Whether you choose to deploy Secure Web Proxy using the explicit proxy mode or as a Private Service Connect service attachment, note the following additional considerations.
Allocate an internal IP address for Secure Web Proxy
Secure Web Proxy allocates only regional virtual IP addresses. These IP addresses are available only in the assigned region. Secure Web Proxy instances are provisioned in a region within a Virtual Private Cloud (VPC) network.
Assign an internal IP address to the Secure Web Proxy instance in one of the following ways:
- Specify the address in the Address field while provisioning the Secure Web Proxy instance.
- If no address is specified, Secure Web Proxy automatically allocates one IP address from the subnet you provide while provisioning.
- If address and subnet are not specified, Secure Web Proxy automatically allocates an address from the default network within the chosen VPC network.
Configure identity-based policy enforcement for Secure Web Proxy
Secure Web Proxy uses cloud-native identity information for policy enforcement when virtual machine (VM) instances within the same VPC initiate connections. When you configure Secure Web Proxy as a service attachment across VPC networks, the following identity types are supported for policy enforcement:
- Service accounts: Non-human accounts used for service access must be authenticated and authorized to connect to Secure Web Proxy.
- Secure tags: These key-value pairs, scoped to specific VPC networks, can be attached to various entities like organizations, folders, or projects. Secure Web Proxy policies can use secure tags marked with the GCE_FIREWALL purpose, retrieving them using their permanent ID (for example, tagValues/567890123456).
Configure Cloud NAT for Secure Web Proxy
Use Cloud NAT configurations for Secure Web Proxy deployments.
Standard configuration
- Secure Web Proxy infrastructure utilizes a pool of autoscaling proxies.
- Each proxy uses one or more public IPv4 addresses obtained from Cloud NAT.
- Cloud NAT automatically scales and assigns additional public IP addresses as the number of proxy instances serving Secure Web Proxy traffic changes.
This dynamic solution allows seamless traffic bursts without the need for manual infrastructure adjustments.
Custom IP address allocation
While auto scaling Cloud NAT is the standard, certain scenarios can require assigning a specific set of public IP addresses to Secure Web Proxy.
If specific IP addresses are shared with vendors for firewall allow policies, assigning a custom range helps ensure continued access. You can modify the provisioned Cloud NAT gateway and specify a range of public IP addresses.