Deploy a Secure Web Proxy instance
This quickstart guide explains how to deploy and test a Secure Web Proxy instance.
Before you begin
Complete the initial setup steps.
Optional: Install the Google Cloud CLI in any one of the following development environments if you want to run the
gcloudcommand-line examples specified in this guide:Cloud Shell
To use an online terminal with the gcloud CLI already set up, activate Cloud Shell:
At the end of this page, a Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize.
Local shell
To use a local development environment, follow these steps:
Create or select a Google Cloud project.
Console
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Cloud Shell
Create a Google Cloud project:
gcloud projects create PROJECT_IDReplace
PROJECT_IDwith the project ID that you want.Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Create a Linux virtual machine (VM) instance.
gcloud compute instances create swp-test-vm \ --subnet=default \ --zone=ZONE \ --image-project=debian-cloud \ --image-family=debian-11Compute Engine grants the user who creates the VM with the Compute Instance Admin role (
roles/compute.instanceAdmin). Compute Engine also adds that user to the sudo group.Create a firewall rule.
gcloud compute firewall-rules create default-allow-ssh \ --direction=INGRESS \ --priority=1000 \ --network=default \ --action=ALLOW \ --rules=tcp:22 \ --source-ranges=0.0.0.0/0
Create a Secure Web Proxy policy
Console
In the Google Cloud console, go to the Secure Web Proxy page.
Click the Policies tab.
Click Create a policy.
Enter a name for the policy that you want to create, such as
myswppolicy.Enter a description of the policy, such as
My new swp policy.In the Regions list, select the region where you want to create the web proxy policy.
If you want to create rules for your policy, then click Add rule. For more information, see the Create Secure Web Proxy rules section.
Click Create.
Cloud Shell
Create the
policy.yamlfile.description: basic Secure Web Proxy policy name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1Create the Secure Web Proxy policy.
gcloud network-security gateway-security-policies import policy1 \ --source=policy.yaml \ --location=REGION
Create Secure Web Proxy rules
Console
In the Google Cloud console, go to the Secure Web Proxy page.
Click the Policies tab.
Click the name of your policy.
Click Add rule.
Populate the following rule fields:
- Name
- Description
- Status
- Priority: numeric evaluation order of the rule. The rules are
evaluated from highest to lowest priority, where
0is the highest priority. - In the Action section, specify whether connections that match the rule are allowed (Allow) or denied (Deny).
- In the Session Match section, specify the criteria for
matching the session. For more information about the syntax for
SessionMatcher, see CEL matcher language reference. - Optional: If you want to enable TLS inspection, then select Enable TLS inspection.
- In the Application Match section, specify the criteria for matching the request. If you don't enable the rule for TLS inspection, then the request can only match HTTP traffic.
- Click Create.
Click Add rule to add another rule.
Cloud Shell
Create the
rule.yamlfile as shown here.```yaml name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org description: Allow wikipedia.org enabled: true priority: 1 basicProfile: ALLOW sessionMatcher: host() == 'wikipedia.org' ```Optional: Alternatively, if you want to create a rule with the TLS inspection configuration, then create the
rule.yamlfile as shown here.```yaml name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org description: Allow wikipedia.org enabled: true priority: 1 basicProfile: ALLOW sessionMatcher: host() == 'wikipedia.org' applicationMatcher: request.path.contains('index.html') tlsInspectionEnabled: true
Create the security policy rule.
gcloud network-security gateway-security-policies rules import allow-wikipedia-org \ --source=rule.yaml \ --location=REGION \ --gateway-security-policy=policy1
Set up a web proxy
This section explains how to deploy Secure Web Proxy as an explicit proxy.
Alternatively, you can deploy Secure Web Proxy either as a Private Service Connect service attachment or as a next hop.
Console
In the Google Cloud console, go to the Secure Web Proxy page.
Click the Web proxies tab.
Click Create a secure web proxy.
Enter a name for the web proxy that you want to create, such as
myswp.Enter a description of the web proxy, such as
My new swp.For Routing mode, select the Explicit option.
In the Regions list, select the region where you want to create the web proxy.
In the Network list, select the network where you want to create the web proxy.
In the Subnetwork list, select the subnetwork where you want to create the web proxy.
Enter the web proxy IP address.
In the Certificate list, select the certificate that you want to use to create the web proxy.
In the Policy list, select the policy that you created to associate the web proxy with.
Click Create.
Cloud Shell
Create the
gateway.yamlfile.name: projects/PROJECT_ID/locations/REGION/gateways/swp1 type: SECURE_WEB_GATEWAY addresses: ["IP_ADDRESS"] ports: [443] gatewaySecurityPolicy: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1 network: projects/PROJECT_ID/global/networks/NETWORK subnetwork: projects/PROJECT_ID/regions/REGION/subnetworks/SUBNETWORK routingMode: EXPLICIT_ROUTING_MODECreate a Secure Web Proxy instance.
gcloud network-services gateways import swp1 \ --source=gateway.yaml \ --location=REGIONA Secure Web Proxy instance can take several minutes to deploy.
Test connectivity
Connect to the VM that you previously provisioned.
gcloud compute ssh swp-test-vm \ --zone=ZONETest the Secure Web Proxy instance.
curl -x IP_ADDRESS
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
Delete the swp1 Secure Web Proxy instance
Console
In the Google Cloud console, go to the Secure Web Proxy page. You can view the list of all web proxies or just the web proxies that are available in a particular network.
Select the web proxy that you want to delete.
Click Delete.
Click Delete again to confirm.
Cloud Shell
gcloud network-services gateways delete swp1 \
--location=REGION
Delete the allow-wikipedia-org rule
Console
In the Google Cloud console, go to the Secure Web Proxy page. You can view the list of all web proxies or just the web proxies that are available in a particular network.
Click the Policies tab.
Click your policy.
Select the rule that you want to delete.
Click Delete.
Click Delete again to confirm.
Cloud Shell
gcloud network-security gateway-security-policies rules delete allow-wikipedia-org \
--location=REGION \
--gateway-security-policy=policy1
Delete the policy1 Secure Web Proxy policy
Console
In the Google Cloud console, go to the Secure Web Proxy page. You can view a list of all the web proxies or just those in a particular network.
Click the Policies tab.
Select the policy that you want to delete.
Click Delete.
Click Delete again to confirm.
Cloud Shell
gcloud network-security gateway-security-policies delete policy1 \
--location=REGION
Delete the swp-test-vm Linux VM instance
Console
In the Google Cloud console, go to the VM instances page.
Select the instances that you want to delete.
Click Delete.
Cloud Shell
gcloud compute instances delete swp-test-vm