Use a URL list to create policies


This guide shows how to use URL lists to define URLs that your users can access.

Before you begin

  • Complete the initial setup steps.

  • Verify that you have the Google Cloud CLI version 406.0.0 or later installed:

    gcloud version | head -n1
    

    If you have an earlier gcloud CLI version installed, update the version:

    gcloud components update --version=406.0.0
    

Create a Cloud SWG gateway with an empty policy

  1. To create an empty Cloud SWG security policy, do the following:

    1. Use your preferred text editor to create a POLICY_FILE.yaml file. Replace POLICY_FILE with the filename that you want for the policy file.

    2. Add the following to the YAML file that you created:

      name: projects/PROJECT_NAME/locations/REGION/gatewaySecurityPolicies/POLICY_NAME
      description: POLICY_DESCRIPTION
      

      Replace the following:

      • PROJECT_NAME: the name of your project
      • REGION: the region that this policy applies to
      • POLICY_NAME: the name of the policy that you're creating
      • POLICY_DESCRIPTION: the description of the policy that you're creating
    3. Import the Cloud SWG gateway security policy:

      gcloud alpha network-security gateway-security-policies import POLICY_NAME \
         --source=POLICY_FILE.yaml \
         --location=REGION
      
  2. To create a Cloud SWG gateway, do the following:

    1. Use your preferred text editor to create a GATEWAY.yaml file:

      name: projects/PROJECT_NAME/locations/REGION/gateways/GATEWAY_NAME
      type: SECURE_WEB_GATEWAY
      ports: [GATEWAY_PORT_NUMBERS]
      certificateUrls: [CERTIFICATE_URLS]
      securityPolicy: projects/PROJECT_NAME/locations/REGION/gatewaySecurityPolicies/POLICY_NAME
      network: projects/PROJECT_NAME/global/networks/NETWORK_NAME
      subnetwork: projects/PROJECT_NAME/regions/REGION/subnetworks/SUBNET_NAME
      addresses: [GATEWAY_IP_ADDRESS]
      scope: samplescope
      

      Replace the following:

      • GATEWAY_NAME: the name for this gateway
      • GATEWAY_PORT_NUMBERS: a list of port numbers for this gateway such as [80,443]
      • CERTIFICATE_URLS: a list of SSL certificate URLs
      • SUBNET_NAME: the name of the subnet that contains GATEWAY_IP_ADDRESS

      • GATEWAY_IP_ADDRESS: an optional list of IP addresses for your Cloud SWG gateways within the proxy subnets previously created in the initial setup steps

        If you choose not to list gateway addresses, omit the field to have Cloud SWG choose an IP address for you.

    2. Create a Cloud SWG gateway:

      gcloud alpha network-services gateways import GATEWAY_NAME \
          --source=GATEWAY.yaml \
          --location=REGION
      
  3. To test connectivity, use the curl command from any VM within your Virtual Private Cloud (VPC) network:

    curl -x https://GATEWAY_IP_ADDRESS:PORT_NUMBER https://www.example.com
    

    A 403 Forbidden error is expected.

Create a URL list

  1. Use your preferred text editor to create a URL_LIST_FILE.yaml file. Replace URL_LIST_FILE with the filename that you want.

    name: projects/PROJECT_ID/locations/REGION/urlLists/URL_LIST_NAME
    values: URL_LIST
    

    Replace the following:

    • PROJECT_ID: your project number
    • REGION: the region this URL list applies to
    • URL_LIST_NAME: a name for the URL list that you're creating
    • URL_LIST: the list of hosts, URLs, or patterns to match

      For more information, see UrlList syntax reference.

    The following is an example URL list file:

    name: projects/PROJECT_ID/locations/REGION/urlLists/example-org-allowed-list
    values:
      - www.example.com
      - about.example.com
      - *.google.com
      - github.com/example-org/*
    
  2. Add the URL list so that it can be referenced by a Cloud SWG rule:

    gcloud alpha network-security url-lists import URL_LIST_NAME \
      --location=REGION \
      --project=PROJECT_ID \
      --source=URL_LIST_FILE.yaml
    
  3. Use your preferred text editor to create a RULE_FILE.yaml file. Replace RULE_FILE with your desired filename.

    name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/POLICY_NAME/rules/RULE_NAME
    basicProfile: ALLOW
    enabled: true
    priority: PRIORITY_VALUE
    description: RULE_DESCRIPTION
    sessionMatcher: SESSION_CEL_EXPRESSION
    applicationMatcher: APPLICATION_CEL_EXPRESSION
    

    Replace the following:

    • POLICY_NAME: the name of an existing GatewaySecurityPolicy used by your gateway
    • RULE_NAME: a name for the GatewaySecurityPolicyRule that you're creating
    • PRIORITY_VALUE: a priority value for this rule; lower numbers correspond to higher priorities
    • RULE_DESCRIPTION: a description for the rule that you're creating
    • SESSION_CEL_EXPRESSION: a Common Expression Language (CEL) expression for the session

      For more information, see CEL matcher language reference.

    • APPLICATION_CEL_EXPRESSION: a Common Expression Language (CEL) expression for the application

    The following is an example rule file:

    name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/POLICY_NAME/rules/allow-repos
    basicProfile: ALLOW
    enabled: true
    priority: 100
    description: Allow access to our list of known code repos.
    sessionMatcher: "inUrlList(host(), 'projects/PROJECT_ID/locations/REGION/urlLists/URL_LIST_NAME')"
    

  4. Add a Cloud SWG rule by using the URL list that you previously created:

    gcloud alpha network-security gateway-security-policies rules import RULE_NAME \
      --location=REGION \
      --project=PROJECT_ID \
      --source=RULE_FILE.yaml \
      --parent=POLICY_NAME
    

Test connectivity

Do the following:

curl -x https://SWG_IP_ADDRESS:SWG_PORT_NUMBER HTTP_TEST_ADDRESS

Replace the following:

  • SWG_IP_ADDRESS: the IP address of your Cloud SWG instance

  • SWG_PORT_NUMBER: the port number for your Cloud SWG instance, such as 443

  • HTTP_TEST_ADDRESS: an address to test, such as https://www.example.com that matches a host or URL entry in your URL_LIST

The request should return a successful response.
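To predict which entries of your URL list a test address should match before you run the curl command, the following Python checker is an added example (not Google's code) that reads a URL list file of the shape shown above. The wildcard and path semantics it applies are a simplified assumption (a leading `*.` matches subdomains but not the apex; a trailing `/*` is a path prefix), and `host_only=True` mirrors a matcher that, like the sessionMatcher example, evaluates only `host()`; the authoritative rules are in the UrlList syntax reference.

```python
from urllib.parse import urlsplit

# Constructed copy of the example URL list file above (placeholder project).
URL_LIST_YAML = """\
name: projects/PROJECT_ID/locations/REGION/urlLists/example-org-allowed-list
values:
  - www.example.com
  - about.example.com
  - *.google.com
  - github.com/example-org/*
"""

def parse_url_list(text):
    """Read the entries under 'values:' from a UrlList file of the shape above.
    This is a minimal reader for that exact shape, not a general YAML parser."""
    entries, in_values = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "values:":
            in_values = True
        elif in_values and stripped.startswith("- "):
            entries.append(stripped[2:].strip())
        elif in_values and stripped and not line.startswith(" "):
            in_values = False  # left the indented values block
    return entries

def entry_matches(entry, host, path=None):
    """Assumed semantics: the host part matches exactly, or '*.' matches any
    subdomain (not the apex); a path part is a prefix match ending in '*' and
    can only be satisfied when a path is available for evaluation."""
    e_host, _, e_path = entry.partition("/")
    if e_host.startswith("*."):
        if not host.endswith(e_host[1:]):  # requires the '.google.com' suffix
            return False
    elif host != e_host:
        return False
    if not e_path:
        return True
    if path is None:
        return False  # host-only evaluation cannot satisfy a path entry
    if e_path.endswith("*"):
        return path.startswith("/" + e_path[:-1])
    return path == "/" + e_path

def matching_entries(entries, url, host_only=False):
    """Entries that would admit url; host_only mirrors a matcher that only
    sees host(), as in the sessionMatcher example above."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = None if host_only else (parts.path or "/")
    return [e for e in entries if entry_matches(e, host, path)]
```

An empty result for your HTTP_TEST_ADDRESS means the curl test should return 403 under these assumed semantics, so pick an address that matches a host entry.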
