To centralize your Secure Web Proxy deployment when there are multiple networks, you can add Secure Web Proxy as a Private Service Connect service attachment.
You can deploy Secure Web Proxy as a Private Service Connect service attachment as follows:
- Add Secure Web Proxy as a Private Service Connect service attachment on the producer side of a Private Service Connect connection.
- Create a Private Service Connect consumer endpoint in each VPC network that needs to be connected to the Private Service Connect service attachment.
- Point your workload egress traffic to the centralized Secure Web Proxy within the region and apply policies to this traffic.
Deploy Secure Web Proxy as a Private Service Connect service attachment using a hub and spoke model
Console
1. Deploy Secure Web Proxy as a service attachment in the central (hub) Virtual Private Cloud (VPC) network.
   For more information, see Publish services by using Private Service Connect.
2. Point the source workload to the Secure Web Proxy by creating a Private Service Connect endpoint in the VPC network that contains the workload.
   For more information, see Create an endpoint.
3. Create a policy with a rule that allows traffic from the workload (identified by its source IP address) to a particular destination (for example, example.com).
4. Create a policy with a rule that blocks traffic from the workload (identified by its source IP address) to a particular destination (for example, altostrat.com).
   For more information, see Create a Secure Web Proxy policy.
gcloud
1. Deploy Secure Web Proxy as a service attachment in the central (hub) VPC network.
   gcloud compute service-attachments create SERVICE_ATTACHMENT_NAME \
       --target-service=SWP_INSTANCE \
       --connection-preference ACCEPT_AUTOMATIC \
       --nat-subnets NAT_SUBNET_NAME \
       --region REGION \
       --project PROJECT
   Replace the following:
   - SERVICE_ATTACHMENT_NAME: the name of the service attachment
   - SWP_INSTANCE: the URL of the Secure Web Proxy instance (the forwarding rule that the service attachment targets)
   - NAT_SUBNET_NAME: the name of the NAT subnet used for the Private Service Connect connection
   - REGION: the region of the Secure Web Proxy deployment
   - PROJECT: the project of the deployment
2. Create a Private Service Connect endpoint in the VPC network that contains the workload.
   gcloud compute forwarding-rules create ENDPOINT_NAME \
       --region REGION \
       --target-service-attachment=SERVICE_ATTACHMENT_NAME \
       --project PROJECT \
       --network NETWORK \
       --subnet SUBNET \
       --address=ADDRESS
   Replace the following:
   - ENDPOINT_NAME: the name of the Private Service Connect endpoint
   - REGION: the region of the Secure Web Proxy deployment
   - SERVICE_ATTACHMENT_NAME: the name of the service attachment created in the previous step
   - PROJECT: the project of the deployment
   - NETWORK: the VPC network in which the endpoint is created
   - SUBNET: the subnet of the deployment
   - ADDRESS: the IP address of the endpoint (the address that workloads use as their proxy)
3. Point the workload to the Secure Web Proxy by setting a proxy variable to the endpoint address.
4. Create a policy with a rule that allows traffic from the workload (identified by its source IP address) to a particular destination (for example, example.com).
5. Create a policy with a rule that blocks traffic from the workload (identified by its source IP address) to a particular destination (for example, altostrat.com).
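The last three gcloud steps, carried through as an added example that is not part of the original page or of the Google Cloud documentation: the script exports proxy variables that point a workload at the consumer endpoint address, keeps the metadata server off the proxy path, and creates one ALLOW and one DENY rule in a Secure Web Proxy gateway security policy, each scoped to the workload's source range and to a destination host. The endpoint address, region, project, policy name and workload CIDR are assumed placeholders; the policy itself is assumed to exist already. DRY_RUN=1 (the default here) prints the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example: point a workload at a centralized Secure Web Proxy reached through
# a Private Service Connect endpoint, then add the allow/deny rules from the steps.
# All values below are assumed placeholders, not values from the page.

: "${DRY_RUN:=1}"                   # 1 = print gcloud commands, 0 = execute them
: "${ENDPOINT_IP:=10.1.2.3}"        # assumed: --address of the consumer endpoint
: "${REGION:=us-central1}"          # assumed region of the Secure Web Proxy
: "${PROJECT:=example-project}"     # assumed project ID
: "${POLICY_NAME:=swp-hub-policy}"  # assumed existing gateway security policy
: "${WORKLOAD_CIDR:=10.20.0.0/24}"  # assumed source range of the workload

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Secure Web Proxy listens on port 443; clients address it with a plain http://
# proxy URL and tunnel HTTPS to the destination through CONNECT.
swp_proxy_url() {
  printf 'http://%s:443' "$1"
}

# Export the proxy variables most tools honour. The metadata server and loopback
# are excluded so instance credentials and local services never transit the proxy.
configure_proxy_env() {
  url=$(swp_proxy_url "$ENDPOINT_IP")
  export http_proxy="$url" https_proxy="$url" HTTP_PROXY="$url" HTTPS_PROXY="$url"
  export no_proxy="169.254.169.254,metadata.google.internal,localhost,127.0.0.1"
  export NO_PROXY="$no_proxy"
}

# Create one rule: the lowest priority number wins, and the session matcher
# requires both the workload's source range and the destination host.
create_rule() {
  name=$1 profile=$2 priority=$3 host=$4
  run gcloud network-security gateway-security-policies rules create "$name" \
    --gateway-security-policy="$POLICY_NAME" \
    --location="$REGION" \
    --project="$PROJECT" \
    --priority="$priority" \
    --session-matcher="inIpRange(source.ip, '$WORKLOAD_CIDR') && host() == '$host'" \
    --basic-profile="$profile" \
    --enabled
}

# Return the HTTP status the proxy gives for a destination: 2xx for an allowed
# host, a 4xx error from the proxy for a denied one. Needs network access.
swp_check() {
  curl -s -o /dev/null -w '%{http_code}' \
    -x "$(swp_proxy_url "$ENDPOINT_IP")" "https://$1/"
}

configure_proxy_env
create_rule allow-example-com ALLOW 1 example.com
create_rule deny-altostrat-com DENY 2 altostrat.com
```

Run it once with DRY_RUN=1 to review the two `rules create` commands, then with DRY_RUN=0 on a host that has gcloud credentials; afterwards `swp_check example.com` and `swp_check altostrat.com` from the workload confirm that the allow and deny decisions are taken at the hub proxy rather than on the workload itself.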
What's next?
- Configure TLS inspection
- Use tags to create policies
- Assign static IP addresses for egress traffic
- Additional considerations for Private Service Connect service attachment mode