Secure Web Proxy overview

Secure Web Proxy is a cloud-first service that helps you secure egress web traffic (HTTP/S). You configure your clients to explicitly use Secure Web Proxy as a gateway. The web requests can originate from the following sources:

  • Virtual machine (VM) instances
  • Containers
  • A serverless environment that uses a serverless connector
  • Workloads outside of Google Cloud connected by Cloud VPN or Cloud Interconnect

Secure Web Proxy enables flexible and granular policies based on cloud-first identities and web applications.

Solutions that Secure Web Proxy supports

Secure Web Proxy supports the following solutions.

Migration to Google Cloud

Secure Web Proxy helps you migrate to Google Cloud while keeping your existing security policies and requirements for egress web traffic. You can avoid using third-party solutions that require using another management console or manually editing configuration files.

Access to trusted external web services

Secure Web Proxy lets you apply granular access policies to your egress web traffic so that you can secure your network. You create and identify workload or application identities, and then apply policies to web locations.

Monitored access to untrusted web services

You can use Secure Web Proxy to provide monitored access to untrusted web services. Secure Web Proxy identifies traffic that doesn't conform to policy and logs it to Cloud Logging (Logging). You can then monitor internet usage, discover threats to your network, and respond to threats.

Secure Web Proxy benefits

Secure Web Proxy provides the following benefits.

Operational time savings

Secure Web Proxy doesn't have VMs to set up and configure, doesn't require software updates to maintain security, and offers elastic scaling. After initial policy configuration, a regional Secure Web Proxy instance works out of the box. Secure Web Proxy provides tools to simplify setup, testing, and deployment so that you can focus on other tasks.

Flexible deployment

Secure Web Proxy supports simple and flexible deployments. Secure Web Proxy instances, Secure Web Proxy policies, and URL lists are all modular objects that can be created or reused by distinct administrators. For example, you can deploy multiple Secure Web Proxy instances that all use the same Secure Web Proxy policy.

Improved security

Secure Web Proxy configurations and policies are deny-all by default. Furthermore, Google Cloud automatically updates Secure Web Proxy software and infrastructure, reducing the risk of a security vulnerability.

Supported features

Secure Web Proxy supports the following features:

  • Explicit proxy service: Clients are explicitly configured to use the proxy server. Secure Web Proxy isolates clients from the internet by creating new TCP connections on the client's behalf.

  • Autoscaling Secure Web Proxy Envoy proxies: Supports automatically adjusting the Envoy proxy pool size and the pool's capacity in a region, which enables consistent performance during high-demand periods at the lowest cost.

  • Modular egress access policies: Secure Web Proxy specifically supports the following egress policies:

    • Source identity based on secure tags, service accounts, or IP addresses.
    • Destinations based on URLs or hostnames.
    • Requests based on methods, headers, or URLs. URLs can be specified by using lists, wildcards, or patterns.

  • End-to-end encryption: Client-proxy tunnels might transit over TLS. Secure Web Proxy also supports HTTP/S CONNECT for client-initiated, end-to-end TLS connections to the destination server.

  • Cloud Audit Logs and Google Cloud Observability integration: Cloud Audit Logs and Google Cloud Observability record administrative activities and access requests for Secure Web Proxy-related resources. They also record metrics and transaction logs for requests handled by the proxy.
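The following is an added illustration of the policy model described above (deny-all by default, rules matched on source identity, destination hostname, and request method); it is not Secure Web Proxy's own rule language or API, and the rule fields, service account names, and hostnames are constructed for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Request:
    """One egress request as seen by an explicit proxy (constructed sample input)."""
    service_account: str   # source identity of the workload
    host: str              # destination hostname (from CONNECT or the Host header)
    method: str            # HTTP method

@dataclass
class Rule:
    """Simplified policy rule; the fields are hypothetical, not the product's schema."""
    name: str
    priority: int                                       # lower value is evaluated first
    action: str                                         # "ALLOW" or "DENY"
    service_accounts: set = field(default_factory=set)  # empty = any source identity
    host_patterns: list = field(default_factory=list)   # wildcard patterns; empty = any host
    methods: set = field(default_factory=set)           # empty = any method

    def matches(self, req):
        if self.service_accounts and req.service_account not in self.service_accounts:
            return False
        if self.host_patterns and not any(fnmatch(req.host, p) for p in self.host_patterns):
            return False
        if self.methods and req.method not in self.methods:
            return False
        return True

def evaluate(rules, req):
    """First matching rule by priority decides; no match falls through to deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.action, rule.name
    return "DENY", "implicit-deny"

# Constructed sample policy: a build workload may fetch packages with GET/HEAD from
# one trusted host pattern, uploads are blocked everywhere, and everything else is denied.
POLICY = [
    Rule("allow-build-downloads", 100, "ALLOW",
         service_accounts={"build-sa@example-project.iam.gserviceaccount.com"},
         host_patterns=["*.pkg.example.com"], methods={"GET", "HEAD"}),
    Rule("block-uploads-anywhere", 50, "DENY", methods={"POST", "PUT"}),
]

def decide(service_account, host, method):
    return evaluate(POLICY, Request(service_account, host, method))

if __name__ == "__main__":
    sa = "build-sa@example-project.iam.gserviceaccount.com"
    print(decide(sa, "mirror.pkg.example.com", "GET"))    # allowed by the download rule
    print(decide(sa, "mirror.pkg.example.com", "POST"))   # denied by the upload rule
    print(decide("other-sa@example-project.iam.gserviceaccount.com", "mirror.pkg.example.com", "GET"))
```

The last call shows the deny-all default: a source identity no rule names gets "implicit-deny" even though the destination and method would otherwise be permitted.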

Additional Google Cloud tools to consider

Google Cloud provides the following tools for your Google Cloud deployments:

  • Use Google Cloud Armor to protect Google Cloud deployments from multiple threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).

  • Specify VPC firewall rules to secure connections to or from your VM instances.

  • Implement VPC Service Controls to prevent data exfiltration from Google Cloud services, such as Cloud Storage and BigQuery.

  • Use Cloud NAT to enable unsecured outbound internet connectivity for certain Google Cloud resources without an external IP address.