Known limitations

This guide describes the known limitations of Secure Web Proxy.

Cloud NAT limitations

Each Secure Web Proxy instance requires a Cloud NAT gateway that is enabled only for the Secure Web Proxy endpoints in that region. The first Secure Web Proxy provisioned in a Virtual Private Cloud (VPC) network region also provisions a Cloud NAT gateway. The Cloud NAT gateway enables egress for all Secure Web Proxy instances in that virtual network and region.

Only IPv4 is supported

Secure Web Proxy only supports IPv4. IPv6 is not supported.

Internal IP addresses are regional

Secure Web Proxy allocates virtual IP addresses within a region. The virtual IP addresses are reachable only in the region to which they are assigned. Also, Secure Web Proxy instances are provisioned in a region within a VPC network. As a result, IPv4 addresses must be allocated from within a subnet of the region that the Secure Web Proxy instance is located in.

The following describes how Secure Web Proxy allocates IP addresses:

  • If an unreserved IP address is specified during provisioning, then that IP address is used.
  • If an IP address isn't specified but a subnet and network are specified, then an IP address is automatically allocated within the specified subnet.
  • If an IP address, subnet, and network aren't specified, then an IP address is automatically allocated within the default subnet of the default network.

IP provisioning fails if none of the preceding conditions is met.
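
The allocation rules above can be modeled as a pre-deployment check. The following is an added example, not Google's implementation or part of the original guide. The function names, the subnet inventory, and the sample addresses are all hypothetical.

```python
import ipaddress

# Constructed inventory of (network, subnet, region, CIDR); all values are sample data.
SUBNETS = [
    ("default", "default", "us-central1", "10.128.0.0/20"),
    ("prod-vpc", "proxy-subnet", "us-central1", "10.10.0.0/24"),
    ("prod-vpc", "eu-subnet", "europe-west1", "10.20.0.0/24"),
]

def _cidr(network, subnet, region):
    """Return the CIDR of a subnet in the given region, or None if absent."""
    for net, name, reg, cidr in SUBNETS:
        if (net, name, reg) == (network, subnet, region):
            return cidr
    return None

def plan_allocation(region, address=None, subnet=None, network=None, reserved=()):
    """Model the three documented allocation cases; raise ValueError otherwise."""
    if address is not None:
        ip = ipaddress.ip_address(address)
        if ip.version != 4:
            raise ValueError("only IPv4 is supported")
        if address in reserved:
            raise ValueError("address is already reserved")
        # Addresses are regional: the IP must sit in a subnet of the proxy's region.
        for _net, _name, reg, cidr in SUBNETS:
            if reg == region and ip in ipaddress.ip_network(cidr):
                return ("explicit", address)
        raise ValueError(f"{address} is not in any {region} subnet")
    if subnet is not None and network is not None:
        cidr = _cidr(network, subnet, region)
        if cidr is None:
            raise ValueError(f"{network}/{subnet} has no range in {region}")
        return ("auto", cidr)
    if subnet is None and network is None:
        cidr = _cidr("default", "default", region)
        if cidr is None:
            raise ValueError(f"no default subnet in {region}")
        return ("auto-default", cidr)
    raise ValueError("specify both subnet and network, or neither")

def try_plan(region, **kwargs):
    """Return the plan, or ("fail", reason) when provisioning would be rejected."""
    try:
        return plan_allocation(region, **kwargs)
    except ValueError as exc:
        return ("fail", str(exc))

if __name__ == "__main__":
    print(try_plan("us-central1", address="10.10.0.5"))
    print(try_plan("us-central1", address="10.20.0.5"))    # other region's range
    print(try_plan("us-central1", subnet="proxy-subnet"))  # network missing
```

Running a check like this against planned proxy definitions catches cross-region or IPv6 addresses before provisioning is attempted.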

The IP addresses allocated by Secure Web Proxy are virtual IPs and are assigned to a group of proxies distributed across multiple cells within a region. Secure Web Proxy acts as an explicit proxy server, which requires clients to have connectivity to the virtual IP address to pass egress HTTP(S) traffic. Clients that have connectivity to the virtual IP address can access Secure Web Proxy through the following methods:

  • VPC Network Peering
  • Shared VPC
  • On-premises by using Cloud VPN or Cloud Interconnect

Supported HTTP versions

HTTP versions 0.9, 1.0, 1.1, and 2.0 are supported. HTTP 3 is not supported.

Secure Web Proxy in Shared VPC

You can only deploy Secure Web Proxy in a host project. You cannot deploy Secure Web Proxy in a service project.

Security rule creation race condition

When you create a large number of Secure Web Proxy security rules in parallel by using Terraform, you may encounter a race condition. As a workaround, use the terraform apply command with --parallelism=1.

Secure Web Proxy in Private Service Connect

Secure Web Proxy does not support RoutingMode set to NEXT_HOP_ROUTING_MODE with a Private Service Connect service attachment.