Secure Web Proxy is a cloud-first service that helps you secure egress web traffic (HTTP/S). You configure your clients to explicitly use Secure Web Proxy as a gateway. The web requests can originate from the following sources:
- Virtual machine (VM) instances
- Containers
- A serverless environment that uses a serverless connector
- Workloads outside of Google Cloud connected by Cloud VPN or Cloud Interconnect
Secure Web Proxy enables flexible and granular policies based on cloud-first identities and web applications.
Deployment modes
You can deploy Secure Web Proxy in the following ways:
Explicit proxy routing mode
You can configure your workload environments and clients to explicitly use the proxy server. Secure Web Proxy isolates clients from the internet: it creates new TCP connections to the destination on behalf of the client, so the client itself never connects directly, and it enforces the configured security policy on each connection.
For detailed instructions, see Deploy a Secure Web Proxy instance.
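The exchange behind explicit proxy mode, as an added example that is not code from the Secure Web Proxy documentation: the client asks the proxy for a tunnel with an HTTP CONNECT request, the proxy decides on the host and port named in that request and, if it allows the tunnel, opens the onward TCP connection itself and relays bytes it never parses. A throwaway stand-in proxy listening on 127.0.0.1 plays the proxy role so the example runs offline; the hostnames, ports, allow list, and the fake first payload are constructed for the example.

```python
# Added example, not code from the Secure Web Proxy documentation. A stand-in
# proxy on loopback shows what an explicit proxy sees and decides on when a
# client opens a CONNECT tunnel. Hosts, ports and the allow list are constructed.
import socket
import threading

PROXY_ALLOW = b"HTTP/1.1 200 Connection established\r\n\r\n"
PROXY_DENY = b"HTTP/1.1 403 Forbidden\r\n\r\n"
# First bytes the client sends once the tunnel is up. A real client sends a TLS
# ClientHello; this is only the TLS record header plus filler (constructed).
FAKE_CLIENT_HELLO = b"\x16\x03\x01\x00\x05hello"


def parse_connect(request_line: bytes) -> tuple[str, int]:
    """Parse b'CONNECT host:port HTTP/1.1' into (host, port)."""
    parts = request_line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT":
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    host, sep, port = parts[1].rpartition(b":")
    if not sep:
        raise ValueError("CONNECT target must be host:port")
    return host.decode("ascii"), int(port)


def stub_proxy(server: socket.socket, allowed_hosts: set, record: dict) -> None:
    """Serve one client. Policy is applied to the CONNECT target only; whatever
    follows the 200 response is treated as opaque (in practice, TLS)."""
    conn, _ = server.accept()
    with conn, conn.makefile("rb") as rd:
        request_line = rd.readline()
        while rd.readline() not in (b"\r\n", b""):  # skip CONNECT headers
            pass
        host, port = parse_connect(request_line)
        record["connect_target"] = (host, port)
        if host not in allowed_hosts:
            record["decision"] = "deny"
            conn.sendall(PROXY_DENY)
            return
        record["decision"] = "allow"
        conn.sendall(PROXY_ALLOW)
        # A real proxy would now connect to host:port and relay in both directions.
        payload = rd.read1(4096)
        record["tunnel_bytes_seen"] = len(payload)
        record["tunnel_looks_like_tls"] = payload[:3] == b"\x16\x03\x01"


def connect_through_proxy(proxy_addr, host: str, port: int, first_bytes: bytes) -> int:
    """Client side: request a tunnel, then send the first application bytes."""
    with socket.create_connection(proxy_addr) as s, s.makefile("rb") as rd:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        status_line = rd.readline()
        while rd.readline() not in (b"\r\n", b""):  # skip response headers
            pass
        status = int(status_line.split(b" ")[1])
        if status == 200:
            s.sendall(first_bytes)
        return status


def run_exchange(host: str, port: int, allowed_hosts: set) -> dict:
    """Run one client/proxy exchange on a loopback port; return what the proxy
    recorded plus the status the client saw."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    record: dict = {}
    worker = threading.Thread(target=stub_proxy, args=(server, allowed_hosts, record))
    worker.start()
    try:
        record["client_status"] = connect_through_proxy(
            server.getsockname(), host, port, FAKE_CLIENT_HELLO)
    finally:
        worker.join(timeout=5)
        server.close()
    return record


if __name__ == "__main__":
    print(run_exchange("api.example.com", 443, {"api.example.com"}))
    print(run_exchange("unlisted.example.net", 443, {"api.example.com"}))
```

The point to take from the record the stub returns: the proxy's decision is made on the host and port in the CONNECT line, and after the `200` it only counts bytes, because the payload is the client's own TLS session with the destination.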
Private Service Connect service attachment mode
Network Connectivity Center can centralize a Secure Web Proxy deployment across multiple networks, but it has limitations when you scale up. Deploying Secure Web Proxy as a Private Service Connect service attachment avoids those limitations. To do so:
- Add Secure Web Proxy as a Private Service Connect service attachment on the producer side of a Private Service Connect connection.
- Create a Private Service Connect consumer endpoint in each VPC network that needs to be connected to the Private Service Connect service attachment.
- Point egress traffic from your workloads at the centralized Secure Web Proxy in the same region, and apply policies to that traffic.
The deployment works in a hub and spoke fashion, where the Secure Web Proxy is on the egress path for workloads in the various connected VPC networks.
For detailed instructions, see Deploy Secure Web Proxy as a service attachment.
Secure Web Proxy as next hop
You can configure your Secure Web Proxy deployment to act as a next hop for routing in your network. Pointing traffic sources at your Secure Web Proxy instance through next hop routing removes the need to configure an explicit proxy setting (for example, a proxy environment variable) on each source workload. For more information about configuring next hop routing, see Deploy Secure Web Proxy as next hop.
Solutions that Secure Web Proxy supports
Secure Web Proxy supports the following solutions.
Migration to Google Cloud
Secure Web Proxy helps you migrate to Google Cloud while keeping your existing security policies and requirements for egress web traffic. You can avoid using third-party solutions that require using another management console or manually editing configuration files.
Access to trusted external web services
Secure Web Proxy lets you apply granular access policies to your egress web traffic so that you can secure your network. You identify workload or application identities, and then apply policies that govern which web locations those identities can reach.
Monitored access to untrusted web services
You can use Secure Web Proxy to provide monitored access to untrusted web services. Secure Web Proxy identifies traffic that doesn't conform to policy and logs it to Cloud Logging (Logging). You can then monitor internet usage, discover threats to your network, and respond to threats.
Secure Web Proxy benefits
Secure Web Proxy provides the following benefits.
Operational time savings
Secure Web Proxy doesn't have VMs to set up and configure, doesn't require software updates to maintain security, and offers elastic scaling. After initial policy configuration, a regional Secure Web Proxy instance works out of the box. Secure Web Proxy provides tools to simplify setup, testing, and deployment so that you can focus on other tasks.
Flexible deployment
Secure Web Proxy supports basic and flexible deployments. Secure Web Proxy instances, Secure Web Proxy policies, and URL lists are all modular objects that can be created or reused by distinct administrators. For example, you can deploy multiple Secure Web Proxy instances that all use the same Secure Web Proxy policy.
Improved security
Secure Web Proxy configurations and policies are deny-all by default: traffic is blocked unless a rule explicitly allows it. Furthermore, Google Cloud automatically updates Secure Web Proxy software and infrastructure, reducing the risk of security vulnerabilities.
Supported features
Secure Web Proxy supports the following features:
Autoscaling Secure Web Proxy Envoy proxies: Supports automatically adjusting the Envoy proxy pool size and the pool's capacity in a region, which enables consistent performance during high-demand periods at the lowest cost.
Modular egress access policies: Secure Web Proxy supports egress policies on the following dimensions:
- Source identity, based on secure tags, service accounts, or IP addresses.
- Destination, based on URLs or hostnames.
- Request attributes, based on methods, headers, or URLs. URLs can be specified by using lists, wildcards, or patterns.
End-to-end encryption: Client-to-proxy tunnels can transit over TLS. Secure Web Proxy also supports HTTP/S CONNECT for client-initiated, end-to-end TLS connections to the destination server; in that case the proxy applies policy to the destination host and port named in the CONNECT request, and the tunneled payload stays encrypted between the client and the destination.
Cloud Audit Logs and Google Cloud Observability integration: Cloud Audit Logs and Google Cloud Observability record administrative activities and access requests for Secure Web Proxy-related resources. They also record metrics and transaction logs for requests handled by the proxy.
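How the policy dimensions listed above compose, as an added example that is not code from the Secure Web Proxy documentation: rules are matched on source identity (service account, secure tag, IP address), destination host (an exact name or a wildcard entry of the kind a URL list holds), and request attributes (method, path, headers), evaluated in priority order with deny as the default, and every denial becomes a structured record of the kind you would then search for in Cloud Logging. The real service expresses its matchers as CEL expressions and separates them into a session matcher (who and where) and an application matcher (what request); here they are Python predicates with the same split. The rule names, identities, hosts, the wildcard semantics of `in_url_list`, and the sample traffic are all constructed for the example.

```python
# Added example, not code from the Secure Web Proxy documentation. A small model
# of priority-ordered, deny-by-default egress policy over source identity,
# destination host and request attributes, with denials emitted as log records.
# Matchers are Python predicates standing in for the service's CEL expressions;
# names, hosts, identities and traffic are constructed.
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Sequence


@dataclass(frozen=True)
class Source:
    service_account: str
    tags: frozenset = frozenset()
    ip: str = ""


@dataclass(frozen=True)
class Request:
    source: Source
    host: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower value is evaluated first
    action: str          # "ALLOW" or "DENY"
    session_matcher: Callable[[Request], bool]                       # who and where
    application_matcher: Callable[[Request], bool] = lambda r: True  # which request


def in_url_list(host: str, patterns: Sequence[str]) -> bool:
    """Match a host against URL-list style entries. Assumed semantics: an exact
    name, or a '*.' wildcard that matches subdomains but not the bare domain."""
    return any(fnmatchcase(host, p) for p in patterns)


def is_raw_ip(host: str) -> bool:
    """True when the destination is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(rules: Sequence[Rule], req: Request) -> tuple[str, str]:
    """The first rule, in priority order, whose session and application
    matchers both hold decides; if nothing matches, the request is denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.session_matcher(req) and rule.application_matcher(req):
            return rule.action, rule.name
    return "DENY", "implicit-deny"


def audit(rules: Sequence[Rule], requests: Sequence[Request]) -> list:
    """One structured record per denied request, ready to ship to a log sink."""
    records = []
    for req in requests:
        action, rule = decide(rules, req)
        if action == "DENY":
            records.append({
                "action": action, "rule": rule,
                "source": req.source.service_account, "source_ip": req.source.ip,
                "host": req.host, "method": req.method, "path": req.path,
            })
    return records


# Constructed policy (not a real project's rules).
API_SA = "api@demo-project.iam.gserviceaccount.com"
CI_SA = "ci@demo-project.iam.gserviceaccount.com"
RULES = [
    Rule("deny-direct-to-ip", 50, "DENY", lambda r: is_raw_ip(r.host)),
    Rule("allow-api-sa-to-partner-api", 200, "ALLOW",
         lambda r: r.source.service_account == API_SA
         and in_url_list(r.host, ["api.example.com"]),
         lambda r: r.method in {"GET", "POST"}),
    Rule("allow-ci-package-downloads", 300, "ALLOW",
         lambda r: "ci-runner" in r.source.tags
         and in_url_list(r.host, ["*.example.net"]),
         lambda r: r.method == "GET" and r.path.startswith("/packages/")),
]

# Constructed traffic sample.
SAMPLE_REQUESTS = [
    Request(Source(API_SA, ip="10.0.1.5"), "api.example.com", "GET", "/v1/items"),
    Request(Source(API_SA, ip="10.0.1.5"), "api.example.com", "DELETE", "/v1/items/7"),
    Request(Source(CI_SA, frozenset({"ci-runner"}), "10.0.2.9"), "pkg.example.net", "GET", "/packages/tool.tgz"),
    Request(Source(CI_SA, frozenset({"ci-runner"}), "10.0.2.9"), "pkg.example.net", "POST", "/upload"),
    Request(Source(API_SA, ip="10.0.1.5"), "203.0.113.10", "GET", "/"),
    Request(Source("web@demo-project.iam.gserviceaccount.com", ip="10.0.3.2"), "api.example.com", "GET", "/v1/items"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.host, req.method, decide(RULES, req))
    print(audit(RULES, SAMPLE_REQUESTS))
```

Two things the sample traffic makes visible: a rule whose session matcher holds but whose application matcher does not (the `DELETE` from the API service account) falls through to the implicit deny rather than being allowed, and the high-priority rule blocking literal IP destinations wins even for an identity that is otherwise allowed, which is the kind of ordering you want to check when you reuse one policy across several proxy instances.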
Additional Google Cloud tools to consider
Google Cloud provides the following tools for your Google Cloud deployments:
Use Google Cloud Armor to protect Google Cloud deployments from multiple threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).
Specify VPC firewall rules to secure connections to or from your VM instances.
Implement VPC Service Controls to prevent data exfiltration from Google Cloud services, such as Cloud Storage and BigQuery.
Use Cloud NAT to give certain Google Cloud resources without an external IP address outbound internet connectivity. Cloud NAT performs address translation only and applies no web access policy to that traffic, so it doesn't replace Secure Web Proxy.