Resource Manager tags control the access to your Google Cloud resources. Resource Manager tags let you organize your Google Cloud resources and conditionally allow or deny policies based on whether a resource has a specific tag. You can use Resource Manager tags to tag each virtual machine (VM) instance by segment and service type. Resource Manager tags let you uniquely identify hosts when creating Secure Web Proxy policies.
This guide shows you how to do the following:
- Create a Secure Web Proxy instance with an empty policy.
- Create and apply Resource Manager tags to VM instances.
- Use Resource Manager tags to create a Secure Web Proxy policy.
- Create a Secure Web Proxy instance.
- Test connectivity from your VMs.
Before you begin
Complete the initial setup steps.
Have an organization administrator grant you the necessary role to create and update tags.
Verify that you have the Google Cloud CLI version 406.0.0 or later installed:
gcloud version | head -n1
If you have an earlier gcloud CLI version installed, update the version:
gcloud components update --version=406.0.0
Create a Secure Web Proxy instance with an empty policy
To create a Secure Web Proxy instance, first create an empty security policy and then create a web proxy.
Create an empty security policy
Console
In the Google Cloud console, go to the Network Security page.
Click Secure Web Proxy.
Click the Policies tab.
Click Create a policy.
Enter a name for the policy that you want to create, such as
myswppolicy
.Enter a description of the policy, such as
My new swp policy
.In the Regions list, select the region where you want to create the policy.
Click Create.
Cloud Shell
Use your preferred text editor to create the file
POLICY_FILE
.yaml. ReplacePOLICY_FILE
with the filename that you want for the policy file.Add the following to the YAML file that you created:
name: projects/PROJECT_NAME/locations/REGION/gatewaySecurityPolicies/POLICY_NAME description: POLICY_DESCRIPTION
Replace the following:
PROJECT_NAME
: the name of your projectREGION
: the region that this policy applies toPOLICY_NAME
: the name of the policy that you're creatingPOLICY_DESCRIPTION
: the description of the policy that you're creating
Import the security policy:
gcloud network-security gateway-security-policies import POLICY_NAME \ --source=POLICY_FILE.yaml \ --location=REGION
Create a web proxy
Console
In the Google Cloud console, go to the Network Security page.
Click Secure Web Proxy.
Click Set up a web proxy.
Enter a name for the web proxy that you want to create, such as
myswp
.Enter a description of the web proxy, such as
My new swp
.In the Regions list, select the region where you want to create the web proxy.
In the Network list, select the network where you want to create the web proxy.
In the Subnetwork list, select the subnetwork where you want to create the web proxy.
Enter the web proxy IP address.
In the Certificate list, select the certificate that you want to use to create the web proxy.
In the Policy list, select the policy that you created to associate the web proxy with.
Click Create.
Cloud Shell
Use your preferred text editor to create the file
GATEWAY_FILE
.yaml. ReplaceGATEWAY_FILE
with the filename that you want for the web proxy file.Add the following to the YAML file that you created:
name: projects/PROJECT_NAME/locations/REGION/gateways/GATEWAY_NAME type: SECURE_WEB_GATEWAY ports: [GATEWAY_PORT_NUMBERS] certificateUrls: [CERTIFICATE_URLS] gatewaySecurityPolicy: projects/PROJECT_NAME/locations/REGION/gatewaySecurityPolicies/POLICY_NAME network: projects/PROJECT_NAME/global/networks/NETWORK_NAME subnetwork: projects/PROJECT_NAME/regions/REGION/subnetworks/SUBNET_NAME addresses: [GATEWAY_IP_ADDRESS] scope: samplescope
Replace the following:
GATEWAY_NAME
: the name for this instanceGATEWAY_PORT_NUMBERS
: a list of port numbers for this gateway, such as[80,443]
CERTIFICATE_URLS
: a list of SSL certificate URLsSUBNET_NAME
: the name of the subnet that containsGATEWAY_IP_ADDRESS
GATEWAY_IP_ADDRESS
: an optional list of IP addresses for your Secure Web Proxy instances within the proxy subnets previously created in the initial setup stepsIf you choose not to list IP addresses, omit the field to have the web proxy choose an IP address for you.
Create a Secure Web Proxy instance:
gcloud network-services gateways import GATEWAY_NAME \ --source=GATEWAY_FILE.yaml \ --location=REGION
Test connectivity
To test connectivity, use the curl
command from any VM within your
Virtual Private Cloud (VPC) network:
curl -x https://GATEWAY_IP_ADDRESS:PORT_NUMBER https://www.example.com --proxy-insecure
A 403 Forbidden
error is expected.
Create and attach Resource Manager tags
Do the following to create and attach Resource Manager tags:
Create the tag keys and values.
When you create your tag, designate it with a
GCE_FIREWALL
purpose. Google Cloud networking features, including Secure Web Proxy, require theGCE_FIREWALL
purpose to apply the tag. However, you can use the tag for other actions.
Create Secure Web Proxy rules
To create Secure Web Proxy rules, do the following:
Use your preferred text editor to create a
RULE_FILE
.yaml file. ReplaceRULE_FILE
with your chosen filename.To allow access to a URL from the chosen tag, add the following to the YAML file:
name: projects/PROJECT_NAME/locations/REGION/gatewaySecurityPolicies/POLICY_NAME/rules/RULE_NAME description: RULE_DESCRIPTION enabled: true priority: RULE_PRIORITY sessionMatcher: CEL_EXPRESSION basicProfile: ALLOW
Replace the following:
RULE_NAME
: a name for this ruleRULE_DESCRIPTION
: a description for the rule that you're creatingRULE_PRIORITY
: the priority for this rule; a lower number corresponds to a higher priorityCEL_EXPRESSION
: a Common Expression Language (CEL) expressionFor more information, see CEL matcher language reference.
For example, to allow access to
example.com
from the desired tag, add the following to the YAML file that you created for thesessionMatcher
:sessionMatcher: "source.matchTag('TAG_VALUE') && host() == 'example.com'"
Replace
TAG_VALUE
with the tag that you want to allow, of the formtagValues/1234
.Import the rules that you created:
gcloud network-security gateway-security-policies rules import RULE_NAME \ --source=RULE_FILE.yaml \ --location=REGION \ --gateway-security-policy=POLICY_NAME
Test connectivity
To test connectivity, use the curl
command from any VM associated
with the TAG_VALUE
tag:
curl -x https://IPv4_ADDRESS:443 http://example.com
--proxy-insecure
Replace IPv4_ADDRESS
with the IPv4 address of your
Secure Web Proxy instance.