Cloud SWG overview

Stay organized with collections Save and categorize content based on your preferences.

Cloud SWG is a cloud first service that provides a secure web gateway that helps you secure egress web traffic (HTTP/S). You configure your clients to explicitly use Cloud SWG as a proxy. The web requests can originate from the following sources:

  • Virtual machine (VM) instances
  • Containers
  • A serverless environment that uses a serverless connector
  • Workloads outside of Google Cloud connected by Cloud VPN or Cloud Interconnect

Cloud SWG enables flexible and granular policies based on cloud first identities and web applications.

Solutions that Cloud SWG supports

Cloud SWG supports the following solutions.

Migration to Google Cloud

Cloud SWG helps you migrate to Google Cloud while keeping your existing security policies and requirements for egress web traffic. You can avoid using third-party solutions that require using another management console or manually editing configuration files.

Access to trusted external web services

Cloud SWG lets you apply granular access policies to your egress web traffic so that you can secure your network. You create and identify workload or application identities, and then apply policies to web locations.

Monitored access to untrusted web services

You can use Cloud SWG to provide monitored access to untrusted web services. Cloud SWG identifies traffic that doesn't conform to policy and logs it to Cloud Logging (Logging). You can then monitor internet usage, discover threats to your network, and respond to threats.

Cloud SWG benefits

Cloud SWG provides the following benefits.

Operational time savings

Cloud SWG doesn't have VMs to set up and configure, doesn't require software updates to maintain security, and offers elastic scaling. After initial policy configuration, a regional Cloud SWG instance works out of the box. Cloud SWG provides tools to simplify setup, testing, and deployment so that you can focus on other tasks.

Flexible deployment

Cloud SWG supports simple and flexible deployments. Cloud SWG instances, Cloud SWG policies, and URL lists are all modular objects that can be created or reused by distinct administrators. For example, you can deploy multiple Cloud SWG instances that all use the same Cloud SWG policy.

Improved security

Default Cloud SWG configurations and policies are deny-all by default. Furthermore, Google Cloud automatically updates Cloud SWG software and infrastructure, reducing the risk of a security vulnerability.

Supported features

Cloud SWG supports the following features:

  • Explicit proxy service: Clients are explicitly configured to use the proxy server. The Cloud SWG proxy isolates clients from the internet by creating new TCP connections on the client's behalf.

  • Autoscaling Cloud SWG Envoy proxies: Supports automatically adjusting the Envoy proxy pool size and the pool's capacity in a region, which enables consistent performance during high-demand periods at the lowest cost.

  • Modular egress access policies: Cloud SWG specifically supports the following egress policies:

    • Source-identity based on secure tags, service accounts, or IP addresses.
    • Destinations based on URLs, hostnames.
    • Requests based on methods, headers, or URLs. URLs can be specified by using lists, wildcards, or patterns.
  • End-to-end encryption: Client-proxy tunnels might transit over TLS. Cloud SWG also supports HTTP/S CONNECT for client-initiated, end-to-end TLS connections to the destination server.

  • Simplified Cloud NAT integration: Cloud NAT automatically provisions additional public IP addresses when the set of proxies that serve Cloud SWG traffic increases.

  • Cloud Audit Logs and Google Cloud's operations suite integration: Cloud Audit Logs and Google Cloud's operations suite record administrative activities and access requests for Cloud SWG-related resources. They also record metrics and transaction logs for requests handled by the proxy.

Additional Google Cloud tools to consider

Google Cloud provides the following tools for your Google Cloud deployments:

  • Use Google Cloud Armor to protect Google Cloud deployments from multiple threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).

  • Specify VPC firewall rules to secure connections to or from your VM instances.

  • Implement VPC Service Controls to prevent data exfiltration from Google Cloud services, such as Cloud Storage and BigQuery.

  • Use Cloud NAT to enable unsecured outbound internet connectivity for certain Google Cloud resources without an external IP address.

Sign up to use Cloud SWG

Ready to use Cloud SWG? To sign up, contact your sales representative.