Organízate con las colecciones
Guarda y clasifica el contenido según tus preferencias.
En este documento se describen los pasos de configuración iniciales necesarios para usar el proxy web seguro.
Para poder usar el proxy web seguro, debes completar la siguiente configuración:
Obtén los roles de Gestión de Identidades y Accesos necesarios.
Crea o selecciona un Google Cloud proyecto.
Habilita la facturación y las Google Cloud APIs correspondientes.
Crea subredes de proxy.
Sube un certificado SSL a Gestor de certificados.
Esta configuración solo es necesaria la primera vez que uses el proxy web seguro.
Obtener roles de gestión de identidades y accesos
Para obtener permisos, sigue estos pasos:
Para obtener los permisos que necesitas para aprovisionar una instancia de Secure Web Proxy, pide a tu administrador que te conceda los siguientes roles de gestión de identidades y accesos en tu proyecto:
Para configurar políticas y aprovisionar una instancia de Secure Web Proxy, sigue estos pasos:
Rol Administrador de red de Compute (roles/compute.networkAdmin)
Para subir certificados TLS de proxy web seguro explícitos, siga estos pasos:
Rol Editor de Gestor de certificados (roles/certificatemanager.editor)
Opcional: Si tienes un conjunto de usuarios responsables de la gestión continua de las políticas, concédeles el rol Administrador de políticas de seguridad (roles/compute.orgSecurityPolicyAdmin) para que puedan gestionar las políticas de seguridad.
Crea un Google Cloud proyecto
Para crear o seleccionar un Google Cloud proyecto, sigue estos pasos:
Crea una subred de proxy para cada región en la que implementes el proxy web seguro.
Crea una subred de al menos /26, o 64 direcciones de solo proxy. Te recomendamos que uses una subred de tamaño /23, es decir, 512 direcciones de solo proxy, ya que la conectividad de Secure Web Proxy se proporciona mediante un conjunto de direcciones IP reservadas para Secure Web Proxy. Este grupo se usa para asignar direcciones IP únicas en el lado de salida de cada proxy para interactuar con Cloud NAT y los destinos de la red de VPC.
PROXY_SUBNET_NAME: el nombre que quieras asignar a tu subred de proxy
REGION: la región en la que se va a implementar la subred de proxy
NETWORK_NAME: el nombre de tu red
IP_RANGE: el intervalo de subred, como 192.168.0.0/23
Implementar un certificado SSL
Los certificados SSL son opcionales para el proxy web seguro. Para implementar certificados con Certificate Manager, utiliza uno de los siguientes métodos:
[[["Es fácil de entender","easyToUnderstand","thumb-up"],["Me ofreció una solución al problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Es difícil de entender","hardToUnderstand","thumb-down"],["La información o el código de muestra no son correctos","incorrectInformationOrSampleCode","thumb-down"],["Me faltan las muestras o la información que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-09-10 (UTC)."],[],[],null,["This document describes the initial setup steps required to use Secure Web Proxy.\n\nBefore you can use Secure Web Proxy, complete the following setup:\n\n- Obtain necessary Identity and Access Management roles.\n- Create or select a Google Cloud project.\n- Enable billing and relevant Google Cloud APIs.\n- Create proxy subnets.\n- Upload an SSL certificate to Certificate Manager.\n\nThis setup is only required the first time you use Secure Web Proxy.\n\nObtain IAM roles\n\nTo obtain permissions, follow these steps:\n\n1.\n\n To get the permissions that\n you need to provision a Secure Web Proxy instance,\n\n ask your administrator to grant you the\n following IAM roles on your project:\n\n - To configure policies and provision a Secure Web Proxy instance: [Compute Network Admin role](/iam/docs/roles-permissions/compute#compute.networkAdmin) (`roles/compute.networkAdmin`)\n - To upload explicit Secure Web Proxy TLS certificates: [Certificate Manager Editor role](/iam/docs/roles-permissions/certificatemanager#certificatemanager.editor) (`roles/certificatemanager.editor`)\n\n\n For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\n You might also be able to get\n the required permissions through [custom\n roles](/iam/docs/creating-custom-roles) or other [predefined\n roles](/iam/docs/roles-overview#predefined).\n2. Optional: If you have a set of users responsible for ongoing policy\n management, grant them the Security Policy Admin role\n (`roles/compute.orgSecurityPolicyAdmin`) to let them manage security\n policies.\n\nCreate a Google Cloud project\n\nTo create or select a Google Cloud project, follow these steps: \n\nConsole\n\nIn the Google Cloud console, on the project selector page, select or\n[create a Google Cloud project](/resource-manager/docs/creating-managing-projects).\n\n[Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n\nCloud Shell\n\n- Create a Google Cloud project:\n\n gcloud projects create \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the project ID that you\n want.\n- Select the Google Cloud project that you created:\n\n gcloud config set project \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\nEnable billing\n\nMake sure that billing is enabled for your Google Cloud project. For more\ninformation, see [Enable, disable, or change billing for a project](/billing/docs/how-to/modify-project)\nand [Verify the billing status of your projects](/billing/docs/how-to/verify-billing-enabled).