TLS Inspection Policy

Docs > DDSQL Reference > Data Directory > TLS Inspection Policy

A TLS Inspection Policy in Google Cloud defines how encrypted traffic is inspected by security services such as firewalls or load balancers. It manages the decryption and re-encryption of TLS traffic, allowing security tools to analyze data while maintaining privacy and compliance. This policy specifies certificates, keys, and inspection rules to ensure secure handling of encrypted connections.

gcp.networksecurity_tls_inspection_policy

Fields

ID	Type	Data Type	Description
_key	core	string
ancestors	core	array<string>
ca_pool	core	string	Required. A CA pool resource used to issue interception certificates. The CA pool string has a relative resource path following the form "projects/{project}/locations/{location}/caPools/{ca_pool}".
create_time	core	timestamp	Output only. The timestamp when the resource was created.
custom_tls_features	core	array<string>	Optional. List of custom TLS cipher suites selected. This field is valid only if the selected tls_feature_profile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field.
datadog_display_name	core	string
description	core	string	Optional. Free-text description of the resource.
exclude_public_ca_set	core	bool	Optional. If FALSE (the default), use our default set of public CAs in addition to any CAs specified in trust_config. These public CAs are currently based on the Mozilla Root Program and are subject to change over time. If TRUE, do not accept our default set of public CAs. Only CAs specified in trust_config will be accepted. This defaults to FALSE (use public CAs in addition to trust_config) for backwards compatibility, but trusting public root CAs is not recommended unless the traffic in question is outbound to public web servers. When possible, prefer setting this to "false" and explicitly specifying trusted CAs and certificates in a TrustConfig. Note that Secure Web Proxy does not yet honor this field.
labels	core	array<string>
min_tls_version	core	string	Optional. Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
name	core	string	Required. Name of the resource. Name is of the form projects/{project}/locations/{location}/tlsInspectionPolicies/{tls_inspection_policy} tls_inspection_policy should match the pattern:(^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$).
organization_id	core	string
parent	core	string
project_id	core	string
project_number	core	string
region_id	core	string
resource_name	core	string
tags	core	hstore_csv
tls_feature_profile	core	string	Optional. The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers ("PROFILE_COMPATIBLE"). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
trust_config	core	string	Optional. A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form "projects/{project}/locations/{location}/trustConfigs/{trust_config}". This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Note that Secure Web Proxy does not yet honor this field.
update_time	core	timestamp	Output only. The timestamp when the resource was updated.
zone_id	core	string