This document shows you how to assign your own enterprise IP addresses, or static Google Cloud IP addresses, that Secure Web Proxy uses for egress traffic.
Before you begin
Complete the initial setup steps.
Ensure that you have a list of static IPv4 addresses reserved to use for Secure Web Proxy. If you want to reserve IP addresses in Google Cloud, see the
gcloud compute addresses createcommand to create an address resource.Verify that you have the Google Cloud CLI version 406.0.0 or later installed:
gcloud version | head -n1If you have an earlier gcloud CLI version installed, update the version:
gcloud components update --version=406.0.0
Enable static IP addresses for Secure Web Proxy
Do the following:
Identify the Cloud Router name assigned during Secure Web Proxy provisioning:
gcloud compute routers list \ --region REGION \ --filter="network:(NETWORK_NAME) AND name:(swg-autogen-router-*)" \ --format="get(name)"Replace the following:
REGION: the region that the Cloud Router is deployed for Secure Web ProxyNETWORK_NAME: the name of your VPC network
The output is similar to the following:
swg-autogen-router-1List the external automatically provisioned IP addresses assigned during Secure Web Proxy provisioning:
gcloud compute routers get-status ROUTER_NAME \ --region=REGIONThe output is similar to the following:
kind: compute#routerStatusResponse result: natStatus: - autoAllocatedNatIps: - 34.144.80.46 - 34.144.83.75 - 34.144.88.111 - 34.144.94.113 minExtraNatIpsNeeded: 0 name: swg-autogen-nat numVmEndpointsWithNatMappings: 3 network: https://www.googleapis.com/compute/projects/PROJECT_NAME/global/networks/NETWORK_NAMEUpdate the Cloud NAT gateway to use your predefined IP range:
gcloud compute routers nats update swg-autogen-nat \ --router=ROUTER_NAME \ --nat-external-ip-pool=IPv4_ADDRESSES... \ --region=REGIONReplace
IPv4_ADDRESSESwith the name of the external IPv4 address resource that you intend to use, separated by a comma (,).Verify that your IP range is assigned to the Cloud NAT gateway:
gcloud compute routers nats describe swg-autogen-nat \ --router=ROUTER_NAME \ --region=REGIONThe output is similar to the following:
enableEndpointIndependentMapping: false icmpIdleTimeoutSec: 30 logConfig: enable: false filter: ALL name: swg-autogen-nat natIpAllocateOption: MANUAL_ONLY natIps: - https://www.googleapis.com/compute/projects/PROJECT_NAME/regions/REGION/addresses/ADDRESS sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGESUpdate the Cloud NAT gateway to use Dynamic Port Allocation (DPA) mode. DPA mode allows Secure Web Proxy to fully use the assigned IP addresses.
gcloud compute routers nats update swg-autogen-nat \ --router=ROUTER_NAME \ --min-ports-per-vm=2048 \ --max-ports-per-vm=4096 \ --enable-dynamic-port-allocation \ --region=REGIONFor
--min-ports-per-vmand--max-ports-per-vmflags, we recommend that you use values2048and4096, respectively.Use Metrics Explorer to monitor metrics data for the following and adjust DPA minimum and maximum values as needed:
Cloud NAT Gateway - Port usageCloud NAT Gateway - New connection countCloud NAT Gateway - Open connections
Verify that your DPA is enabled and the minimum and maximum port values are set:
gcloud compute routers nats describe swg-autogen-nat \ --router=ROUTER_NAME \ --region=REGIONThe output is similar to the following:
enableDynamicPortAllocation: true enableEndpointIndependentMapping: false endpointTypes: - ENDPOINT_TYPE_SWG logConfig: enable: true filter: ERRORS_ONLY maxPortsPerVm: 4096 minPortsPerVm: 2048 name: swg-autogen-nat natIpAllocateOption: MANUAL_ONLY natIps: - https://www.googleapis.com/compute/projects/PROJECT_NAME/regions/REGION/addresses/ADDRESS sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES type: PUBLIC