\n\nEnable the required APIs\n\nYou must enable the following Google Cloud APIs:\n\n- `compute.googleapis.com`\n- `certificatemanager.googleapis.com`\n- `networkservices.googleapis.com`\n- `networksecurity.googleapis.com`\n- `privateca.googleapis.com` (optional)\n\nTo enable the required Google Cloud APIs, do the following: \n\nConsole\n\n1. Enable the Compute Engine API.\n\n [Enable the API](https://console.cloud.google.com/apis/enableflow?apiid=compute)\n2. Enable the Certificate Manager API.\n\n [Enable the API](https://console.cloud.google.com/apis/enableflow?apiid=certificatemanager)\n3. Enable the Network Services API.\n\n [Enable the API](https://console.cloud.google.com/apis/enableflow?apiid=networkservices)\n4. Enable the Network Security API.\n\n [Enable the API](https://console.cloud.google.com/apis/enableflow?apiid=networksecurity)\n5. Optional: If you plan to [configure TLS inspection](/secure-web-proxy/docs/enable-tls-inspection)\n for your proxy, then you must enable the Certificate Authority Service API.\n\n [Enable the API](https://console.cloud.google.com/apis/enableflow?apiid=privateca)\n\ngcloud\n\nRun the following command: \n\n```\n gcloud services enable \\\n --compute.googleapis.com \\\n --certificatemanager.googleapis.com \\\n --networkservices.googleapis.com \\\n --networksecurity.googleapis.com \\\n --privateca.googleapis.com\n```\n\nCreate a proxy subnet\n\nCreate a proxy subnet for each region that you deploy Secure Web Proxy in.\nCreate a subnet size of at least /26, or 64 proxy-only addresses. We recommend\na subnet size of /23, or 512 proxy-only addresses, because Secure Web Proxy\nconnectivity is provided by a pool of IP addresses reserved for\nSecure Web Proxy. This pool is used to allocate unique IP addresses on the\negress side of each proxy for interaction with Cloud NAT and destinations in\nthe VPC network.\n**Important:** This subnet is *not* referenced when creating a Secure Web Proxy instance. For more information, see [Proxy-only subnets for Envoy-based load balancers](/load-balancing/docs/proxy-only-subnets). \n\ngcloud \n\n gcloud compute networks subnets create \u003cvar translate=\"no\"\u003ePROXY_SUBNET_NAME\u003c/var\u003e \\\n --purpose=REGIONAL_MANAGED_PROXY \\\n --role=ACTIVE \\\n --region=\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e \\\n --network=\u003cvar translate=\"no\"\u003eNETWORK_NAME\u003c/var\u003e \\\n --range=\u003cvar translate=\"no\"\u003eIP_RANGE\u003c/var\u003e\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROXY_SUBNET_NAME\u003c/var\u003e: the name that you want for your proxy subnet\n- \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e: the region to deploy the proxy subnet in\n- \u003cvar translate=\"no\"\u003eNETWORK_NAME\u003c/var\u003e: your network name\n- \u003cvar translate=\"no\"\u003eIP_RANGE\u003c/var\u003e: the subnet range, such as `192.168.0.0/23`\n\nDeploy an SSL certificate\n\nSSL certificates are optional for Secure Web Proxy. To deploy certificates\nusing Certificate Manager, use any of the following methods:\n\n- Deploy a regional Google-managed certificate with per-project DNS\n authorization. For more information, see [Deploy a regional Google-managed certificate](/certificate-manager/docs/deploy-google-managed-regional).\n\n- Deploy a regional Google-managed certificate with Certificate Authority Service. For\n more information, see [Deploy a regional Google-managed certificate with CA Service](/certificate-manager/docs/deploy-google-managed-cas-regional).\n\n- Deploy a regional self-managed certificate.\n\n The following example shows how to deploy a regional self-managed certificate using Certificate Manager.\n\n \u003cbr /\u003e\n\n1. To create an SSL certificate:\n\n openssl req -x509 -newkey rsa:2048 \\\n -keyout \u003cvar translate=\"no\"\u003eKEY_PATH\u003c/var\u003e \\\n -out \u003cvar translate=\"no\"\u003eCERTIFICATE_PATH\u003c/var\u003e -days 365 \\\n -subj '/CN=\u003cvar translate=\"no\"\u003eSWP_HOST_NAME\u003c/var\u003e' -nodes -addext \\\n \"subjectAltName=DNS:\u003cvar translate=\"no\"\u003eSWP_HOST_NAME\u003c/var\u003e\"\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eKEY_PATH\u003c/var\u003e: the path to save the key, such as `~/key.pem`\n - \u003cvar translate=\"no\"\u003eCERTIFICATE_PATH\u003c/var\u003e: the path to save the certificate, such as `~/cert.pem`\n - \u003cvar translate=\"no\"\u003eSWP_HOST_NAME\u003c/var\u003e: the hostname for your Secure Web Proxy instance, such as `myswp.example.com`\n2. To upload the SSL certificate to Certificate Manager:\n\n gcloud certificate-manager certificates create \u003cvar translate=\"no\"\u003eCERTIFICATE_NAME\u003c/var\u003e \\\n --certificate-file=\u003cvar translate=\"no\"\u003eCERTIFICATE_PATH\u003c/var\u003e \\\n --private-key-file=\u003cvar translate=\"no\"\u003eKEY_PATH\u003c/var\u003e \\\n --location=\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCERTIFICATE_NAME\u003c/var\u003e: the name of your certificate\n - \u003cvar translate=\"no\"\u003eCERTIFICATE_PATH\u003c/var\u003e: the path to the certificate file\n - \u003cvar translate=\"no\"\u003eKEY_PATH\u003c/var\u003e: the path to the key file\n\n For more information about SSL certificates, see\n [SSL certificates overview](/load-balancing/docs/ssl-certificates).\n\nWhat's next\n\n- [Deploy and test a Secure Web Proxy instance](/secure-web-proxy/docs/quickstart)\n- [Use tags to create policies](/secure-web-proxy/docs/use-tags)\n- [Use a URL list to create policies](/secure-web-proxy/docs/use-url-list)\n- [Assign static IP addresses for egress traffic](/secure-web-proxy/docs/assign-static-ip-addresses-for-egress-traffic)"]]