Deploy a Secure Web Proxy instance

Note: This page describes deploying Secure Web Proxy as an explicit proxy. Alternatively, you can deploy Secure Web Proxy as a Private Service Connect service attachment or as a next hop.

This quickstart shows you how to deploy and test a Secure Web Proxy instance.

Before you begin

  1. Complete initial setup steps.

  2. To run the commands on this page, set up the Google Cloud CLI in one of the following development environments:

    Cloud Shell

    To use an online terminal with the gcloud CLI already set up, activate Cloud Shell:

    At the end of this page, a Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize.

    Local shell

    To use a local development environment, follow these steps:

    1. Install the gcloud CLI.
    2. Initialize the gcloud CLI.

  3. Create or select a Google Cloud project.

    Console

    In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

    Cloud Shell

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with the project ID that you want.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

  4. Create a Linux virtual machine (VM) instance:

    gcloud compute instances create swp-test-vm \
    --subnet=default \
    --zone=ZONE \
    --image-project=debian-cloud \
    --image-family=debian-11

    Compute Engine grants the user who creates the VM with the Compute Instance Admin role (roles/compute.instanceAdmin). Compute Engine also adds that user to the sudo group.

  5. Create a firewall rule:

    gcloud compute firewall-rules create default-allow-ssh \
    --direction=INGRESS \
    --priority=1000 \
    --network=default \
    --action=ALLOW \
    --rules=tcp:22 \
    --source-ranges=0.0.0.0/0

Create a Secure Web Proxy policy

Console

  1. In the Google Cloud console, go to the Network Security page.

    Go to Network Security

  2. Click Secure Web Proxy.

  3. Click the Policies tab.

  4. Click Create a policy.

  5. Enter a name for the policy that you want to create, such as myswppolicy.

  6. Enter a description of the policy, such as My new swp policy.

  7. In the Regions list, select the region where you want to create the web proxy policy.

  8. If you want to configure TLS inspection for the web proxy, select Configure TLS inspection.

  9. In the TLS inspection policy list, select the TLS inspection policy that you created. The TLS inspection policy appears in the list only if you created it.

  10. If you want to create rules for your policy, click Continue, and then click Add rule. For details, see Create Secure Web Proxy rules.

  11. Click Create.

Cloud Shell

  1. Some web proxy policies require that traffic be TLS encrypted for evaluation. Depending on whether you want TLS encryption, use any of the following methods to create a policy:

    • Create a policy with the TLS inspection configuration.

      To enable TLS inspection, perform the procedure described in Enable TLS inspection and then create the file policy.yaml:

      description: basic Secure Web Proxy policy
name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
tlsInspectionPolicy: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME

    • Create a policy without the TLS inspection configuration.

      If you do not want to enable TLS inspection, create the file policy.yaml:

      description: basic Secure Web Proxy policy
name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1

  2. Create the Secure Web Proxy policy:

    gcloud network-security gateway-security-policies import policy1 \
    --source=policy.yaml \
    --location=REGION

Create Secure Web Proxy rules

Console

  1. In the Google Cloud console, go to the Network Security page.

    Go to Network Security

  2. Click Secure Web Proxy.

  3. Click the Policies tab.

  4. Click the name of your policy.

  5. Click Add rule.

  6. Populate the rule fields:

    1. Name
    2. Description
    3. Status
    4. Priority: the numeric evaluation order of the rule. The rules are evaluated from highest to lowest priority where 0 is the highest priority.
    5. In the Action section, specify whether connections that match the rule are allowed (Allow) or denied (Deny).
    6. In the Session Match section, specify the criteria for matching the session. For more information about the syntax for SessionMatcher, see the CEL matcher language reference.
    7. To enable TLS inspection, select Enable TLS inspection.
    8. In the Application Match section, specify the criteria for matching the request. If you do not enable the rule for TLS inspection, then the request can only match HTTP traffic.
    9. Click Create.

  7. Click Add rule to add another rule.

  8. Click Create to create the policy.

Cloud Shell

  1. Depending on whether you want TLS encryption, use any of the following methods to create a rule:

    • Create a rule with the TLS inspection configuration.

