Use a URL list to create policies

This guide shows how to use URL lists to define URLs that your users can access.

Before you begin

  • Complete the initial setup steps.

  • Verify that you have the Google Cloud CLI version 406.0.0 or later installed:

    gcloud version | head -n1

    If you have an earlier gcloud CLI version installed, update the version:

    gcloud components update --version=406.0.0

Create a Secure Web Proxy instance with an empty policy

To create a Secure Web Proxy instance, first create an empty security policy and then create a web proxy.

Create an empty security policy

Console

  1. In the Google Cloud console, go to the Network Security page.

    Go to Network Security

  2. Click Secure Web Proxy.

  3. Click the Policies tab.

  4. Click Create a policy.

  5. Enter a name for the policy that you want to create, such as myswppolicy.

  6. Enter a description of the policy, such as My new swp policy.

  7. In the Regions list, select the region where you want to create the policy.

  8. Click Create.

Cloud Shell

  1. Use your preferred text editor to create the file POLICY_FILE.yaml. Replace POLICY_FILE with the filename that you want for the policy file.

  2. Add the following to the YAML file that you created:

    name: projects/PROJECT_NAME/locations/REGION/gatewaySecurityPolicies/POLICY_NAME
description: POLICY_DESCRIPTION

    Replace the following:

    • PROJECT_NAME: the name of your project
    • REGION: the region that this policy applies to
    • POLICY_NAME: the name of the policy that you're creating
    • POLICY_DESCRIPTION: the description of the policy that you're creating

  3. Import the security policy:

    gcloud network-security gateway-security-policies import POLICY_NAME \
    --source=POLICY_FILE.yaml \
    --location=REGION

Create a web proxy

Console

  1. In the Google Cloud console, go to the Network Security page.

    Go to Network Security

  2. Click Secure Web Proxy.

  3. Click Set up a web proxy.

  4. Enter a name for the web proxy that you want to create, such as myswp.

  5. Enter a description of the web proxy, such as My new swp.

  6. In the Regions list, select the region where you want to create the web proxy.

  7. In the Network list, select the network where you want to create the web proxy.

  8. In the Subnetwork list, select the subnetwork where you want to create the web proxy.

  9. Enter the web proxy IP address.

  10. In the Certificate list, select the certificate that you want to use to create the web proxy.

  11. In the Policy list, select the policy that you created to associate the web proxy with.

  12. Click Create.

Cloud Shell

  1. Use your preferred text editor to create the file GATEWAY_FILE.yaml. Replace GATEWAY_FILE with the filename that you want for the web proxy file.

  2. Add the following to the YAML file that you created:

    name: projects/PROJECT_NAME/locations/REGION/gateways/GATEWAY_NAME
type: SECURE_WEB_GATEWAY
ports: [GATEWAY_PORT_NUMBERS]
certificateUrls: [CERTIFICATE_URLS]
gatewaySecurityPolicy: projects/PROJECT_NAME/locations/REGION/gatewaySecurityPolicies/POLICY_NAME
network: projects/PROJECT_NAME/global/networks/NETWORK_NAME
subnetwork: projects/PROJECT_NAME/regions/REGION/subnetworks/SUBNET_NAME
addresses: [GATEWAY_IP_ADDRESS]
scope: samplescope

    Replace the following:

    • GATEWAY_NAME: the name for this instance
    • GATEWAY_PORT_NUMBERS: a list of port numbers for this gateway, such as [80,443]
    • CERTIFICATE_URLS: a list of SSL certificate URLs

    • SUBNET_NAME: the name of the subnet that contains GATEWAY_IP_ADDRESS

    • GATEWAY_IP_ADDRESS: an optional list of IP addresses for your Secure Web Proxy instances within the proxy subnets previously created in the initial setup steps

      If you choose not to list IP addresses, omit the field to have the web proxy choose an IP address for you.

  3. Create a Secure Web Proxy instance:

    gcloud network-services gateways import GATEWAY_NAME \
    --source=GATEWAY_FILE.yaml \
    --location=REGION

Test connectivity

To test connectivity, use the curl command from any VM within your Virtual Private Cloud (VPC) network:

  curl -x https://GATEWAY_IP_ADDRESS:PORT_NUMBER https://www.example.com --proxy-insecure

A 403 Forbidden error is expected.

Create a URL list

To create a URL list and add a rule, complete the tasks in the following sections.

Create and configure a URL list

Console

  1. In the Google Cloud console, go to the Network Security page.

    Go to Network Security

  2. Click Secure Web Proxy.

  3. Click the URL lists tab.

  4. Click Create a URL list.

  5. Enter a name for the URL list that you want to create, such as myurllist.

  6. Enter a description of the URL list, such as My new URL list.

  7. In the Regions list, select the region where you want to create the URL list.

  8. Click Upload lists to upload the list of hosts, URLs, or patterns to match. For more information, see the UrlList syntax reference.

