Re: GKE packet mirroring to separate project

ciscoguru · 10-05-2023 12:25 PM

I'm new to GKE, but I've been a network/security person the bulk of my career. I'm trying to figure out how to get packet mirroring setup to grab traffic from my GKE project and send it to a separate project via VPC peer-link to an IDS running on a compute VM. The hang-up I seem to hit is with creating the internal load balancer. My understanding from trying to follow the documentation is that the ILB should sit in the GKE project to do the capture and then send over the peer-link. I can't find documentation on setting up the config as it relates to a GKE environment though. Any info anyone can provide would be a huge help.

VannGuce

I believe the resources that you mentioned are the right one to achieve this concern. Can you try this ConfigMap if this one will work to enable packet mirroring.

apiVersion: v1
kind: ConfigMap
metadata:
name: metadata-agent-config
namespace: kube-system
data:
packet-mirroring-config: '{"destinationIPRanges": ["<IDS_VM_INTERNAL_IP>"]}'

Replace <IDS_VM_INTERNAL_IP> with the internal IP address of the IDS VM.
Make sure that the firewall rules in GKE and IDS projects allow the necessary traffic.

hmouda1991f

Hi VannGuce.

Is there any documentation for the bellow configuration:

apiVersion: v1
kind: ConfigMap
metadata:
name: metadata-agent-config
namespace: kube-system
data:
packet-mirroring-config: '{"destinationIPRanges": ["<IDS_VM_INTERNAL_IP>"]}'

Thanks