Initial setup steps

This document describes the initial setup steps required to use Secure Web Proxy.

Before you can use Secure Web Proxy, complete the following setup:

  • Obtain necessary Identity and Access Management roles.
  • Create or select a Google Cloud project.
  • Enable billing and relevant Google Cloud APIs.
  • Create proxy subnets.
  • Upload an SSL certificate to Certificate Manager.

This setup is only required the first time you use Secure Web Proxy.

Obtain IAM roles

To obtain permissions, follow these steps:

  1. To get the permissions that you need to provision a Secure Web Proxy instance, ask your administrator to grant you the following IAM roles on your project:

    For more information about granting roles, see Manage access.

    You might also be able to get the required permissions through custom roles or other predefined roles.

  2. Optional: If you have a set of users responsible for ongoing policy management, grant them the Security Policy Admin role (roles/compute.orgSecurityPolicyAdmin) to let them manage security policies.

Create a Google Cloud project

To create or select a Google Cloud project, follow these steps:


In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Cloud Shell

  • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

    Replace PROJECT_ID with the project ID that you want.

  • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

Enable billing and APIs

To enable billing and relevant Google Cloud APIs, follow these steps:

  1. Make sure that billing is enabled for your Google Cloud project. Learn how to verify the billing status of your projects.

  2. Enable the Compute Engine API.

    Enable the API

Create a proxy subnet

Create a proxy subnet for each region that you deploy Secure Web Proxy in. Create a subnet size of at least /26, or 64 proxy-only addresses. We recommend a subnet size of /23, or 512 proxy-only addresses, because Secure Web Proxy connectivity is provided by a pool of IP addresses reserved for Secure Web Proxy. This pool is used to allocate unique IP addresses on the egress side of each proxy for interaction with Cloud NAT and destinations in the VPC network.


 gcloud compute networks subnets create PROXY_SUBNET_NAME \
    --role=ACTIVE \
    --region=REGION \
    --network=NETWORK_NAME \

Replace the following:

  • PROXY_SUBNET_NAME: the name that you want for your proxy subnet
  • REGION: the region to deploy the proxy subnet in
  • NETWORK_NAME: your network name
  • IP_RANGE: the subnet range, such as

Deploy an SSL certificate

To deploy certificates using Certificate Manager, use any of the following methods:

  1. To create an SSL certificate:

    openssl req -x509 -newkey rsa:2048 \
      -keyout KEY_PATH \
      -out CERTIFICATE_PATH -days 365 \
      -subj '/CN=SWP_HOST_NAME' -nodes -addext \

    Replace the following:

    • KEY_PATH: the path to save the key, such as ~/key.pem
    • CERTIFICATE_PATH: the path to save the certificate, such as ~/cert.pem
    • SWP_HOST_NAME: the hostname for your Secure Web Proxy instance, such as
  2. To upload the SSL certificate to Certificate Manager:

    gcloud certificate-manager certificates create CERTIFICATE_NAME \
       --certificate-file=CERTIFICATE_PATH \
       --private-key-file=KEY_PATH \

    Replace the following:

    • CERTIFICATE_NAME: the name of your certificate
    • CERTIFICATE_PATH: the path to the certificate file
    • KEY_PATH: the path to the key file

    For more information about SSL certificates, see SSL certificates overview.

What's next