Deploy a Secure Web Proxy instance
This quickstart guide explains how to deploy and test a Secure Web Proxy instance.
The steps describe deploying Secure Web Proxy in explicit routing mode, functioning as an explicit proxy. Secure Web Proxy instances in explicit routing mode can be published as a Private Service Connect service.
Alternatively, you can deploy Secure Web Proxy in next hop routing mode. For more information, see Deploy Secure Web Proxy as a next hop.
Before you begin
- Complete the initial setup steps. 
- Optional: Install the Google Cloud CLI in any one of the following development environments if you want to run the gcloud command-line examples specified in this guide:
  - Cloud Shell: To use an online terminal with the gcloud CLI already set up, activate Cloud Shell. A Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize. If you installed the gcloud CLI previously, then make sure that you have the latest available version by running gcloud components update.
  - Local shell: To use a local development environment, install and initialize the gcloud CLI.
- Create or select a Google Cloud project. If you don't plan to keep the resources that you create in this procedure, then create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
  - Console: In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  - Cloud Shell: Create a Google Cloud project:
        gcloud projects create PROJECT_ID
    Replace PROJECT_ID with the project ID that you want.
- Select the Google Cloud project that you created:
        gcloud config set project PROJECT_ID
 
- Create a Linux virtual machine (VM) instance.
        gcloud compute instances create swp-test-vm \
            --subnet=default \
            --zone=ZONE \
            --image-project=debian-cloud \
            --image-family=debian-11
  Replace ZONE with the zone of your test VM instance.
  Compute Engine grants the user who creates the VM the Compute Instance Admin role (roles/compute.instanceAdmin). Compute Engine also adds that user to the sudo group.
- Create a firewall rule that allows SSH to the test VM.
        gcloud compute firewall-rules create default-allow-ssh \
            --direction=INGRESS \
            --priority=1000 \
            --network=default \
            --action=ALLOW \
            --rules=tcp:22 \
            --source-ranges=0.0.0.0/0
  Note that --source-ranges=0.0.0.0/0 exposes port 22 to the entire internet. Even for a short-lived test, prefer to narrow the source range to the address you connect from, or to the IAP TCP forwarding range 35.235.240.0/20 and connect with gcloud compute ssh --tunnel-through-iap.
Create a Secure Web Proxy policy
Console
- In the Google Cloud console, go to the SWP Policies page. 
- Click Create a policy. 
- Enter a name for the policy that you want to create, such as - policy1.
- Enter a description of the policy, such as - My new swp policy.
- In the Regions list, select the region where you want to create the web proxy policy. 
- If you want to create rules for your policy, then click Add rule. For more information, see the Create Secure Web Proxy rules section. 
- Click Create. 
Cloud Shell
- Create the policy.yaml file.
        description: basic Secure Web Proxy policy
        name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
  Replace the following:
  - PROJECT_ID: the project ID of your project
  - REGION: the region of your policy
 
- Create the Secure Web Proxy policy.
        gcloud network-security gateway-security-policies import policy1 \
            --source=policy.yaml \
            --location=REGION
Create Secure Web Proxy rules
Console
- In the Google Cloud console, go to the SWP Policies page. 
- Click the name of your policy. 
- Click Add rule. 
- Populate the following rule fields:
  - Name
  - Description
  - Status
  - Priority: numeric evaluation order of the rule. The rules are evaluated from highest to lowest priority, where 0 is the highest priority.
- In the Action section, specify whether connections that match the rule are allowed (Allow) or denied (Deny).
- In the Session Match section, specify the criteria for matching the session. For more information about the syntax for SessionMatcher, see CEL matcher language reference.
- In the Application Match section, specify the criteria for matching the request. Because the rule is not enabled for TLS inspection, the request can match only HTTP traffic. For information about matching TCP traffic, see Configure TCP proxy rules for your application.
- Click Create. 
 
- Click Add rule to add another rule. 
Cloud Shell
- Create the rule.yaml file as shown here. For more information about the syntax for SessionMatcher, see CEL matcher language reference.
        name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org
        description: Allow wikipedia.org
        enabled: true
        priority: 1
        basicProfile: ALLOW
        sessionMatcher: host() == 'www.wikipedia.org'
- Create the security policy rule.
        gcloud network-security gateway-security-policies rules import allow-wikipedia-org \
            --source=rule.yaml \
            --location=REGION \
            --gateway-security-policy=policy1
Set up a web proxy
This section explains how to deploy Secure Web Proxy in explicit routing mode, functioning as an explicit proxy.
Console
- In the Google Cloud console, go to the Web Proxies page. 
- Click Create a secure web proxy. 
- Enter a name for the web proxy that you want to create, such as - myswp.
- Enter a description of the web proxy, such as - My new swp.
- For Routing mode, select the Explicit option. 
- In the Regions list, select the region where you want to create the web proxy. 
- In the Network list, select the network where you want to create the web proxy. 
- In the Subnetwork list, select the subnetwork where you want to create the web proxy. - Important: You must use the VPC subnet that you previously created as part of the initial setup steps. 
- Optional: Enter the Secure Web Proxy IP address. You can enter an IP address from the range of Secure Web Proxy IP addresses that reside in the subnetwork you created in the previous step. If you don't enter the IP address, then your Secure Web Proxy instance automatically chooses an IP address from the selected subnetwork. 
- In the Certificate list, select the certificate that you want to use to create the web proxy. 
- In the Policy list, select the policy that you created to associate the web proxy with. 
- Click Create. 
Cloud Shell
- Create the gateway.yaml file.
        name: projects/PROJECT_ID/locations/REGION/gateways/swp1
        type: SECURE_WEB_GATEWAY
        addresses: ["IP_ADDRESS"]
        ports: [443]
        gatewaySecurityPolicy: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
        network: projects/PROJECT_ID/global/networks/NETWORK
        subnetwork: projects/PROJECT_ID/regions/REGION/subnetworks/SUBNETWORK
        routingMode: EXPLICIT_ROUTING_MODE
  Replace the following:
  - PROJECT_ID: the project ID of your project
  - REGION: the region of your Secure Web Proxy instance
  - IP_ADDRESS: the IP address of your Secure Web Proxy instance
  - NETWORK: the network of your Secure Web Proxy instance
  - SUBNETWORK: the subnetwork of your Secure Web Proxy instance. You must use the VPC subnet that you previously created as part of the initial setup steps.
 
- Create a Secure Web Proxy instance based on gateway.yaml.
        gcloud network-services gateways import swp1 \
            --source=gateway.yaml \
            --location=REGION
  A Secure Web Proxy instance can take several minutes to deploy.
Test connectivity
- Connect to the VM that you previously provisioned.
        gcloud compute ssh swp-test-vm \
            --zone=ZONE
  Replace ZONE with the zone of your test VM instance.
- Test the Secure Web Proxy instance.
        curl -s -o /dev/null -w "%{http_code}\n" -x IP_ADDRESS:443 https://www.wikipedia.org
  Replace IP_ADDRESS with the IP address of your Secure Web Proxy instance. This command prints the HTTP status code returned from www.wikipedia.org. If the command is successful, then the status code is 200. If there is an issue reaching the proxy, then curl prints 000, which means that no HTTP response was received at all. To view the detailed error messages, add the -v option to the command.
We haven't configured TLS inspection in the example mentioned on this page. For more information about how to configure Secure Web Proxy for TLS inspection and then test your Secure Web Proxy instance, see Enable TLS inspection.
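The single curl command above tells you whether the allowed host works, but a status of 000 conflates two very different failures: the proxy was never reached, and the proxy was reached but refused the session. The following script is an added example, not part of the original page or of Google's own tooling. Run it on swp-test-vm against the explicit proxy created above; it assumes the proxy address is passed in the PROXY environment variable (IP_ADDRESS:443 is a placeholder, as elsewhere on this page) and uses example.com as a constructed negative case that no ALLOW rule matches. It separates the two failure modes by reading curl's %{http_connect} variable (the status the proxy returned to the CONNECT request) alongside %{http_code} and the exit status.

```shell
#!/usr/bin/env bash
# Added example, not from the page: probe a Secure Web Proxy explicit proxy
# from swp-test-vm and turn curl's exit status plus its %{http_connect} and
# %{http_code} variables into a readable verdict.

# Assumption: PROXY holds the address:port from gateway.yaml; IP_ADDRESS is a
# placeholder, exactly as elsewhere on this page.
PROXY="${PROXY:-IP_ADDRESS:443}"

# classify EXIT_STATUS HTTP_CONNECT HTTP_CODE
#   %{http_connect} is the status the proxy returned to the CONNECT request
#   (000 when the proxy never answered); %{http_code} is the final status
#   from the origin (000 when no response was received).
classify() {
  local rc="$1" connect="$2" code="$3"
  if [ "$rc" -eq 0 ]; then
    echo "allowed (HTTP $code from origin)"
  elif [ "$connect" != "000" ] && [ "$connect" != "200" ]; then
    # The proxy was reachable but refused the tunnel: a policy decision,
    # not a connectivity problem.
    echo "refused by proxy (CONNECT returned $connect)"
  elif [ "$code" = "000" ]; then
    # No HTTP response at all: wrong address or port, missing route, firewall.
    echo "unreachable (curl exit $rc)"
  else
    echo "unexpected (exit=$rc connect=$connect code=$code)"
  fi
}

# probe HOST: send one HTTPS request for HOST through the proxy and report.
probe() {
  local host="$1" out rc connect code
  out=$(curl -s -o /dev/null --max-time 15 \
          -w '%{http_connect} %{http_code}' -x "$PROXY" "https://$host")
  rc=$?
  connect="${out%% *}"
  code="${out##* }"
  printf '%-24s %s\n' "$host" "$(classify "$rc" "${connect:-000}" "${code:-000}")"
}

# Run the probes only when invoked with "run", so the functions can be
# sourced without touching the network.
if [ "${1:-}" = "run" ]; then
  probe www.wikipedia.org   # matched by the allow-wikipedia-org rule
  probe example.com         # constructed negative case: no ALLOW rule matches
fi
```

Invoke it as PROXY=IP_ADDRESS:443 bash probe.sh run. The allowed host should come back as "allowed", the negative case as "refused by proxy", and both as "unreachable" only if the gateway address, port or VPC path is wrong. The verdict deliberately does not depend on which non-2xx status the proxy uses for a refusal, so it keeps working for any denied session.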
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
Delete the swp1 Secure Web Proxy instance
Console
- In the Google Cloud console, go to the Web Proxies page. You can view the list of all web proxies or just the web proxies that are available in a particular network. 
- Select the web proxy that you want to delete. 
- Click Delete. 
- Click Delete again to confirm. 
Cloud Shell
gcloud network-services gateways delete swp1 \
    --location=REGION
Replace REGION with the region of your Secure Web Proxy
instance.
Delete the allow-wikipedia-org rule
Console
- In the Google Cloud console, go to the SWP Policies page. 
- Click your policy. 
- Select the rule that you want to delete. 
- Click Delete. 
- Click Delete again to confirm. 
Cloud Shell
gcloud network-security gateway-security-policies rules delete allow-wikipedia-org \
    --location=REGION \
    --gateway-security-policy=policy1
Replace REGION with the region of your policy.
Delete the policy1 Secure Web Proxy policy
Console
- In the Google Cloud console, go to the SWP Policies page. 
- Select the policy that you want to delete. 
- Click Delete. 
- Click Delete again to confirm. 
Cloud Shell
gcloud network-security gateway-security-policies delete policy1 \
    --location=REGION
Replace REGION with the region of your policy.
Delete the swp-test-vm Linux VM instance
Console
- In the Google Cloud console, go to the VM instances page. 
- Select the instances that you want to delete. 
- Click Delete. 
Cloud Shell
gcloud compute instances delete swp-test-vm \
    --zone=ZONE
Replace ZONE with the zone of your test VM instance.