Assign static IP addresses for outbound traffic

By default, Secure Web Proxy uses a managed Cloud NAT gateway (swg-autogen-nat) for outbound web traffic, which typically uses automatically allocated IP addresses. This page describes how to configure the Cloud NAT gateway to use a specific set of static external IPv4 addresses that you own and manage in your Google Cloud project. All outbound traffic from your workloads that's routed through the Secure Web Proxy then originates from one of these predefined static IPs.

Here are a few key benefits of assigning static IP addresses for your outbound traffic:

  • Predictable outbound traffic source IPs: enables external services, partners, and on-premises firewalls to add your specific IP addresses to their authorized lists, ensuring that traffic from your Secure Web Proxy instance is accepted. This is essential for accessing resources that are protected by IP-based access control lists (ACLs).

  • Dynamic port allocation (DPA): efficiently allocates available source ports from the set of static IP addresses that you assign for outbound traffic. DPA lets your workloads manage outbound traffic with a limited number of static IPs, without using up all the available ports. For more information, see Dynamic port allocation.

  • Enhanced security posture: provides a smaller, known set of IP addresses to manage and monitor, simplifying security audits and threat analysis.

  • Improved third-party integration: facilitates seamless integration with SaaS providers and APIs that require or recommend IP allowlists for enhanced security.

  • Simplified compliance: helps you meet compliance requirements for all outbound traffic points and their associated IP addresses.

Before you begin

  • Complete the initial setup steps.

  • Reserve a list of static IPv4 addresses to use for your Secure Web Proxy instance. Each reserved IP address must exist as an address resource in your project; create one by using the gcloud compute addresses create command.

  • Verify that you have the Google Cloud CLI version 406.0.0 or later installed:

     gcloud version | head -n1 
    

    If you have an earlier gcloud CLI version installed, update the version:

     gcloud components update --version=406.0.0 
    

Configure static IP addresses for Secure Web Proxy

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Locate the Cloud NAT gateway that your Secure Web Proxy instance uses. Its name is swg-autogen-nat, and it is associated with a Cloud Router (with a name in the swg-autogen-router-YYYY format) in the appropriate region and Virtual Private Cloud network.

  3. To go to the details page of the Cloud NAT gateway, click the swg-autogen-nat gateway name. The Cloud NAT gateway details page opens.

  4. Click Edit. The Edit Cloud NAT gateway page opens.

  5. For Cloud NAT IP addresses, change the setting from Automatic (recommended) to Manual.

  6. For IP addresses, select the static IP addresses that you reserved. For more information, see Configure Cloud NAT IPs for Secure Web Proxy.

    To add multiple IP addresses, click the Add IP address button.

  7. Expand the Advanced configurations section, and then select the Enable Dynamic Port Allocation checkbox.

  8. For Min ports per VM, we recommend that you enter 2048 .

  9. For Max ports per VM, we recommend that you enter 4096 .

  10. Click Save.

  11. After saving your changes, verify the following:

    1. On the Cloud NAT gateway details page, check that the IP addresses section now lists your manually selected static IP addresses.

    2. Check that Dynamic Port Allocation is enabled with the minimum and maximum ports per virtual machine (VM) that you configured earlier.

Cloud Shell

  1. To identify the Cloud Router name that was assigned while provisioning your Secure Web Proxy instance, use the gcloud compute routers list command.

     gcloud compute routers list \
         --region REGION \
         --filter="network:(NETWORK_NAME) AND name:(swg-autogen-router-*)" \
         --format="get(name)"

    Replace the following:

    • REGION : region where the Cloud Router is deployed for your Secure Web Proxy instance
    • NETWORK_NAME : name of your VPC network

    The output is similar to the following:

     swg-autogen-router-1 
    
  2. To list the automatically provisioned external IP addresses that were assigned while provisioning your Secure Web Proxy instance, use the gcloud compute routers get-status command.

     gcloud compute routers get-status ROUTER_NAME \
         --region=REGION

    The output is similar to the following:

     kind: compute#routerStatusResponse
     result:
       natStatus:
       - autoAllocatedNatIps:
         - 34.144.80.46
         - 34.144.83.75
         - 34.144.88.111
         - 34.144.94.113
         minExtraNatIpsNeeded: 0
         name: swg-autogen-nat
         numVmEndpointsWithNatMappings: 3
       network: https://www.googleapis.com/compute/projects/PROJECT_NAME/global/networks/NETWORK_NAME

    This output includes the following values:

    • PROJECT_NAME : name of your Google Cloud project
    • NETWORK_NAME : name of your VPC network
  3. To update the Cloud NAT gateway to use your predefined IP range, use the gcloud compute routers nats update command.

     gcloud compute routers nats update swg-autogen-nat \
         --router=ROUTER_NAME \
         --nat-external-ip-pool=IPv4_ADDRESSES... \
         --region=REGION

    Replace IPv4_ADDRESSES with the names of the external IPv4 address resources that you intend to use, separated by commas (,).

  4. To verify that your IP range is assigned to the Cloud NAT gateway, use the gcloud compute routers nats describe command.

     gcloud compute routers nats describe swg-autogen-nat \
         --router=ROUTER_NAME \
         --region=REGION

    The output is similar to the following:

     enableEndpointIndependentMapping: false
     icmpIdleTimeoutSec: 30
     logConfig:
       enable: false
       filter: ALL
     name: swg-autogen-nat
     natIpAllocateOption: MANUAL_ONLY
     natIps:
     - https://www.googleapis.com/compute/projects/PROJECT_NAME/regions/REGION/addresses/ADDRESS
     sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES

    This output includes the following values:

    • PROJECT_NAME : name of your Google Cloud project
    • REGION : region where the Cloud NAT gateway is deployed
    • ADDRESS : name of the static IPv4 address resource
  5. To update the Cloud NAT gateway to use the dynamic port allocation (DPA) mode, use the gcloud compute routers nats update command. DPA mode enables your Secure Web Proxy instance to use the assigned IP addresses.

     gcloud compute routers nats update swg-autogen-nat \
         --router=ROUTER_NAME \
         --min-ports-per-vm=2048 \
         --max-ports-per-vm=4096 \
         --enable-dynamic-port-allocation \
         --region=REGION

    For the --min-ports-per-vm and --max-ports-per-vm flags, we recommend that you set their values to 2048 and 4096 , respectively.

    Use Metrics Explorer to monitor metrics data for the following and adjust DPA minimum and maximum values as needed:

    • Cloud NAT Gateway - Port usage
    • Cloud NAT Gateway - New connection count
    • Cloud NAT Gateway - Open connections
  6. To verify that DPA is enabled and the minimum and maximum port values are set, use the gcloud compute routers nats describe command.

     gcloud compute routers nats describe swg-autogen-nat \
         --router=ROUTER_NAME \
         --region=REGION

    Check that the output contains natIpAllocateOption: MANUAL_ONLY and that the natIps list includes your static IP addresses.

    The output is similar to the following:

     enableDynamicPortAllocation: true
     enableEndpointIndependentMapping: false
     endpointTypes:
     - ENDPOINT_TYPE_SWG
     logConfig:
       enable: true
       filter: ERRORS_ONLY
     maxPortsPerVm: 4096
     minPortsPerVm: 2048
     name: swg-autogen-nat
     natIpAllocateOption: MANUAL_ONLY
     natIps:
     - https://www.googleapis.com/compute/projects/PROJECT_NAME/regions/REGION/addresses/ADDRESS
     sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
     type: PUBLIC

    This output includes the following values:

    • PROJECT_NAME : name of your Google Cloud project
    • REGION : region where the Cloud NAT gateway is deployed
    • ADDRESS : name of the static IPv4 address resource
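A script that re-checks the settings configured in the Cloud Shell steps above, added here as an example that is not part of the Google Cloud documentation: it parses the gcloud compute routers nats describe output and fails when the gateway is not on MANUAL_ONLY, DPA is off, the port bounds differ, or an expected address resource is missing from natIps, so the same check can run on a schedule to catch drift away from your allowlisted egress IPs. The project, region and address resource names are constructed placeholders.

```shell
# Added example (not from the Google Cloud docs): audit a Secure Web Proxy
# NAT gateway's "nats describe" output for the settings this procedure sets,
# so a gateway that drifts back to auto-allocated IPs or loses DPA is caught.
# Project, region and address names below are constructed placeholders.

# has_line TEXT LINE: true if TEXT contains LINE (surrounding blanks ignored).
has_line() {
  printf '%s\n' "$1" | grep -qE "^[[:space:]]*$2[[:space:]]*$"
}

# check_swg_nat_config OUTPUT ADDR1,ADDR2,... MIN_PORTS MAX_PORTS
# Prints each deviation; returns 0 only when every expected setting is present.
check_swg_nat_config() {
  out=$1; expected=$2; min_ports=$3; max_ports=$4; rc=0
  has_line "$out" 'natIpAllocateOption: MANUAL_ONLY' \
    || { echo "FAIL: natIpAllocateOption is not MANUAL_ONLY"; rc=1; }
  has_line "$out" 'enableDynamicPortAllocation: true' \
    || { echo "FAIL: dynamic port allocation is disabled"; rc=1; }
  has_line "$out" "minPortsPerVm: $min_ports" \
    || { echo "FAIL: minPortsPerVm is not $min_ports"; rc=1; }
  has_line "$out" "maxPortsPerVm: $max_ports" \
    || { echo "FAIL: maxPortsPerVm is not $max_ports"; rc=1; }
  # natIps entries are full resource URLs; keep only the address resource name.
  found=$(printf '%s\n' "$out" | sed -n 's#^[[:space:]]*- .*/addresses/##p')
  for addr in $(printf '%s\n' "$expected" | tr ',' ' '); do
    printf '%s\n' "$found" | grep -qx "$addr" \
      || { echo "FAIL: address resource $addr is not in natIps"; rc=1; }
  done
  return $rc
}

# Live use against a real gateway (placeholders: router name, region, addresses):
#   audit_swg_nat swg-autogen-router-1 us-central1 swg-egress-ip-1,swg-egress-ip-2
audit_swg_nat() {
  check_swg_nat_config "$(gcloud compute routers nats describe swg-autogen-nat \
    --router="$1" --region="$2" --format=yaml)" "$3" 2048 4096
}

# Constructed sample in the shape of the page's "nats describe" output.
SAMPLE_OK='enableDynamicPortAllocation: true
maxPortsPerVm: 4096
minPortsPerVm: 2048
name: swg-autogen-nat
natIpAllocateOption: MANUAL_ONLY
natIps:
- https://www.googleapis.com/compute/projects/example-project/regions/us-central1/addresses/swg-egress-ip-1
- https://www.googleapis.com/compute/projects/example-project/regions/us-central1/addresses/swg-egress-ip-2
sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES'
```

Run check_swg_nat_config against SAMPLE_OK to see it pass, or call audit_swg_nat with your own router, region and address list to check a live gateway; a non-zero exit code flags drift.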

What's next?
