Deploy a Secure Web Proxy instance
This quickstart shows you how to deploy and test a Secure Web Proxy instance.
Before you begin
Complete initial setup steps.
Optional: Install the Google Cloud CLI in any one of the following development environments if you want to run the command-line examples specified in this guide:
To use an online terminal with the gcloud CLI already set up, activate Cloud Shell:
At the end of this page, a Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize.
To use a local development environment, follow these steps:
Create or select a Google Cloud project.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Create a Google Cloud project:
gcloud projects create
with the project ID that you want.
Select the Google Cloud project that you created:
gcloud config set project
Create a Linux virtual machine (VM) instance:
gcloud compute instances create swp-test-vm \
    --subnet=default \
    --zone=ZONE \
    --image-project=debian-cloud \
    --image-family=debian-11
Compute Engine grants the user who creates the VM the Compute Instance Admin role ( ). Compute Engine also adds that user to the sudo group.
Create a firewall rule:
gcloud compute firewall-rules create default-allow-ssh \
    --direction=INGRESS \
    --priority=1000 \
    --network=default \
    --action=ALLOW \
    --rules=tcp:22 \
    --source-ranges=
Create a Secure Web Proxy policy
In the Google Cloud console, go to the Secure Web Proxy page.
Click the Policies tab.
Click Create a policy.
Enter a name for the policy that you want to create, such as .
Enter a description of the policy, such as My new swp policy.
In the Regions list, select the region where you want to create the web proxy policy.
In the TLS inspection policy list, select the TLS inspection policy that you created. The TLS inspection policy appears in the list only if you created it.
If you want to create rules for your policy, then click Add rule. For more information, see Create Secure Web Proxy rules.
Click Create.
Some web proxy policies require that traffic be TLS encrypted for evaluation. Depending on whether you want TLS encryption, use any of the following methods to create a policy:
Create a policy with the TLS inspection configuration.
To enable TLS inspection, perform the procedure described in Enable TLS inspection and then create the file policy.yaml:

description: basic Secure Web Proxy policy
name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
tlsInspectionPolicy: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME

Create a policy without the TLS inspection configuration.
If you do not want to enable TLS inspection, create the file policy.yaml:

description: basic Secure Web Proxy policy
name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1

Create the Secure Web Proxy policy:
gcloud network-security gateway-security-policies import policy1 \
    --source=policy.yaml \
    --location=
Create Secure Web Proxy rules
In the Google Cloud console, go to the Secure Web Proxy page.
Click the Policies tab.
Click the name of your policy.
Click Add rule.
Populate the rule fields:
- Name
- Description
- Status
- Priority: the numeric evaluation order of the rule. The rules are evaluated from highest to lowest priority where is the highest priority.
- In the Action section, specify whether connections that match the rule are allowed (Allow) or denied (Deny).
- In the Session Match section, specify the criteria for matching the session. For more information about the syntax for , see the CEL matcher language reference.
- To enable TLS inspection, select Enable TLS inspection.
- In the Application Match section, specify the criteria for matching the request. If you do not enable the rule for TLS inspection, then the request can only match HTTP traffic.
- Click Create.
Click Add rule to add another rule.
Click Create to create the policy.
Depending on whether you want TLS encryption, use any of the following methods to create a rule:
Create a rule with the TLS inspection configuration.
To enable TLS inspection, create the file rule.yaml:

name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org
description: Allow wikipedia
enabled: true
priority: 1
basicProfile: ALLOW
sessionMatcher: host() == ''
applicationMatcher: request.path.contains('index.html')
tlsInspectionEnabled: true

Create a rule without the TLS inspection configuration.
If you do not want to enable TLS inspection, create the file rule.yaml:

name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org
description: Allow
enabled: true
priority: 1
basicProfile: ALLOW
sessionMatcher: host() == ''

Create the security policy rule:
gcloud network-security gateway-security-policies rules import allow-wikipedia-org \
    --source=rule.yaml \
    --location=REGION \
    --gateway-security-policy=policy1
Set up a web proxy
In the Google Cloud console, go to the Secure Web Proxy page.
Click the Web proxies tab.
Click Set up a web proxy.
Enter a name for the web proxy that you want to create, such as .
Enter a description of the web proxy, such as My new swp.
In the Regions list, select the region where you want to create the web proxy.
In the Network list, select the network where you want to create the web proxy.
In the Subnetwork list, select the subnetwork where you want to create the web proxy.
Enter the web proxy IP address.
In the Certificate list, select the certificate that you want to use to create the web proxy.
In the Policy list, select the policy that you created to associate the web proxy with.
Click Create.
Create the file gateway.yaml:

name: projects/PROJECT_ID/locations/REGION/gateways/swp1
type: SECURE_WEB_GATEWAY
addresses: [""]
ports: [443]
certificateUrls: ["projects/PROJECT_ID/locations/REGION/certificates/cert1"]
gatewaySecurityPolicy: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
network: projects/PROJECT_ID/global/networks/default
subnetwork: projects/PROJECT_ID/regions/REGION/subnetworks/default

Create a Secure Web Proxy instance:
gcloud network-services gateways import swp1 \
    --source=gateway.yaml \
    --location=REGION
A Secure Web Proxy instance can take several minutes to deploy.
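The policy.yaml, rule.yaml and gateway.yaml files refer to each other by resource name, and a mismatch between them is easy to miss before import. The following shell functions are an added example, not part of the original guide: the names yaml_get and lint_swp are hypothetical, the code assumes the flat "key: value" layout used in this quickstart, and the TLS pairing check is an assumption drawn from how the page pairs its "with TLS inspection" files.

```bash
#!/usr/bin/env bash
# Added example: cross-check the flat "key: value" files from this quickstart
# (policy.yaml, rule.yaml, gateway.yaml) before importing them.

# yaml_get FILE KEY -> value of the first top-level "KEY: value" line.
yaml_get() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1; }

# lint_swp POLICY RULE GATEWAY -> prints findings, returns how many it found.
lint_swp() {
  local pname rname gpol rtls ptls amatch n
  n=0
  pname=$(yaml_get "$1" name)
  ptls=$(yaml_get "$1" tlsInspectionPolicy)
  rname=$(yaml_get "$2" name)
  rtls=$(yaml_get "$2" tlsInspectionEnabled)
  amatch=$(yaml_get "$2" applicationMatcher)
  gpol=$(yaml_get "$3" gatewaySecurityPolicy)

  # The rule's resource name must sit under the policy: POLICY/rules/NAME.
  case $rname in
    "$pname"/rules/?*) ;;
    *) echo "rule is not a child of the policy: $rname"; n=$((n + 1)) ;;
  esac
  # The gateway must reference the policy that the rule belongs to.
  if [ "$gpol" != "$pname" ]; then
    echo "gateway references a different policy: $gpol"; n=$((n + 1))
  fi
  # Assumption taken from the page pairing its two "with TLS inspection" files:
  # a rule that enables inspection needs a policy with tlsInspectionPolicy.
  if [ "$rtls" = "true" ] && [ -z "$ptls" ]; then
    echo "rule enables TLS inspection, policy has no tlsInspectionPolicy"
    n=$((n + 1))
  fi
  # Per the page, without TLS inspection the request match sees HTTP only.
  if [ -n "$amatch" ] && [ "$rtls" != "true" ]; then
    echo "applicationMatcher without TLS inspection matches HTTP only"
    n=$((n + 1))
  fi
  # Page placeholders that were never substituted.
  if grep -Eq 'PROJECT_ID|REGION|TLS_INSPECTION_NAME' "$1" "$2" "$3"; then
    echo "unreplaced placeholder in one of the files"; n=$((n + 1))
  fi
  return "$n"
}
```

Call it as lint_swp policy.yaml rule.yaml gateway.yaml before running the import commands; the exit status is the number of findings.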
Test connectivity
Connect to the VM that you previously provisioned:
gcloud compute ssh swp-test-vm \
    --zone=ZONE
Test the Secure Web Proxy instance:
curl -x
If you configured the Secure Web Proxy instance for TLS inspection, use the following command:
curl -x
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
Delete the Secure Web Proxy instance swp1
In the Google Cloud console, go to the Secure Web Proxy page. You can view a list of all the web proxies or just those in a particular network.
Select the web proxy that you want to delete.
Click Delete.
Click Delete again to confirm.
gcloud network-services gateways delete swp1 \
Delete the rule allow-wikipedia-org
In the Google Cloud console, go to the Secure Web Proxy page. You can view a list of all the web proxies or just those in a particular network.
Click the Policies tab.
Click your policy.
Select the rule that you want to delete.
Click Delete.
Click Delete again to confirm.
gcloud network-security gateway-security-policies rules delete allow-wikipedia-org \
    --location=REGION \
Delete the Secure Web Proxy policy policy1
In the Google Cloud console, go to the Secure Web Proxy page. You can view a list of all the web proxies or just those in a particular network.
Click the Policies tab.
Select the policy that you want to delete.
Click Delete.
Click Delete again to confirm.
gcloud network-security gateway-security-policies delete policy1 \
Delete the Linux VM instance swp-test-vm
In the Google Cloud console, go to the VM instances page.
Select the instances that you want to delete.
Click Delete.
gcloud compute instances delete swp-test-vm