This guide describes the known limitations of Cloud SWG.
Regional HTTP(S) load balancer limitation
Regional internal and external HTTP(S) load balancers can't be provisioned in the same network and region as Cloud SWG.
Cloud NAT limitations
Each Cloud SWG instance requires a Cloud NAT gateway that is enabled only for the Cloud SWG endpoints in that region. The first Cloud SWG provisioned in a Virtual Private Cloud (VPC) network region also provisions a Cloud NAT gateway. The Cloud NAT gateway enables egress for all Cloud SWG gateways in that virtual network and region.
Regional and network limitations on identities
Service account and secure tag identity information is accessible only from VMs within the same region and network as the provisioned Cloud SWG instance. Client identity information is also not accessible across VPC Network Peering, even within the same project.
Only IPv4 is supported
Cloud SWG supports IPv4 only; IPv6 is not supported.
Internal IP addresses are regional
Cloud SWG allocates virtual IP addresses within a region, and those addresses are reachable only in the region in which they are assigned. Cloud SWG gateways are likewise provisioned in a region within a VPC network. As a result, the IPv4 address for a gateway must be allocated from a subnet in the same region as that gateway.
The following describes how Cloud SWG allocates IP addresses:
- If an unreserved IP address is specified during provisioning, then that IP address is used.
- If an IP address isn't specified but a subnet and network are specified, then an IP address is automatically allocated within the specified subnet.
- If an IP address, subnet, and network aren't specified, then an IP address is automatically allocated within the default subnet of the default network.
IP provisioning fails if none of the preceding conditions is met.
The IP addresses allocated by Cloud SWG are virtual IPs and are assigned to a group of proxies distributed across multiple cells within a region. Cloud SWG acts as an explicit proxy server, which requires clients to have connectivity to the virtual IP address to pass egress HTTP(S) traffic. Clients that have connectivity to the virtual IP address can access Cloud SWG through the following methods:
- VPC Network Peering
- Shared VPC
- On-premises by using Cloud VPN or Cloud Interconnect
TLS encrypted traffic and HTTPS
Security policies have reduced access to request attributes for traffic that is encrypted with TLS end to end between the client and the destination. This end-to-end encryption is distinct from the optional TLS between the client and the Cloud SWG proxy.
Source information and the destination host are available for such traffic. However, the path, HTTP method, and headers are not. As a result, a rule that uses those request attributes in a security policy matches HTTP traffic but not HTTPS traffic.
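The effect described above, as an added example that is not part of this guide: a small model of policy evaluation at an explicit proxy, where end-to-end TLS hides path, method, and headers from the rule engine. The attribute names, the rule format, and the sample requests are this example's own assumptions, not the product's policy language.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProxiedRequest:
    """One client request as seen by an explicit proxy (constructed sample shape)."""
    scheme: str                      # "http" or "https" (end-to-end TLS)
    source_ip: str
    host: str
    path: Optional[str] = None
    method: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)


def visible_attributes(req: ProxiedRequest) -> Dict[str, object]:
    """Attributes a policy rule can evaluate for this request.

    Source information and the destination host are always available.
    For end-to-end TLS the proxy only sees the tunnel to the host, so
    path, method and headers are absent from the result (not just empty).
    """
    attrs: Dict[str, object] = {"source_ip": req.source_ip, "host": req.host}
    if req.scheme == "http":
        attrs.update(path=req.path, method=req.method, headers=req.headers)
    return attrs


def rule_matches(attrs: Dict[str, object], rule: Dict[str, object]) -> bool:
    """Every condition must name a visible attribute and equal its value."""
    return all(name in attrs and attrs[name] == want for name, want in rule.items())


def decide(req: ProxiedRequest, allow_rules: List[Dict[str, object]]) -> str:
    """Default-deny: the request is allowed only if some allow rule matches."""
    attrs = visible_attributes(req)
    return "ALLOW" if any(rule_matches(attrs, r) for r in allow_rules) else "DENY"


# Hypothetical allow rules; attribute names are this example's, not the product's.
ALLOW_RULES: List[Dict[str, object]] = [
    {"host": "www.example.com", "path": "/public"},   # path-scoped rule
    {"host": "updates.example.com"},                  # host-only rule
]

if __name__ == "__main__":
    plain = ProxiedRequest("http", "10.0.1.5", "www.example.com", "/public", "GET")
    tls = ProxiedRequest("https", "10.0.1.5", "www.example.com", "/public", "GET")
    updates = ProxiedRequest("https", "10.0.1.5", "updates.example.com")
    for r in (plain, tls, updates):
        print(r.scheme, r.host, decide(r, ALLOW_RULES))
```

The same path-scoped rule allows the HTTP request but never matches the HTTPS request to the same host and path, so a rule that is meant to cover HTTPS destinations must be expressible on the host and source attributes alone.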