Initial setup steps


This document describes the initial setup steps required to use Secure Web Proxy.

Before you can use Secure Web Proxy, complete the following setup:

  • Obtain necessary Identity and Access Management roles.
  • Create or select a Google Cloud project.
  • Enable billing and relevant Google Cloud APIs.
  • Create proxy subnets.
  • Upload an SSL certificate to Certificate Manager.

This setup is only required the first time you use Secure Web Proxy.

Obtain IAM roles

To obtain permissions, follow these steps:

  1. To get the permissions that you need to provision a Secure Web Proxy instance, ask your administrator to grant you the following IAM roles on your project:

    • To configure policies and provision a Secure Web Proxy instance: Compute Network Admin role (roles/compute.networkAdmin)
    • To upload explicit Secure Web Proxy TLS certificates: Certificate Manager Editor role (roles/certificatemanager.editor)

    For more information about granting roles, see Manage access.

  2. Optional: If you have a set of users responsible for ongoing policy management, grant them the Security Policy Admin role (roles/compute.orgSecurityPolicyAdmin) to let them manage security policies.

Create a Google Cloud project

To create or select a Google Cloud project, follow these steps:


Console

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Cloud Shell

  • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

    Replace PROJECT_ID with the project ID that you want.

  • Select the Cloud project that you created:

      gcloud config set project PROJECT_ID

Enable billing and APIs

To enable billing and relevant Google Cloud APIs, follow these steps:

  1. Make sure that billing is enabled for your Google Cloud project. Learn how to verify the billing status of your projects.

  2. Enable the Compute Engine API.

  3. Contact your sales representative to allowlist your project for Secure Web Proxy.

Create a proxy subnet

Create a proxy subnet for each region in which you deploy Secure Web Proxy. The subnet must be at least /26 (64 proxy-only addresses). We recommend /23 (512 proxy-only addresses), because Secure Web Proxy connectivity is provided by a pool of IP addresses reserved for Secure Web Proxy. This pool is used to allocate unique IP addresses on the egress side of each proxy for interaction with Cloud NAT and destinations in the VPC network.


    gcloud compute networks subnets create PROXY_NAME \
        --purpose=REGIONAL_MANAGED_PROXY \
        --role=ACTIVE \
        --region=REGION \
        --network=NETWORK_NAME \
        --range=IP_RANGE

Replace the following:

  • PROXY_NAME: the name that you want for your proxy
  • REGION: the region to deploy the proxy subnet in
  • NETWORK_NAME: your network name
  • IP_RANGE: the subnet range, such as

Secure Web Proxy can't be provisioned in the same region as an internal HTTP(S) load balancer or a regional external HTTP(S) load balancer.

Create and upload an SSL certificate

  1. To create an SSL certificate:

    openssl req -x509 -newkey rsa:2048 \
      -keyout KEY_PATH \
      -out CERTIFICATE_PATH -days 365 \
      -subj '/CN=SWP_HOST_NAME' -nodes -addext \
      "subjectAltName = DNS:SWP_HOST_NAME"

    Replace the following:

    • KEY_PATH: the path to save the key, such as ~/key.pem
    • CERTIFICATE_PATH: the path to save the certificate, such as ~/cert.pem
    • SWP_HOST_NAME: the hostname for your Secure Web Proxy instance, such as

  2. To upload the SSL certificate to Certificate Manager:

    gcloud certificate-manager certificates create CERTIFICATE_NAME \
       --certificate-file=CERTIFICATE_PATH \
       --private-key-file=KEY_PATH

    Replace the following:

    • CERTIFICATE_NAME: the name of your certificate
    • CERTIFICATE_PATH: the path to the certificate file
    • KEY_PATH: the path to the key file

    For more information about SSL certificates, see SSL certificates overview.
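The following is an added example, not part of the original documentation: it wraps the step 1 command so that the unencrypted key written by `-nodes` is created with owner-only permissions, and it checks the certificate and key before the step 2 upload. The hostname `proxy.example.internal`, the function names and the 30-day expiry threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example: generate the step 1 certificate with an owner-only key file,
# then verify it before upload. All names below are hypothetical.

make_swp_cert() {  # make_swp_cert KEY_PATH CERTIFICATE_PATH SWP_HOST_NAME
  # -nodes writes the key unencrypted, so create it under a restrictive umask.
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -keyout "$1" -out "$2" -days 365 \
      -subj "/CN=$3" -nodes -addext "subjectAltName = DNS:$3" 2>/dev/null )
}

check_swp_cert() {  # check_swp_cert KEY_PATH CERTIFICATE_PATH SWP_HOST_NAME
  local key=$1 cert=$2 host=$3 mode
  # 1. The proxy hostname must match the certificate (SAN is checked first).
  openssl x509 -in "$cert" -noout -checkhost "$host" \
    | grep -q "does match certificate" || { echo "FAIL: hostname"; return 1; }
  # 2. Certificate and private key must belong to the same key pair.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "FAIL: key does not match certificate"; return 2; }
  # 3. The certificate must still be valid 30 days from now.
  openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null \
    || { echo "FAIL: expires within 30 days"; return 3; }
  # 4. The unencrypted key must not be accessible to group or others.
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case $mode in *00) ;; *) echo "FAIL: key mode $mode"; return 4 ;; esac
  echo "OK: $cert is ready to upload"
}

# Demo on constructed input in a throwaway directory.
demo_dir=$(mktemp -d)
make_swp_cert "$demo_dir/key.pem" "$demo_dir/cert.pem" proxy.example.internal
check_swp_cert "$demo_dir/key.pem" "$demo_dir/cert.pem" proxy.example.internal
```

Each failed check returns a distinct non-zero status, so the function can gate the `gcloud certificate-manager certificates create` call in a provisioning script.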