  9. Click Create.

Cloud Shell

  1. Use your preferred text editor to create the file URL_LIST_FILE.yaml. ReplaceURL_LIST_FILE` with your desired filename.

      name: projects/PROJECT_ID/locations/REGION/urlLists/URL_LIST_NAME
  values: URL_LIST

    Replace the following:

    • PROJECT_ID: your project number
    • REGION: the region this URL list applies to
    • URL_LIST_NAME: a name for the URL list that you're creating
    • URL_LIST: the list of hosts, URLs, or patterns to match

    For more information, see UrlList syntax reference.

    The following is an example URL list rule file:

    name: projects/PROJECT_ID/locations/REGION/urlLists/example-org-allowed-list
values:
  - www.example.com
  - about.example.com
  - "*.google.com"
  - "github.com/example-org/*"

    The asterisk (*) character has a special meaning in YAML. Therefore, you must add quotation marks around URLs that include an * character.

  2. Add the URL list so that it can be referenced by a Secure Web Proxy rule:

    gcloud network-security url-lists import URL_LIST_NAME \
    --location=REGION \
    --project=PROJECT_ID \
    --source=URL_LIST_FILE.yaml

Add a rule

Console

  1. In the Google Cloud console, go to the Network Security page.

    Go to Network Security

  2. Click Secure Web Proxy.

  3. In the project selector menu, select your organization ID or the folder that contains your policy.

  4. Click the name of your policy.

  5. Click Add rule.

  6. Populate the rule fields:

    1. Name
    2. Description
    3. Status
    4. Priority: the numeric evaluation order of the rule. The rules are evaluated from highest to lowest priority where 0 is the highest priority.
    5. In the Action section, specify whether connections that match the rule are allowed (Allow) or denied (Deny).

    6. In the Session Match section, specify the name of the URL list that you created previously. For example:

        sessionMatcher: "inUrlList(host(), 'projects/PROJECT_ID/locations/REGION/urlLists/URL_LIST_NAME')"

    7. To enable TLS inspection, select Enable TLS inspection.

    8. In the Application Match section, specify the criteria for matching the request.

    9. Click Create.

  7. Click Add rule to add another rule.

  8. Click Create to create the policy.

Cloud Shell

  1. Use your preferred text editor to create the file RULE_FILE.yaml. Replace RULE_FILE with your desired filename.

    name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/POLICY_NAME/rules/RULE_NAME
basicProfile: ALLOW
enabled: true
priority: PRIORITY_VALUE
description: RULE_DESCRIPTION
sessionMatcher: SESSION_CEL_EXPRESSION
applicationMatcher: APPLICATION_CEL_EXPRESSION

    Replace the following:

    • PROJECT_ID: your project number
    • REGION: the region this rule applies to
    • POLICY_NAME: the name of an existing GatewaySecurityPolicy used by your Secure Web Proxy instance
    • RULE_NAME: a name for the GatewaySecurityPolicyRule that you're creating
    • PRIORITY_VALUE: a priority value for this rule; lower numbers correspond to higher priorities
    • RULE_DESCRIPTION: a description for the policy that you're creating
    • SESSION_CEL_EXPRESSION: a Common Expression Language (CEL) expression for the session
    • APPLICATION_CEL_EXPRESSION: a CEL expression for the application

    The following is an example rule file:

    name: projects/PROJECT_ID/locations/REGION/urlLists/allow-repos
basicProfile: ALLOW
enabled: true
priority: 100
description: Allow access to our list of known code repos.
sessionMatcher: "inUrlList(host(), 'projects/PROJECT_ID/locations/REGION/urlLists/URL_LIST_NAME')"

  2. Add a Secure Web Proxy rule by using the URL list that you previously created:

        gcloud network-security gateway-security-policies rules import RULE_NAME \
      --location=REGION \
      --project=PROJECT_ID \
      --source=RULE_FILE.yaml \
      --gateway-security-policy=POLICY_NAME

Test connectivity

To test connectivity, use the following curl command:

curl -x https://SWP_IP_ADDRESS:SWP_PORT_NUMBER HTTP_TEST_ADDRESS
--proxy-insecure

Replace the following:

  • SWP_IP_ADDRESS: the IP address to your web proxy

  • SWP_PORT_NUMBER: the port number for your web proxy, such as 443

  • HTTP_TEST_ADDRESS: an address to test, such as https://www.example.com, that matches a host or URL entry in your URL_LIST

The request should return a successful response.

What's next