      To enable TLS inspection, create the file rule.yaml:

      name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org
description: Allow wikipedia
enabled: true
priority: 1
basicProfile: ALLOW
sessionMatcher: host() == 'wikipedia.org'
applicationMatcher: request.path.contains('index.html')
tlsInspectionEnabled: true

    • Create a rule without the TLS inspection configuration.

      If you do not want to enable TLS inspection, create the file rule.yaml:

      name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org
description: Allow wikipedia.org
enabled: true
priority: 1
basicProfile: ALLOW
sessionMatcher: host() == 'wikipedia.org'

  2. Create the security policy rule:

    gcloud network-security gateway-security-policies rules import allow-wikipedia-org \
    --source=rule.yaml \
    --location=REGION \
    --gateway-security-policy=policy1

Set up a web proxy

Console

  1. In the Google Cloud console, go to the Network Security page.

    Go to Network Security

  2. Click Secure Web Proxy.

  3. Click the Web proxies tab.

  4. Click Set up a web proxy.

  5. Enter a name for the web proxy that you want to create, such as myswp.

  6. Enter a description of the web proxy, such as My new swp.

  7. In the Regions list, select the region where you want to create the web proxy.

  8. In the Network list, select the network where you want to create the web proxy.

  9. In the Subnetwork list, select the subnetwork where you want to create the web proxy.

  10. Enter the web proxy IP address.

  11. In the Certificate list, select the certificate that you want to use to create the web proxy.

  12. In the Policy list, select the policy that you created to associate the web proxy with.

  13. Click Create.

Cloud Shell

  1. Create the file gateway.yaml:

    name: projects/PROJECT_ID/locations/REGION/gateways/swp1
type: SECURE_WEB_GATEWAY
addresses: ["10.128.0.99"]
ports: [443]
certificateUrls: ["projects/PROJECT_ID/locations/REGION/certificates/cert1"]
gatewaySecurityPolicy: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
network: projects/PROJECT_ID/global/networks/default
subnetwork: projects/PROJECT_ID/regions/REGION/subnetworks/default
scope: samplescope

  2. Create a Secure Web Proxy instance:

    gcloud network-services gateways import swp1 \
    --source=gateway.yaml \
    --location=REGION

    A Secure Web Proxy instance can take several minutes to deploy.

Test connectivity

  1. Connect to the VM that you previously provisioned:

    gcloud compute ssh swp-test-vm \
    --zone=ZONE

  2. Test the Secure Web Proxy instance:

    curl -x http://10.128.0.99:80 https://wikipedia.org

    If you configured the Secure Web Proxy instance for TLS inspection, use the following command:

    curl -x http://10.128.0.99:80 https://wikipedia.org/index.html

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

Delete the Secure Web Proxy instance swp1

Console

  1. In the Google Cloud console, go to the Network Security page.

    Go to Network Security

  2. Click Secure Web Proxy. You can view a list of all the web proxies or just those in a particular network.

  3. Select the web proxy that you want to delete.

  4. Click Delete.

  5. Click Delete again to confirm.

Cloud Shell 

gcloud network-services gateways delete swp1 \
    --location=REGION

Delete the rule allow-wikipedia-org

Console

  1. In the Google Cloud console, go to the Network Security page.

    Go to Network Security

  2. Click Secure Web Proxy. You can view a list of all the web proxies or just those in a particular network.

  3. Click the Policies tab.

  4. Click your policy.

  5. Select the rule that you want to delete.

  6. Click Delete.

  7. Click Delete again to confirm.

Cloud Shell 

gcloud network-security gateway-security-policies rules delete allow-wikipedia-org \
    --location=REGION \
    --gateway-security-policy=policy1

Delete the Secure Web Proxy policy policy1

Console

  1. In the Google Cloud console, go to the Network Security page.

    Go to Network Security

  2. Click Secure Web Proxy. You can view a list of all the web proxies or just those in a particular network.

  3. Click the Policies tab.

  4. Select the policy that you want to delete.

  5. Click Delete.

  6. Click Delete again to confirm.

Cloud Shell 

gcloud network-security gateway-security-policies delete policy1 \
    --location=REGION

Delete the Linux VM instance swp-test-vm

Console

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Select the instances that you want to delete.

  3. Click Delete.

Cloud Shell 

gcloud compute instances delete swp-test-vm

What's next