Known limitations

Stay organized with collections Save and categorize content based on your preferences.

This guide describes the known limitations of Secure Web Proxy.

Regional HTTP(S) load balancer limitation

Regional internal and external HTTP(S) load balancers can't be provisioned in the same network and region as Secure Web Proxy.

Cloud NAT limitations

Each Secure Web Proxy instance requires a Cloud NAT gateway that is enabled only for the Secure Web Proxy endpoints in that region. The first Secure Web Proxy provisioned in a Virtual Private Cloud (VPC) network region also provisions a Cloud NAT gateway. The Cloud NAT gateway enables egress for all Secure Web Proxy instances in that virtual network and region.

Regional and network limitations on identities

Service account and secure tag identity information is accessible only from VMs within the same region and network as the provisioned Secure Web Proxy instance. Client identity information is also not accessible across VPC Network Peering, even within the same project.

Only IPv4 is supported

Secure Web Proxy only supports IPv4. IPv6 is not supported.

Internal IP addresses are regional

Secure Web Proxy allocates virtual IP addresses within a region. The virtual IP addresses are reachable only in the region that they are assigned. Also, Secure Web Proxy instances are provisioned in a region within a VPC network. As a result, IPv4 addresses must be allocated from within a subnet of the region that the Secure Web Proxy instance is located in.

The following describes how Secure Web Proxy allocates IP addresses:

  • If an unreserved IP address is specified during provisioning, then that IP address is used.
  • If an IP address isn't specified but a subnet and network are specified, then an IP address is automatically allocated within the specified subnet.
  • If an IP address, subnet, and network aren't specified, then an IP address is automatically allocated within the default subnet of the default network.

IP provisioning fails if none of the preceding items are met.

The IP addresses allocated by Secure Web Proxy are virtual IPs and are assigned to a group of proxies distributed across multiple cells within a region. Secure Web Proxy acts as an explicit proxy server, which requires clients to have connectivity to the virtual IP address to pass egress HTTP(S) traffic. Clients that have connectivity to the virtual IP address can access Secure Web Proxy through the following methods:

  • VPC Network Peering
  • Shared VPC
  • On-premises by using Cloud VPN or Cloud Interconnect

TLS encrypted traffic and HTTPS

Security policies have reduced access to request attributes for traffic encrypted with TLS between the client and the destination. This encryption is distinct from the optional TLS between the client and Secure Web Proxy.

Source information and destination host are available. However, path, HTTP method, and headers are not. As a result, using the request attributes in a GatewaySecurityPolicyRule ApplicationMatcher implicitly implies matching on HTTP traffic but not on HTTPS traffic.