Known limitations

This guide describes the known limitations of Secure Web Proxy.

Cloud NAT limitations

Each Secure Web Proxy instance requires a Cloud NAT gateway that is enabled only for the Secure Web Proxy endpoints in that region. The first Secure Web Proxy provisioned in a Virtual Private Cloud (VPC) network region also provisions a Cloud NAT gateway. The Cloud NAT gateway enables egress for all Secure Web Proxy instances in that virtual network and region.

Network limitations on identities

Client identity information is not accessible across any VPC or project boundaries.

Only IPv4 is supported

Secure Web Proxy only supports IPv4. IPv6 is not supported.

Internal IP addresses are regional

Secure Web Proxy allocates virtual IP addresses within a region. The virtual IP addresses are reachable only in the region in which they are assigned. Also, Secure Web Proxy instances are provisioned in a region within a VPC network. As a result, IPv4 addresses must be allocated from a subnet in the same region as the Secure Web Proxy instance.

The following describes how Secure Web Proxy allocates IP addresses:

  • If an unreserved IP address is specified during provisioning, then that IP address is used.
  • If an IP address isn't specified but a subnet and network are specified, then an IP address is automatically allocated within the specified subnet.
  • If an IP address, subnet, and network aren't specified, then an IP address is automatically allocated within the default subnet of the default network.

IP provisioning fails if none of the preceding conditions is met.

The IP addresses allocated by Secure Web Proxy are virtual IPs and are assigned to a group of proxies distributed across multiple cells within a region. Secure Web Proxy acts as an explicit proxy server, which requires clients to have connectivity to the virtual IP address to pass egress HTTP(S) traffic. Clients that have connectivity to the virtual IP address can access Secure Web Proxy through the following methods:

  • VPC Network Peering
  • Shared VPC
  • On-premises by using Cloud VPN or Cloud Interconnect

TLS encrypted traffic and HTTPS

Security policies have reduced access to request attributes for traffic encrypted with TLS between the client and the destination. This encryption is distinct from the optional TLS between the client and Secure Web Proxy.

Source information and the destination host are available. However, the path, HTTP method, and headers are not. As a result, using request attributes in a GatewaySecurityPolicyRule ApplicationMatcher implicitly restricts the rule to matching HTTP traffic; it does not match HTTPS traffic.
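As an added illustration (not part of this guide or of the Secure Web Proxy product), the following Python models what an explicit proxy can see in each case: a plain HTTP request arrives in absolute form with its method, path and headers, while an HTTPS request arrives as a CONNECT tunnel request that exposes only the destination host, so a matcher on path or method can never be satisfied. The sample requests and the matcher functions are constructed for this example.

```python
"""Why a matcher on request path/method only ever matches plain HTTP."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class VisibleAttributes:
    """What the proxy can evaluate; None means hidden by end-to-end TLS."""
    host: str
    method: Optional[str] = None
    path: Optional[str] = None
    headers: dict = field(default_factory=dict)


def attributes_seen_by_proxy(raw_request: str) -> VisibleAttributes:
    """Parse the first message a client sends to an explicit proxy."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        # HTTPS: only host:port is visible. The real request (method, path,
        # headers) travels inside the TLS tunnel, so the proxy never sees it.
        return VisibleAttributes(host=target.rsplit(":", 1)[0])
    # Plain HTTP: the absolute-form target and headers are all readable.
    headers = dict(line.split(": ", 1) for line in header_lines)
    parts = urlsplit(target)
    return VisibleAttributes(host=parts.hostname or headers.get("Host", ""),
                             method=method, path=parts.path, headers=headers)


def session_matcher_matches(attrs: VisibleAttributes, host: str) -> bool:
    """Host-based matching works for both HTTP and HTTPS sessions."""
    return attrs.host == host


def application_matcher_matches(attrs: VisibleAttributes,
                                path_prefix: str, method: str) -> bool:
    """Path/method matching fails closed when those attributes are hidden."""
    if attrs.path is None or attrs.method is None:
        return False  # HTTPS session: request attributes are not available
    return attrs.method == method and attrs.path.startswith(path_prefix)


# Constructed sample requests as a client would send them to the proxy.
HTTP_REQ = ("GET http://example.com/api/v1/users HTTP/1.1\r\n"
            "Host: example.com\r\nUser-Agent: demo\r\n\r\n")
HTTPS_REQ = "CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
```

Running both samples through the two matchers shows the asymmetry: the host matcher accepts both sessions, while the path/method matcher accepts only the plain-HTTP one.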

Supported HTTP versions

HTTP versions 0.9, 1.0, 1.1, and 2.0 are supported. HTTP 3 is not supported.