Secure Web Proxy policies are based on the following two parameters:
- Traffic source: to identify the traffic source, Secure Web Proxy uses attributes such as service accounts, secure tags, and IP addresses.
- Allowed destination: to determine the allowed destinations, Secure Web Proxy uses either a destination domain, a full URL path (if TLS inspection is enabled), URL lists, or the destination port.
By default, Secure Web Proxy denies all egress traffic through the proxy unless a rule in the policy explicitly allows it.
Source attributes for policies
Use the following attributes to let your Secure Web Proxy instance identify the source of the traffic:
- Service accounts: use service accounts to identify the traffic source and configure Secure Web Proxy policies.
- Secure tags: use Resource Manager tags to control the access to your Google Cloud resources.
- IP addresses: assign your enterprise IP addresses (or static Google Cloud IP addresses) that Secure Web Proxy uses for egress traffic.
Supported identities
You can use source identity-based security policies (service accounts and secure tags) to secure web traffic for several Google Cloud services. The following table shows whether various Google Cloud services are supported when using source identity-based security policies.
Google Cloud services | Service account support | Secure tag support |
---|---|---|
VM | | |
GKE node | | |
GKE container | 1 | 1 |
Direct VPC for Cloud Run | 1 | |
Serverless VPC Access connector | 2 | 2 |
Cloud VPN | 1 | 1 |
Cloud Interconnect on premises | 1 | 1 |
Application Load Balancer | | |
Network Load Balancer | | |
2 Source IP address is unique and can be used instead.
The following table shows whether various Virtual Private Cloud (VPC) architectures are supported when using source identity-based security policies.
VPC | VPC architecture | Support |
---|---|---|
Within VPC | Cross project (Shared VPC) | |
Within VPC | Cross region | |
Cross VPC | Cross peering link (peer VPC) | |
Cross VPC | Cross Private Service Connect | |
Cross VPC | Cross Network Connectivity Center spokes | |
Destination attributes for policies
With Secure Web Proxy, you can configure policies for your application based on destination domains and full URL paths (if TLS inspection is enabled).
Use the following attributes to let your Secure Web Proxy instance determine the allowed traffic destination:
- Destination port: the upstream port to which your Secure Web Proxy instance sends traffic.
- URL lists: use URL lists to define URLs that your users can access.
For HTTP-based destination traffic, you can use the `host()` destination attribute for your application. For HTTPS-based destination traffic, you can use various `request.*` destination-related attributes (such as `request.method`) for your application.
For more information about the destination attributes that you can use for HTTP and HTTPS traffic, see Attributes.
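To make the policy model above concrete, here is an added example that is not part of this page or of the Secure Web Proxy product: a small Python model of how such a policy evaluates. It mirrors the two parameters the page describes (source attributes: service account, secure tag, source IP; destination attributes: `host()`, port, URL list, and `request.*` fields such as `request.method`), evaluates rules in priority order, and denies by default. The predicate names (`match_service_account`, `match_tag`, `in_url_list`, and so on), the rule names, the service-account and host values, and the rule that `request.*` attributes on an HTTPS request are only evaluable when TLS inspection is on are all constructed for this example; they are not the product's own matcher syntax or engine.

```python
"""Toy model of proxy policy evaluation (added example, not the product's engine)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

@dataclass
class Request:
    source_ip: str
    service_account: Optional[str]
    tags: frozenset
    host: str
    port: int
    method: str = "GET"
    path: str = "/"
    tls_inspected: bool = False  # constructed flag: is the HTTPS payload visible?

Matcher = Callable[[Request], bool]

@dataclass(order=True)
class Rule:
    priority: int  # lower number is evaluated first
    name: str
    action: str  # "ALLOW" or "DENY"
    session_matcher: Matcher = field(compare=False)
    application_matcher: Optional[Matcher] = field(default=None, compare=False)

# Source-side predicates (hypothetical helpers modelling the page's source attributes)
def match_service_account(sa: str) -> Matcher:
    return lambda r: r.service_account == sa

def match_tag(tag: str) -> Matcher:
    return lambda r: tag in r.tags

def match_source_cidr(cidr: str) -> Matcher:
    net = ip_network(cidr)
    return lambda r: ip_address(r.source_ip) in net

# Destination-side predicates (hypothetical helpers modelling host(), port, URL lists)
def host_is(h: str) -> Matcher:
    return lambda r: r.host == h

def in_url_list(hosts) -> Matcher:
    allowed = set(hosts)
    return lambda r: r.host in allowed

def port_is(p: int) -> Matcher:
    return lambda r: r.port == p

# request.* style predicate; only meaningful when the request body/headers are visible
def method_in(methods) -> Matcher:
    allowed = set(methods)
    return lambda r: r.method in allowed

def all_of(*ms: Matcher) -> Matcher:
    return lambda r: all(m(r) for m in ms)

def evaluate(rules, req: Request) -> tuple[str, Optional[str]]:
    """Return (action, matched rule name); default deny when nothing matches."""
    for rule in sorted(rules):
        if not rule.session_matcher(req):
            continue
        if rule.application_matcher is not None:
            # Model assumption: request.* attributes of an HTTPS session are only
            # evaluable when TLS inspection is enabled; otherwise the rule cannot match.
            if req.port == 443 and not req.tls_inspected:
                continue
            if not rule.application_matcher(req):
                continue
        return rule.action, rule.name
    return "DENY", None  # no rule matched: deny by default

# Constructed sample policy
BUILDER_SA = "builder@example-project.iam.gserviceaccount.com"
RULES = [
    Rule(50, "deny-quarantine-subnet", "DENY",
         session_matcher=match_source_cidr("10.9.0.0/16")),
    Rule(100, "allow-builder-pypi", "ALLOW",
         session_matcher=all_of(match_service_account(BUILDER_SA),
                                host_is("pypi.org"), port_is(443))),
    Rule(200, "allow-web-tier-readonly-api", "ALLOW",
         session_matcher=all_of(match_tag("env:web"),
                                in_url_list(["api.example.com"])),
         application_matcher=method_in({"GET", "HEAD"})),
]

def decide(source_ip, sa, tags, host, port, method="GET", tls_inspected=False):
    req = Request(source_ip, sa, frozenset(tags), host, port, method, "/", tls_inspected)
    return evaluate(RULES, req)

if __name__ == "__main__":
    print(decide("10.1.2.3", BUILDER_SA, [], "pypi.org", 443))
    print(decide("10.1.2.3", BUILDER_SA, [], "github.com", 443))
```

The ordering matters: the low-priority deny for the quarantine subnet wins even for a source that would otherwise be allowed, and a `request.method` condition on an HTTPS session silently never matches unless the payload is inspected, which is why the page ties full-URL and `request.*` matching to TLS inspection.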