Initial setup steps


This document describes the initial setup steps required to use Cloud SWG.

Before you can use Cloud SWG, complete the following setup:

  • Obtain necessary Identity and Access Management roles.
  • Create or select a Google Cloud project.
  • Enable billing and relevant Google Cloud APIs.
  • Create proxy subnets.
  • Upload an SSL certificate to Certificate Manager.

This setup is only required the first time you use Cloud SWG.

Obtain IAM roles

To obtain permissions, follow these steps:

  1. To get the permissions that you need to provision a Cloud SWG gateway instance, ask your administrator to grant you the following IAM roles on your project:

    • To configure policies and provision a Cloud SWG gateway instance: Compute Network Admin role (roles/compute.networkAdmin)
    • To upload explicit Cloud SWG TLS certificates: Certificate Manager Editor role (roles/certificatemanager.editor)

    For more information about granting roles, see Manage access.

  2. Optional: If you have a set of users responsible for ongoing policy management, grant them the Security Policy Admin role (roles/compute.orgSecurityPolicyAdmin) to let them manage security policies.

Create a Google Cloud project

To create or select a Google Cloud project, follow these steps:

Console

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Cloud Shell

  • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

    Replace PROJECT_ID with the project ID that you want.

  • Select the Cloud project that you created:

      gcloud config set project PROJECT_ID

Enable billing and APIs

To enable billing and relevant Google Cloud APIs, follow these steps:

  1. Make sure that billing is enabled for your Google Cloud project. Learn how to verify the billing status of your projects.

  2. Enable the Compute Engine API.

  3. Contact your sales representative to allowlist your project for Cloud SWG.

Create a proxy subnet

Create a proxy subnet for each region that you deploy Cloud SWG in. Create a subnet size of at least /26, or 64 proxy-only addresses. We recommend a subnet size of /23, or 512 proxy-only addresses, because Cloud SWG connectivity is provided by a pool of IP addresses reserved for Cloud SWG. This pool is used to allocate unique IP addresses on the egress side of each proxy for interaction with Cloud NAT and destinations in the VPC network.

gcloud

    gcloud compute networks subnets create PROXY_NAME \
        --purpose=REGIONAL_MANAGED_PROXY \
        --role=ACTIVE \
        --region=REGION \
        --network=NETWORK_NAME \
        --range=IP_RANGE

Replace the following:

  • PROXY_NAME: the name that you want for your proxy
  • REGION: the region to deploy the proxy subnet in
  • NETWORK_NAME: your network name
  • IP_RANGE: the subnet range, such as 192.168.0.0/23

Cloud SWG can't be provisioned in the same region as an internal HTTP(S) load balancer or a regional external HTTP(S) load balancer.
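The /26 minimum and /23 recommendation above are easy to miss when IP_RANGE comes from a variable, so the following POSIX shell helper, an added example that is not part of the Cloud SWG documentation, checks the prefix length before printing the gcloud command to run. Names such as swg-proxy, my-vpc and us-central1 are constructed placeholders; no gcloud call is made.

```shell
#!/bin/sh
# Added example (not from the Cloud SWG docs): pre-flight check of a proxy
# subnet range against the /26 minimum and /23 recommendation.

# addresses_in_range CIDR -> prints 2^(32-prefix); returns 1 on a bad prefix.
addresses_in_range() {
    prefix=${1#*/}
    case "$prefix" in
        ''|*[!0-9]*) echo 0; return 1 ;;
    esac
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || { echo 0; return 1; }
    n=1; i=$prefix
    while [ "$i" -lt 32 ]; do n=$((n * 2)); i=$((i + 1)); done
    echo "$n"
}

# check_proxy_range CIDR -> 0 if the range is at least /26 (64 addresses),
# 1 otherwise; warns on stderr when below the recommended /23 (512 addresses).
check_proxy_range() {
    range=$1
    case "$range" in
        */*) ;;
        *) echo "error: no prefix length in $range" >&2; return 1 ;;
    esac
    count=$(addresses_in_range "$range") || {
        echo "error: bad prefix length in $range" >&2; return 1; }
    if [ "$count" -lt 64 ]; then
        echo "error: $range has $count addresses; Cloud SWG needs at least /26 (64)" >&2
        return 1
    fi
    if [ "$count" -lt 512 ]; then
        echo "warning: $range has $count addresses; /23 (512) is recommended" >&2
    fi
    return 0
}

# proxy_subnet_cmd NAME REGION NETWORK CIDR -> prints the gcloud command,
# or returns 1 without printing when the range fails the check.
proxy_subnet_cmd() {
    check_proxy_range "$4" || return 1
    printf 'gcloud compute networks subnets create %s --purpose=REGIONAL_MANAGED_PROXY --role=ACTIVE --region=%s --network=%s --range=%s\n' \
        "$1" "$2" "$3" "$4"
}

# Constructed placeholder values; run the printed command only after review.
proxy_subnet_cmd swg-proxy us-central1 my-vpc 192.168.0.0/23
```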

Create and upload an SSL certificate

  1. To create an SSL certificate:

      openssl req -x509 -newkey rsa:2048 \
        -keyout KEY_PATH \
        -out CERTIFICATE_PATH -days 365 \
        -subj '/CN=SWG_HOST_NAME' -nodes -addext \
        "subjectAltName = DNS:SWG_HOST_NAME"

    Replace the following:

    • KEY_PATH: the path to save the key, such as ~/key.pem
    • CERTIFICATE_PATH: the path to save the certificate, such as ~/cert.pem
    • SWG_HOST_NAME: the hostname for your Cloud SWG instance, such as myswg.example.com

  2. To upload the SSL certificate to Certificate Manager:

      gcloud certificate-manager certificates create CERTIFICATE_NAME \
        --certificate-file=CERTIFICATE_FILE_PATH \
        --private-key-file=KEY_FILE_PATH \
        --location=REGION

    Replace the following:

    • CERTIFICATE_NAME: the name of your certificate
    • CERTIFICATE_FILE_PATH: the path to the certificate file
    • KEY_FILE_PATH: the path to the key file

    For more information about SSL certificates, see SSL certificates overview.

What's next