Deploy Secure Web Proxy as next hop

By default, SecureWebProxy instances have a RoutingMode value of EXPLICIT_ROUTING_MODE, which means that you must configure your workloads to explicitly send HTTP(S) traffic to Secure Web Proxy. Instead of configuring individual clients to point to your Secure Web Proxy instance, you can set your Secure Web Proxy instance's RoutingMode to NEXT_HOP_ROUTING_MODE, which lets you define routes that direct traffic to your Secure Web Proxy instance.

This document describes how to configure next hop routing with Secure Web Proxy. It assumes that you already have a Secure Web Proxy instance with its RoutingMode set to NEXT_HOP_ROUTING_MODE. If you don't have an existing Secure Web Proxy instance, follow the instructions in the quickstart guide to create one, ensuring that you set the RoutingMode to NEXT_HOP_ROUTING_MODE.

After you have created a Secure Web Proxy, you can configure either static routing or policy-based routing for your next hop:

  • Static routes direct traffic within your network to your Secure Web Proxy in the same region. To set up a static route with Secure Web Proxy as a next hop, you must configure network tags.
  • Policy-based routes let you direct traffic to your Secure Web Proxy from a source IP address range. When you configure a policy-based route for the first time, you must also configure another policy-based route to be the default route.

The following sections explain how to create static routes and policy-based routes.

Create static routes

To route traffic to your Secure Web Proxy instance, you can set a up static route with the gcloud compute routes create command. You must associate the static route with a network tag, and use the same network tag on all of your source resources to help ensure that their traffic is redirected to Secure Web Proxy. Static routes don't let you define a source IP address range.

gcloud

Use the following command to create a static route:

gcloud compute routes create STATIC_ROUTE_NAME \
    --network=NETWORK_NAME \
    --next-hop-ilb=SWP_IP \
    --destination-range=DESTINATION_RANGE \
    --priority=PRIORITY \
    --tags=TAGS \
    --project=PROJECT

Replace the following:

  • STATIC_ROUTE_NAME: the name that you want for your static route
  • NETWORK_NAME: your network name
  • SWP_IP: the IP address of your SecureWebProxy instance.
  • DESTINATION_RANGE: the range of IP addresses to which to redirect traffic
  • PRIORITY: the priority of your route; higher numbers are lower priority.
  • TAGS: a comma-separated list of tags that you created for your Secure Web Proxy
  • PROJECT: your project ID

Create policy-based routes

As an alternative to static routing, you can set up a policy-based route using the network-connectivity policy-based-routes create command. You also need to create a policy-based route to be the default route, which enables default routing for traffic between virtual machine (VM) instances within your network.

The priority of the route that enables default routing must be higher (numerically lower) than the priority of the policy-based route that directs traffic to the Secure Web Proxy instance. If you create the policy-based route at a higher priority than the route that enables default routing, it takes priority over all other VPC routes.

In the following example, you create a policy-based route that directs traffic to your Secure Web Proxy instance:

gcloud

Use the following command to create the policy-based route:

gcloud network-connectivity policy-based-routes create POLICY_BASED_ROUTE_NAME \
    --network="projects/PROJECT/global/networks/NETWORK_NAME" \
    --next-hop-ilb-ip=SWP_IP \
    --protocol-version="IPV4" \
    --destination-range=DESTINATION_RANGE \
    --source-range=SOURCE_RANGE \
    --priority=2 \
    --project=PROJECT

Replace the following:

  • POLICY_BASED_ROUTE_NAME: the name that you want for your policy based route
  • NETWORK_NAME: your network name
  • SWP_IP: the IP address of your Secure Web Proxy instance
  • DESTINATION_RANGE: the range of IP addresses to which to redirect traffic
  • SOURCE_RANGE: the range of IP addresses from which to redirect traffic
  • PROJECT: your project ID

Next, use the following steps to create the default-routing policy-based route:

gcloud

Use the following command to create the default-routing policy-based route:

gcloud network-connectivity policy-based-routes create DEFAULT_POLICY_BASED_ROUTE_NAME \
    --network="projects/PROJECT/global/networks/NETWORK_NAME" \
    --next-hop-other-routes="DEFAULT_ROUTING" \
    --protocol-version="IPV4" \
    --destination-range=DESTINATION_RANGE \
    --source-range=SOURCE_RANGE \
    --priority=1 \
    --project=PROJECT

Replace the following:

  • DEFAULT_POLICY_BASED_ROUTE_NAME: the name that you want for your policy-based route
  • NETWORK_NAME: your network name
  • DESTINATION_RANGE: the range of IP addresses to which to redirect traffic
  • SOURCE_RANGE: the range of IP addresses from which to redirect traffic
  • PROJECT: your project ID

Limitations

  • Secure Web Proxy as next hop only functions with rules that have TLS inspection enabled. Rules without TLS inspection can't be used with Secure Web Proxy instances in NEXT_HOP_ROUTING_MODE. For more information about TLS inspection, see TLS inspection overview.
  • SecureWebProxy instances with RoutingMode set to NEXT_HOP_ROUTING_MODE only support HTTP(S) traffic. Other types of traffic, as well as cross-region traffic, is dropped without notification.
  • When you use next-hop-ilb, the limitations that apply to internal passthrough Network Load Balancers apply to next hops if the destination next hop is a Secure Web Proxy instance. For more information, see the next hops and features tables for static routes.