By default, Secure Web Proxy instances have a RoutingMode value of EXPLICIT_ROUTING_MODE, which means that you must configure your workloads to explicitly send HTTP(S) traffic to Secure Web Proxy. Instead of configuring individual clients to point to your Secure Web Proxy instance, you can set your Secure Web Proxy instance's RoutingMode to NEXT_HOP_ROUTING_MODE, which lets you define routes that direct traffic to your Secure Web Proxy instance.
This document describes how to configure next hop routing with Secure Web Proxy. It assumes that you already have a Secure Web Proxy instance with its RoutingMode set to NEXT_HOP_ROUTING_MODE. If you don't have an existing Secure Web Proxy instance, follow the instructions in the quickstart guide to create one, ensuring that you set the RoutingMode to NEXT_HOP_ROUTING_MODE.
After you have created a Secure Web Proxy, you can configure either static routing or policy-based routing for your next hop:
- Static routes direct traffic within your network to your Secure Web Proxy in the same region. To set up a static route with Secure Web Proxy as a next hop, you must configure network tags.
- Policy-based routes let you direct traffic to your Secure Web Proxy from a source IP address range. When you configure a policy-based route for the first time, you must also configure another policy-based route to be the default route.
The following sections explain how to create static routes and policy-based routes.
Create static routes
To route traffic to your Secure Web Proxy instance, you can set up a static route with the gcloud compute routes create command. You must associate the static route with a network tag, and use the same network tag on all of your source resources to help ensure that their traffic is redirected to Secure Web Proxy. Static routes don't let you define a source IP address range.
Use the following command to create a static route:
gcloud compute routes create STATIC_ROUTE_NAME \
    --network=NETWORK_NAME \
    --next-hop-ilb=SWP_IP \
    --destination-range=DESTINATION_RANGE \
    --priority=PRIORITY \
    --tags=TAGS \
    --project=PROJECT
Replace the following:
- STATIC_ROUTE_NAME: the name that you want for your static route
- NETWORK_NAME: your network name
- SWP_IP: the IP address of your Secure Web Proxy instance
- DESTINATION_RANGE: the range of IP addresses to which to redirect traffic
- PRIORITY: the priority of your route; higher numbers are lower priority
- TAGS: a comma-separated list of tags that you created for your Secure Web Proxy
- PROJECT: your project ID
Create policy-based routes
As an alternative to static routing, you can set up a policy-based route using the network-connectivity policy-based-routes create command. You also need to create a policy-based route to be the default route, which enables default routing for traffic between virtual machine (VM) instances within your network.
The priority of the route that enables default routing must be higher (numerically lower) than the priority of the policy-based route that directs traffic to the Secure Web Proxy instance. If you create the policy-based route at a higher priority than the route that enables default routing, it takes priority over all other VPC routes.
In the following example, you create a policy-based route that directs traffic to your Secure Web Proxy instance:
Use the following command to create the policy-based route:
gcloud network-connectivity policy-based-routes create POLICY_BASED_ROUTE_NAME \
    --network="projects/PROJECT/global/networks/NETWORK_NAME" \
    --next-hop-ilb-ip=SWP_IP \
    --protocol-version="IPV4" \
    --destination-range=DESTINATION_RANGE \
    --source-range=SOURCE_RANGE \
    --priority=2 \
    --project=PROJECT
Replace the following:
- POLICY_BASED_ROUTE_NAME: the name that you want for your policy-based route
- NETWORK_NAME: your network name
- SWP_IP: the IP address of your Secure Web Proxy instance
- DESTINATION_RANGE: the range of IP addresses to which to redirect traffic
- SOURCE_RANGE: the range of IP addresses from which to redirect traffic
- PROJECT: your project ID
Next, use the following steps to create the default-routing policy-based route:
Use the following command to create the default-routing policy-based route:
gcloud network-connectivity policy-based-routes create DEFAULT_POLICY_BASED_ROUTE_NAME \
    --network="projects/PROJECT/global/networks/NETWORK_NAME" \
    --next-hop-other-routes="DEFAULT_ROUTING" \
    --protocol-version="IPV4" \
    --destination-range=DESTINATION_RANGE \
    --source-range=SOURCE_RANGE \
    --priority=1 \
    --project=PROJECT
Replace the following:
- DEFAULT_POLICY_BASED_ROUTE_NAME: the name that you want for your policy-based route
- NETWORK_NAME: your network name
- DESTINATION_RANGE: the range of IP addresses to which to redirect traffic
- SOURCE_RANGE: the range of IP addresses from which to redirect traffic
- PROJECT: your project ID
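The two policy-based routes above must be created as a pair, with the default-routing route at the numerically lower priority. The following script is an added example, not part of the Secure Web Proxy documentation or the gcloud CLI: it builds both commands, refuses to run when the priorities are inverted, and prints the commands instead of executing them when SWP_DRY_RUN is set. The project, network, IP address and ranges are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Secure Web Proxy docs): create the default-routing
# PBR and the PBR that sends traffic to Secure Web Proxy as one guarded step.
# All values used below (project, network, SWP IP, ranges) are constructed.

# Returns 0 only when the default route has a numerically lower (higher
# precedence) priority than the route that points at Secure Web Proxy.
check_pbr_priorities() {
  [ "$1" -gt 0 ] && [ "$2" -gt 0 ] && [ "$1" -lt "$2" ]
}

# Build one policy-based-routes create command. The next-hop flag is passed
# in by the caller so one builder serves both the default and the SWP route.
pbr_cmd() {
  # $1 name, $2 project, $3 network, $4 next-hop flag, $5 dest, $6 src, $7 priority
  printf 'gcloud network-connectivity policy-based-routes create %s --network="projects/%s/global/networks/%s" %s --protocol-version="IPV4" --destination-range=%s --source-range=%s --priority=%s --project=%s' \
    "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$2"
}

# Emit (or, when SWP_DRY_RUN is unset, run) both routes. Inverted priorities
# are rejected because the SWP route would then shadow default routing for
# all traffic that matches its source and destination ranges.
create_swp_pbr_pair() {
  project=$1 network=$2 swp_ip=$3 dest=$4 src=$5 default_prio=$6 swp_prio=$7
  if ! check_pbr_priorities "$default_prio" "$swp_prio"; then
    echo "error: default route priority ($default_prio) must be numerically lower than SWP route priority ($swp_prio)" >&2
    return 1
  fi
  default_cmd=$(pbr_cmd swp-default-route "$project" "$network" \
    '--next-hop-other-routes="DEFAULT_ROUTING"' "$dest" "$src" "$default_prio")
  swp_cmd=$(pbr_cmd swp-next-hop-route "$project" "$network" \
    "--next-hop-ilb-ip=$swp_ip" "$dest" "$src" "$swp_prio")
  if [ -n "${SWP_DRY_RUN:-}" ]; then
    printf '%s\n%s\n' "$default_cmd" "$swp_cmd"
  else
    eval "$default_cmd" && eval "$swp_cmd"
  fi
}

# Constructed sample run: dry-run mode only prints the two gcloud commands.
SWP_DRY_RUN=1
create_swp_pbr_pair example-project example-vpc 10.0.0.5 0.0.0.0/0 10.0.1.0/24 1 2
```

Unset SWP_DRY_RUN to have the script execute the commands against a project where the gcloud CLI is already authenticated.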
Limitations
- Secure Web Proxy as next hop only functions with rules that have TLS inspection enabled. Rules without TLS inspection can't be used with Secure Web Proxy instances in NEXT_HOP_ROUTING_MODE. For more information about TLS inspection, see TLS inspection overview.
- Secure Web Proxy instances with RoutingMode set to NEXT_HOP_ROUTING_MODE only support HTTP(S) traffic. Other types of traffic, as well as cross-region traffic, are dropped without notification.
- When you use next-hop-ilb, the limitations that apply to internal passthrough Network Load Balancers apply to next hops if the destination next hop is a Secure Web Proxy instance. For more information, see the next hops and features tables for static routes.