeast1-a \
    --project PROJECT_ID

Replace the following:

  • ORGANIZATION_ID: the organization where the firewall endpoint is created.
  • PROJECT_ID: a project ID where the association is created.

Create a global network firewall policy

In this section, you create a global network firewall policy that contains the following two firewall rules:

  1. An ingress firewall rule with priority 100 that allows TCP traffic to ports 22 and 3389 from the IAP TCP forwarding range 35.235.240.0/20. This rule enables IAP access to the VM instances in the VPC network without exposing SSH or RDP to the internet.
  2. An ingress firewall rule with priority 200 that sends incoming traffic to the server VM to the firewall endpoint for Layer 7 inspection.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector list, select your project within your organization.

  3. Click Create firewall policy.

  4. For Name, enter fw-policy-ips.

  5. For Deployment scope, select Global.

  6. Click Continue, and then click Add rule.

  7. In the Priority field, enter 100.

  8. For Logs, select On.

  9. For Direction of traffic, select Ingress.

  10. For Action on match, select Allow.

  11. For the Source filter, select IPv4, and then in the IP range field enter 35.235.240.0/20.

  12. In the Protocols and ports section, select Specified protocols and ports.

  13. Select TCP, and for Ports, enter 22,3389.

  14. Click Create.

  15. Click Add rule.

  16. In the Priority field, enter 200.

  17. For Logs, select On.

  18. For Direction of traffic, select Ingress.

  19. For Action on match, select Apply security profile group.

  20. In the Security profile group list, select sec-profile-group-ips.

  21. In the Destination filter, select IPv4, and then in the IP range field enter the external IP address of the server VM that you created in the Create the server VM instance section.

  22. Click Create.

  23. Click Continue.

  24. Click Associate policy with VPC networks.

  25. Select the vpc-ips network.

  26. Click Associate.

  27. Click Create.

gcloud

  1. To create a global network firewall policy, run the following command:

    gcloud compute network-firewall-policies \
        create fw-policy-ips \
        --global \
        --project PROJECT_ID

    Replace the following:

    • PROJECT_ID: a project ID where the global network firewall policy is created.
  2. To add the firewall rule that allows IAP access, run the following command:

    gcloud compute network-firewall-policies rules create 100 \
        --firewall-policy fw-policy-ips \
        --direction INGRESS \
        --action ALLOW \
        --src-ip-ranges 35.235.240.0/20 \
        --layer4-configs tcp:22,tcp:3389 \
        --global-firewall-policy \
        --enable-logging
  3. To add the firewall rule that sends traffic for Layer 7 inspection for threat detection and prevention, run the following command. Pass the security profile group as one unbroken resource URI; splitting it across lines turns it into two arguments and the command fails:

    gcloud compute network-firewall-policies rules create 200 \
        --direction INGRESS \
        --firewall-policy fw-policy-ips \
        --action apply_security_profile_group \
        --dest-ip-ranges SERVER_VM_IP \
        --layer4-configs tcp:0-65535 \
        --global-firewall-policy \
        --security-profile-group //networksecurity.googleapis.com/organizations/ORGANIZATION_ID/locations/global/securityProfileGroups/sec-profile-group-ips \
        --enable-logging

    Replace the following:

    • SERVER_VM_IP: the external IP address of the server VM that you created in the Create the server VM instance section.

    • ORGANIZATION_ID: the organization where the security profile group is created.

  4. To associate the firewall policy with the VPC network, run the following command:

    gcloud compute network-firewall-policies associations create \
        --firewall-policy fw-policy-ips \
        --network vpc-ips \
        --name fw-pol-association-ips \
        --global-firewall-policy \
        --project PROJECT_ID

    Replace the following:

    • PROJECT_ID: the project ID where the VPC association is created.
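The preceding sections create the organization-scoped objects one command at a time. The script below is an added example, not code from the tutorial or from Google Cloud: it runs the same gcloud commands in dependency order and polls the firewall endpoint until it is Active before creating the association, which is the step that fails if you run ahead of the endpoint. It assumes gcloud is installed and authenticated, that the VPC network, Cloud NAT and VMs from the earlier sections already exist, that the caller exports ORGANIZATION_ID, PROJECT_ID and SERVER_VM_IP, and that describe --format 'value(state)' reports the Creating/Active states as CREATING/ACTIVE. Resource names are the tutorial's.

```sh
#!/bin/sh
# Added example, not the tutorial's code. Creates the Cloud NGFW objects in
# dependency order and waits for the firewall endpoint to become ACTIVE before
# associating it. Assumes gcloud is authenticated, the network/NAT/VMs exist,
# and ORGANIZATION_ID, PROJECT_ID and SERVER_VM_IP are exported by the caller.
set -eu

ZONE=asia-southeast1-a
NETWORK=vpc-ips
ENDPOINT=endpoint-ips
PROFILE=sec-profile-ips
GROUP=sec-profile-group-ips
POLICY=fw-policy-ips

# Full resource names expected by --threat-prevention-profile, --endpoint and
# --security-profile-group. $1 = organization ID.
profile_resource() {
  printf 'organizations/%s/locations/global/securityProfiles/%s\n' "$1" "$PROFILE"
}
endpoint_resource() {
  printf 'organizations/%s/locations/%s/firewallEndpoints/%s\n' "$1" "$ZONE" "$ENDPOINT"
}
group_uri() {
  printf '//networksecurity.googleapis.com/organizations/%s/locations/global/securityProfileGroups/%s\n' \
    "$1" "$GROUP"
}

# Poll the endpoint state (assumed to be CREATING, then ACTIVE). Returns 0 when
# ACTIVE, 1 on an unexpected state or after $2 attempts spaced $3 seconds apart.
# $1 = organization ID, $2 = max attempts, $3 = delay in seconds.
wait_for_endpoint_active() {
  org=$1; attempts=$2; delay=$3; i=0
  while [ "$i" -lt "$attempts" ]; do
    state=$(gcloud network-security firewall-endpoints describe "$ENDPOINT" \
      --organization "$org" --zone "$ZONE" --format 'value(state)' 2>/dev/null || true)
    case "$state" in
      ACTIVE) return 0 ;;
      CREATING|"") ;;   # still provisioning, or not yet visible to describe
      *) echo "endpoint $ENDPOINT is in state $state; giving up" >&2; return 1 ;;
    esac
    i=$((i + 1))
    sleep "$delay"
  done
  echo "timed out after $attempts checks waiting for $ENDPOINT to become ACTIVE" >&2
  return 1
}

# $1 = organization ID, $2 = project ID, $3 = server VM IP for the L7 rule.
apply_setup() {
  org=$1; project=$2; server_ip=$3
  gcloud network-security security-profiles threat-prevention create "$PROFILE" \
    --organization "$org" --location global --project "$project"
  gcloud network-security security-profile-groups create "$GROUP" \
    --organization "$org" --location global --project "$project" \
    --threat-prevention-profile "$(profile_resource "$org")"
  gcloud network-security firewall-endpoints create "$ENDPOINT" \
    --organization "$org" --zone "$ZONE" --billing-project "$project"
  # Endpoint creation is slow; do not associate until it reports ACTIVE.
  wait_for_endpoint_active "$org" 90 20
  gcloud network-security firewall-endpoint-associations create endpoint-association-ips \
    --endpoint "$(endpoint_resource "$org")" --network "$NETWORK" \
    --zone "$ZONE" --project "$project"
  gcloud compute network-firewall-policies create "$POLICY" --global --project "$project"
  # Rule 100: SSH/RDP only from the IAP TCP forwarding range, never from 0.0.0.0/0.
  gcloud compute network-firewall-policies rules create 100 \
    --firewall-policy "$POLICY" --global-firewall-policy --project "$project" \
    --direction INGRESS --action ALLOW --src-ip-ranges 35.235.240.0/20 \
    --layer4-configs tcp:22,tcp:3389 --enable-logging
  # Rule 200: hand every TCP port on the server VM to the endpoint for L7 inspection.
  gcloud compute network-firewall-policies rules create 200 \
    --firewall-policy "$POLICY" --global-firewall-policy --project "$project" \
    --direction INGRESS --action apply_security_profile_group \
    --security-profile-group "$(group_uri "$org")" \
    --dest-ip-ranges "$server_ip" --layer4-configs tcp:0-65535 --enable-logging
  gcloud compute network-firewall-policies associations create \
    --name fw-pol-association-ips --firewall-policy "$POLICY" \
    --global-firewall-policy --network "$NETWORK" --project "$project"
}

# Touch a real organization only when explicitly requested.
if [ "${IPS_APPLY:-0}" = 1 ]; then
  apply_setup "${ORGANIZATION_ID:?}" "${PROJECT_ID:?}" "${SERVER_VM_IP:?}"
fi
```

Run it as IPS_APPLY=1 ORGANIZATION_ID=... PROJECT_ID=... SERVER_VM_IP=... sh setup-ips.sh. With set -e, the first failing gcloud command aborts the script, so a half-built policy is never associated with the network; the polling budget of 90 checks at 20 seconds covers a slow endpoint build, and an unexpected state such as a deletion in progress is reported rather than waited on.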

Test the setup

In this section, you test the setup by sending traffic from the client VM to the server VM. The global network firewall policy redirects that traffic to the firewall endpoint, which performs Layer 7 inspection and blocks the request that matches a threat signature.

Console

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. From the External IP column of the vm-server-ips VM, copy the external IP address of the VM.

  3. In the Connect column of the vm-client-ips VM, click SSH.

  4. In the SSH-in-browser dialog, click Authorize and wait for the connection to establish.

  5. To verify that a benign request is not blocked, run the following command:

    curl EXTERNAL_IP -m 2

    Replace EXTERNAL_IP with the external IP of the vm-server-ips VM.

    The expected response is the page written by the startup script:

    <html><body><p>Hello World.</p></body></html>

  6. To verify that a malicious request is blocked, run the following command. The request tries to read the server's password file through a path traversal in the URL.

    curl -m 2 EXTERNAL_IP:80/cgi-bin/../../../../bin/cat%20/etc/passwd/

    Replace EXTERNAL_IP with the external IP of the vm-server-ips VM.

    A Connection timed out message is expected: the firewall endpoint detects the threat in the request and blocks the packets, so the server never answers.

  7. Close the SSH-in-browser dialog.

gcloud

  1. To connect to the vm-client-ips VM, run the following command:

    gcloud compute ssh vm-client-ips \
        --zone=us-central1-a \
        --tunnel-through-iap

    When prompted, press Y to confirm, and then press Enter.

    Note: While the SSH session to the vm-client-ips VM is connected, ignore any warning messages that you see.
  2. To verify that a benign request is not blocked, run the following command:

    curl EXTERNAL_IP -m 2

    Replace EXTERNAL_IP with the external IP of the vm-server-ips VM.

    The expected response is the page written by the startup script:

    <html><body><p>Hello World.</p></body></html>

  3. To verify that a malicious request is blocked, run the following command:

    curl -m 2 EXTERNAL_IP:80/cgi-bin/../../../../bin/cat%20/etc/passwd/

    Replace EXTERNAL_IP with the external IP of the vm-server-ips VM.

    A Connection timed out message is expected: the firewall endpoint detects the threat in the request and blocks the packets, so the server never answers.

  4. To close the SSH session, enter exit.
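The two curl checks above are judged by eye. The script below is an added example, not code from the tutorial or from Google Cloud; it runs the same two requests from vm-client-ips and turns the outcome into a pass/fail verdict. The point it adds is the distinction a timeout alone hides: a request the endpoint drops gets no reply at all (curl exit 28), whereas "failed to connect" (exit 7) or a non-200 status means inspection was never exercised, typically because the IP is wrong, Apache is not up yet, or rule 200 did not match. It assumes SERVER_IP, the external IP of vm-server-ips, is exported by the caller, and it adds --path-as-is so that the literal ../ segments are sent on the wire (curl otherwise squashes them before sending, so the request differs from what you typed).

```sh
#!/bin/sh
# Added example, not the tutorial's code. Pass/fail version of the manual curl
# checks, to run from vm-client-ips with SERVER_IP set to the server VM's
# external IP (assumed input). Dropped by the endpoint -> curl exit 28.
set -u

TIMEOUT=${TIMEOUT:-5}

# classify CURL_EXIT HTTP_CODE -> allowed:<code> | blocked | error:<curl exit>
classify() {
  case "$1" in
    0)  echo "allowed:$2" ;;
    28) echo "blocked" ;;        # silent drop: no reply within the timeout
    *)  echo "error:$1" ;;       # e.g. 7 = failed to connect; not an IPS verdict
  esac
}

# check LABEL URL EXPECTED -> prints PASS/FAIL, returns 0 on PASS.
# --path-as-is keeps the ../ segments on the wire instead of letting curl
# normalize them away before the request is sent.
check() {
  rc=0
  code=$(curl -s -o /dev/null --path-as-is -m "$TIMEOUT" -w '%{http_code}' "$2" 2>/dev/null) || rc=$?
  got=$(classify "$rc" "$code")
  if [ "$got" = "$3" ]; then
    echo "PASS $1: $got"
    return 0
  fi
  echo "FAIL $1: expected $3, got $got"
  return 1
}

# run_checks SERVER_IP -> returns the number of failed checks.
run_checks() {
  fails=0
  check benign "http://$1/" allowed:200 || fails=$((fails + 1))
  check traversal "http://$1:80/cgi-bin/../../../../bin/cat%20/etc/passwd/" blocked \
    || fails=$((fails + 1))
  return "$fails"
}

if [ -n "${SERVER_IP:-}" ]; then
  run_checks "$SERVER_IP"
fi
```

Run it as SERVER_IP=203.0.113.10 sh check-ips.sh (constructed address); the exit status is the number of failed checks, so it drops straight into a CI job or a post-deployment smoke test. Treat error:7 on the benign check as "fix the setup first", not as evidence that blocking works.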

View the threat logs

  1. In the Google Cloud console, go to the Threats page.

    Go to Threats

  2. If necessary, select your Google Cloud project.

  3. In the Threat section, you can see the log entry for the threat detected on your vpc-ips network.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

In this section, you delete the resources created in this tutorial.

Delete the firewall endpoint association

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the vpc-ips network to show its VPC network details page.

  3. Select the Firewall endpoint tab. The tab shows a list of configured firewall endpoint associations.

  4. Select the checkbox next to endpoint-ips, and then click Delete.

  5. Click Delete again to confirm.

gcloud

To delete the firewall endpoint association, run the following command. The association is named endpoint-association-ips, as created in the Create a firewall endpoint association section, not endpoint-ips:

gcloud network-security firewall-endpoint-associations \
    delete endpoint-association-ips \
    --zone asia-southeast1-a \
    --project PROJECT_ID

Replace PROJECT_ID with the project where the association was created.

Delete the firewall endpoint

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. Select endpoint-ips, and then click Delete.

  3. Click Delete again to confirm.

gcloud

To delete the firewall endpoint, run the following command:

gcloud network-security firewall-endpoints delete endpoint-ips \
    --organization ORGANIZATION_ID \
    --zone asia-southeast1-a

Replace the following:

  • ORGANIZATION_ID: the organization where the endpoint is created.

Delete the global network firewall policy

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector menu, select the project that contains the policy.

  3. Click fw-policy-ips.

  4. Click the Associations tab.

  5. Select all associations.

  6. Click Remove Associations.

  7. After all associations are removed, click Delete.

gcloud

  1. To remove the association between the firewall policy and the VPC network, run the following command:

    gcloud compute network-firewall-policies associations delete \
        --name fw-pol-association-ips \
        --firewall-policy fw-policy-ips \
        --global-firewall-policy
    Note: If you set up the association between the firewall policy and the VPC network through the Google Cloud console, don't use the gcloud CLI command to remove the association. If you can't remember how you created the association, or you get the error The network firewall policy does not have an association with fw-pol-association-ips when you run the command, use the Google Cloud console to remove the association.
  2. Delete the firewall policy. A policy cannot be deleted while it is still associated with a network, so remove the association first.

    gcloud compute network-firewall-policies delete fw-policy-ips --global

    When prompted, press Y to confirm, and then press Enter.

Delete the security profile group

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. Select the Security profile groups tab.

  3. Select sec-profile-group-ips, and then click Delete.

  4. Click Delete again to confirm.

gcloud

To delete the security profile group, run the following command:

gcloud network-security security-profile-groups \
    delete sec-profile-group-ips \
    --organization ORGANIZATION_ID \
    --location global

Replace the following:

  • ORGANIZATION_ID: the organization where the security profile group is created.

Delete the security profile

Console

  1. In the Google Cloud console, go to the Security profiles page.

    Go to Security profiles

  2. Select the Security profiles tab. The tab shows a list of configured security profiles.

  3. Select sec-profile-ips, and then click Delete.

  4. Click Delete again to confirm.

gcloud

To delete the security profile, run the following command:

gcloud network-security security-profiles threat-prevention \
    delete sec-profile-ips \
    --organization ORGANIZATION_ID \
    --location global

Replace the following:

  • ORGANIZATION_ID: the organization where the security profile is created.

Delete the VMs

Console

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Select the checkboxes of both the vm-client-ips and vm-server-ips VMs.

  3. Click Delete.

  4. In the Delete 2 instances? dialog, click Delete.

gcloud

  1. To delete the vm-client-ips VM, run the following command:

    gcloud compute instances delete vm-client-ips \
        --zone us-central1-a

    When prompted, press Y to confirm, and then press Enter.

  2. To delete the vm-server-ips VM, run the following command:

    gcloud compute instances delete vm-server-ips \
        --zone asia-southeast1-a

    When prompted, press Y to confirm, and then press Enter.

Delete the VPC network and its subnets

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. In the Name column, click vpc-ips.

  3. Click Delete VPC network.

  4. In the Delete a network dialog, click Delete.

When you delete a VPC, its subnets are also deleted.

gcloud

  1. To delete the subnet subnet-ips-client of the vpc-ips VPC network, run the following command:

    gcloud compute networks subnets delete subnet-ips-client \
        --region us-central1

    When prompted, press Y to confirm, and then press Enter.

  2. To delete the subnet subnet-ips-server of the vpc-ips VPC network, run the following command:

    gcloud compute networks subnets delete subnet-ips-server \
        --region asia-southeast1

    When prompted, press Y to confirm, and then press Enter.

  3. To delete the vpc-ips VPC network, run the following command:

    gcloud compute networks delete vpc-ips

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-16 UTC.