Assign static IP addresses for egress traffic


This document shows you how to assign your own enterprise IP addresses, or static Google Cloud IP addresses, that Cloud SWG uses for egress traffic.

Before you begin

  • Complete the initial setup steps.

  • Ensure that you have a list of static IPv4 addresses reserved to use for Cloud SWG. If you want to reserve IP addresses in Google Cloud, see the gcloud compute addresses create command to create an address resource.

  • Verify that you have the Google Cloud CLI version 406.0.0 or later installed:

    gcloud version | head -n1
    

    If you have an earlier gcloud CLI version installed, update the version:

    gcloud components update --version=406.0.0
    

Enable static IP addresses for Cloud SWG

Do the following:

  1. Identify the Cloud Router name assigned during Cloud SWG provisioning:

    gcloud compute routers list \
      --regions REGION_NAME \
      --filter="network:(NETWORK_NAME) AND name:(swg-autogen-router-*)" \
      --format="get(name)"
    

    Replace the following:

    • REGION_NAME: the region in which the Cloud Router for Cloud SWG is deployed
    • NETWORK_NAME: the name of your VPC network

    The output is similar to the following:

    swg-autogen-router-1
    
  2. List the external auto-provisioned IP addresses assigned during Cloud SWG provisioning:

    gcloud compute routers get-status ROUTER_NAME  \
      --region=REGION
    

    The output is similar to the following:

    kind: compute#routerStatusResponse
    result:
      natStatus:
      - autoAllocatedNatIps:
        - 34.144.80.46
        - 34.144.83.75
        - 34.144.88.111
        - 34.144.94.113
        minExtraNatIpsNeeded: 0
        name: swg-autogen-nat
        numVmEndpointsWithNatMappings: 3
      network: https://www.googleapis.com/compute/beta/projects/PROJECT_NAME/global/networks/NETWORK_NAME
    
  3. Update the Cloud NAT gateway to use your predefined IP range:

    gcloud compute routers nats update swg-autogen-nat  \
        --router=ROUTER_NAME \
        --nat-external-ip-pool=IPv4_ADDRESSES... \
        --region=REGION
    

    Replace IPv4_ADDRESSES with the external IPv4 addresses that you intend to use, separated by a comma (,).

    The fixed set of IP addresses that you assign for Cloud SWG can't be autoscaled. When you provide a list of external IP addresses for Cloud NAT, ensure that enough IP addresses are assigned to handle the traffic that Cloud SWG processes. We recommend a minimum of five IP addresses.

    If you expect a significant traffic volume, such as more than 10k queries per second, we recommend that you start with an auto-assigned configuration under a maximum-utilization workload. You can then monitor the autoscaled IP address count and use it as a reference for manually configuring your egress IP addresses.

  4. Verify that your IP range is assigned to the Cloud NAT gateway:

    gcloud compute routers nats describe swg-autogen-nat \
      --router=ROUTER_NAME  \
      --region=REGION
    

    The output is similar to the following:

    enableEndpointIndependentMapping: false
    icmpIdleTimeoutSec: 30
    logConfig:
      enable: false
      filter: ALL
    name: swg-autogen-nat
    natIpAllocateOption: MANUAL_ONLY
    natIps:
    - https://www.googleapis.com/compute/beta/projects/PROJECT_NAME/regions/REGION/addresses/ADDRESS
    sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
    
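    As an added example that is not part of this document, the following POSIX shell script checks the describe output from step 4 for the properties the procedure is meant to establish: MANUAL_ONLY allocation, the recommended minimum of five addresses, and the presence of the address names you passed to --nat-external-ip-pool. The sample output, project, region and address names are constructed and hypothetical.

```shell
#!/bin/sh
# Added example (not from the Google Cloud docs): sanity-check step 4's describe
# output for MANUAL_ONLY allocation and an adequately sized static pool.
# Constructed sample output; project, region and address names are hypothetical.
SAMPLE_DESCRIBE_OUTPUT='name: swg-autogen-nat
natIpAllocateOption: MANUAL_ONLY
natIps:
- https://www.googleapis.com/compute/beta/projects/example-project/regions/us-central1/addresses/swg-egress-1
- https://www.googleapis.com/compute/beta/projects/example-project/regions/us-central1/addresses/swg-egress-2
- https://www.googleapis.com/compute/beta/projects/example-project/regions/us-central1/addresses/swg-egress-3
- https://www.googleapis.com/compute/beta/projects/example-project/regions/us-central1/addresses/swg-egress-4
- https://www.googleapis.com/compute/beta/projects/example-project/regions/us-central1/addresses/swg-egress-5
sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES'
# nat_ip_names OUTPUT: print the resource name (last URL segment) of each natIps entry.
nat_ip_names() {
  printf '%s\n' "$1" | awk '
    /^natIps:/      { inlist = 1; next }
    inlist && /^- / { sub(/^- .*\//, ""); print; next }
    inlist          { inlist = 0 }'
}
# check_nat_config OUTPUT MIN_IPS [NAME...]: return 0 only if allocation is
# MANUAL_ONLY, at least MIN_IPS addresses are listed, and every NAME given
# (as passed to --nat-external-ip-pool) appears in the pool.
check_nat_config() {
  output=$1; min_ips=$2; shift 2; status=0
  alloc=$(printf '%s\n' "$output" | awk -F': ' '$1 == "natIpAllocateOption" { print $2 }')
  if [ "$alloc" = "MANUAL_ONLY" ]; then
    echo "OK: natIpAllocateOption is MANUAL_ONLY"
  else
    echo "FAIL: natIpAllocateOption is '${alloc:-unset}'; static pool not applied"; status=1
  fi
  count=$(nat_ip_names "$output" | awk 'END { print NR }')
  if [ "$count" -ge "$min_ips" ]; then
    echo "OK: $count static egress addresses (minimum $min_ips)"
  else
    echo "FAIL: $count static egress addresses; at least $min_ips recommended"; status=1
  fi
  for name in "$@"; do
    if nat_ip_names "$output" | grep -qx "$name"; then
      echo "OK: pool contains $name"
    else
      echo "FAIL: pool is missing $name"; status=1
    fi
  done
  return $status
}
# Live use: replace the sample with "$(gcloud compute routers nats describe swg-autogen-nat --router=ROUTER_NAME --region=REGION)".
check_nat_config "$SAMPLE_DESCRIBE_OUTPUT" 5 swg-egress-1 swg-egress-5
```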

What's next?