Deploy a Secure Web Proxy instance
This quickstart guide explains how to deploy and test a Secure Web Proxy instance.
The steps describe deploying Secure Web Proxy in explicit routing mode, functioning as an explicit proxy. Secure Web Proxy instances in explicit routing mode can be published as a Private Service Connect service.
Alternatively, you can deploy Secure Web Proxy in next hop routing mode. For more information, see Deploy Secure Web Proxy as a next hop.
Before you begin
- Complete the initial setup steps.
- Optional: Install the Google Cloud CLI in one of the following development environments if you want to run the gcloud command-line examples in this guide:
  - Cloud Shell: to use an online terminal with the gcloud CLI already set up, activate Cloud Shell. It can take a few seconds for the session to initialize and display a command-line prompt.
  - Local shell: to use a local development environment, install the gcloud CLI on your own machine.
- Create or select a Google Cloud project.
  Console
  In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Cloud Shell
  - Create a Google Cloud project:
      gcloud projects create PROJECT_ID
    Replace PROJECT_ID with the project ID that you want.
  - Select the Google Cloud project that you created:
      gcloud config set project PROJECT_ID
- Create a Linux virtual machine (VM) instance:
    gcloud compute instances create swp-test-vm \
      --subnet=default \
      --zone=ZONE \
      --image-project=debian-cloud \
      --image-family=debian-11
  Replace ZONE with the zone of your test VM instance. Compute Engine grants the user who creates the VM the Compute Instance Admin role (roles/compute.instanceAdmin) and adds that user to the sudo group.
- Create a firewall rule that allows SSH to the VM:
    gcloud compute firewall-rules create default-allow-ssh \
      --direction=INGRESS \
      --priority=1000 \
      --network=default \
      --action=ALLOW \
      --rules=tcp:22 \
      --source-ranges=0.0.0.0/0
  Note that 0.0.0.0/0 opens TCP port 22 to every source address; for anything other than a short-lived test VM, narrow --source-ranges to the addresses you connect from.
Create a Secure Web Proxy policy
Console
- In the Google Cloud console, go to the SWP Policies page.
- Click Create a policy.
- Enter a name for the policy that you want to create, such as policy1.
- Enter a description of the policy, such as My new swp policy.
- In the Regions list, select the region where you want to create the web proxy policy.
- If you want to create rules for your policy, then click Add rule. For more information, see the Create Secure Web Proxy rules section.
- Click Create.
Cloud Shell
- Create the policy.yaml file:
    description: basic Secure Web Proxy policy
    name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
  Replace the following:
  - PROJECT_ID: the project ID of your project
  - REGION: the region of your policy
- Create the Secure Web Proxy policy:
    gcloud network-security gateway-security-policies import policy1 \
      --source=policy.yaml \
      --location=REGION
Create Secure Web Proxy rules
Console
- In the Google Cloud console, go to the SWP Policies page.
- Click the name of your policy.
- Click Add rule.
- Populate the following rule fields:
  - Name
  - Description
  - Status
  - Priority: the numeric evaluation order of the rule. Rules are evaluated from highest to lowest priority, where 0 is the highest priority.
  - In the Action section, specify whether connections that match the rule are allowed (Allow) or denied (Deny).
  - In the Session Match section, specify the criteria for matching the session. For more information about the syntax for SessionMatcher, see CEL matcher language reference.
  - Optional: If you want to enable TLS inspection, then select Enable TLS inspection.
- In the Application Match section, specify the criteria for matching the request. If you don't enable TLS inspection for the rule, then the request matcher can only match HTTP traffic, because the proxy cannot see the request inside a TLS session. For information about matching TCP traffic, see Configure TCP proxy rules for your application.
- Click Create.
- Click Add rule to add another rule.
Cloud Shell
- Create the rule.yaml file as shown here. For more information about the syntax for SessionMatcher, see CEL matcher language reference.
    name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org
    description: Allow wikipedia.org
    enabled: true
    priority: 1
    basicProfile: ALLOW
    sessionMatcher: host() == 'www.wikipedia.org'
- Optional: Alternatively, if you want to create a rule with the TLS inspection configuration, then create the rule.yaml file as shown here. For information about matching TCP traffic, see Configure TCP proxy rules for your application.
    name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org
    description: Allow wikipedia.org
    enabled: true
    priority: 1
    basicProfile: ALLOW
    sessionMatcher: host() == 'www.wikipedia.org'
    applicationMatcher: request.path.contains('index.html')
    tlsInspectionEnabled: true
  Replace the following:
  - PROJECT_ID: the ID of your project
  - REGION: the region of your policy
- Create the security policy rule:
    gcloud network-security gateway-security-policies rules import allow-wikipedia-org \
      --source=rule.yaml \
      --location=REGION \
      --gateway-security-policy=policy1
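As an added example that is not part of this guide or of the product, the following Python script simulates how rules such as allow-wikipedia-org are evaluated: lowest priority number first, with an applicationMatcher able to see an HTTPS request only when the rule enables TLS inspection. The CEL matchers are reduced to plain Python callables on host() and request.path, and denying a request that matches no rule is an assumption.

```python
# Added example (not from the Google Cloud documentation or the product):
# a minimal simulation of how the rules in this guide are evaluated.
# Matchers are reduced from CEL to plain Python callables on host() and
# request.path; denying when no rule matches is an assumption.
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Rule:
    name: str
    priority: int                                   # 0 is evaluated first
    basic_profile: str                              # "ALLOW" or "DENY"
    session_matcher: Callable[[str], bool]          # host() -> bool
    application_matcher: Optional[Callable[[str], bool]] = None  # request.path
    tls_inspection_enabled: bool = False
    enabled: bool = True

@dataclass
class Request:
    host: str
    path: str
    scheme: str                                     # "http" or "https"

def evaluate(rules: List[Rule], req: Request) -> str:
    """Return "ALLOW" or "DENY" for req, trying rules from priority 0 upwards.

    A rule with an applicationMatcher must see the request itself; for HTTPS
    that is only possible when the rule enables TLS inspection, so otherwise
    the rule is skipped (the guide's "can only match HTTP traffic").
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.enabled or not rule.session_matcher(req.host):
            continue
        if rule.application_matcher is not None:
            if req.scheme == "https" and not rule.tls_inspection_enabled:
                continue
            if not rule.application_matcher(req.path):
                continue
        return rule.basic_profile
    return "DENY"  # assumed default when no rule matches

def guide_rules(with_app_matcher: bool, tls_inspection: bool) -> List[Rule]:
    """The allow-wikipedia-org rule from rule.yaml, in either of its two forms."""
    return [Rule(
        name="allow-wikipedia-org", priority=1, basic_profile="ALLOW",
        session_matcher=lambda host: host == "www.wikipedia.org",
        application_matcher=(lambda p: "index.html" in p) if with_app_matcher else None,
        tls_inspection_enabled=tls_inspection,
    )]
```

Running evaluate with guide_rules(True, False) against an HTTPS request for /index.html returns DENY, while the same request over plain HTTP returns ALLOW, which is the behaviour the Application Match note above describes.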
Set up a web proxy
This section explains how to deploy Secure Web Proxy in explicit routing mode, functioning as an explicit proxy.
Console
- In the Google Cloud console, go to the Web Proxies page.
- Click Create a secure web proxy.
- Enter a name for the web proxy that you want to create, such as myswp.
- Enter a description of the web proxy, such as My new swp.
- For Routing mode, select the Explicit option.
- In the Regions list, select the region where you want to create the web proxy.
- In the Network list, select the network where you want to create the web proxy.
- In the Subnetwork list, select the subnetwork where you want to create the web proxy.
- Optional: Enter the Secure Web Proxy IP address. You can enter an IP address from the range of Secure Web Proxy IP addresses that reside in the subnetwork you selected in the previous step. If you don't enter an IP address, then your Secure Web Proxy instance automatically chooses one from the selected subnetwork.
- In the Certificate list, select the certificate that you want to use to create the web proxy.
- In the Policy list, select the policy that you created to associate the web proxy with.
- Click Create.
Cloud Shell
- Create the gateway.yaml file:
    name: projects/PROJECT_ID/locations/REGION/gateways/swp1
    type: SECURE_WEB_GATEWAY
    addresses: ["IP_ADDRESS"]
    ports: [443]
    gatewaySecurityPolicy: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
    network: projects/PROJECT_ID/global/networks/NETWORK
    subnetwork: projects/PROJECT_ID/regions/REGION/subnetworks/SUBNETWORK
    routingMode: EXPLICIT_ROUTING_MODE
  Replace the following:
  - PROJECT_ID: the project ID of your project
  - REGION: the region of your Secure Web Proxy instance
  - IP_ADDRESS: the IP address of your Secure Web Proxy instance
  - NETWORK: the network of your Secure Web Proxy instance
  - SUBNETWORK: the subnetwork of your Secure Web Proxy instance
- Create a Secure Web Proxy instance based on gateway.yaml:
    gcloud network-services gateways import swp1 \
      --source=gateway.yaml \
      --location=REGION
  A Secure Web Proxy instance can take several minutes to deploy.
Test connectivity
- Connect to the VM that you previously provisioned:
    gcloud compute ssh swp-test-vm \
      --zone=ZONE
  Replace ZONE with the zone of your test VM instance.
- Test the Secure Web Proxy instance:
    curl -s -o /dev/null -w "%{http_code}\n" -x IP_ADDRESS:443 https://www.wikipedia.org
  Replace IP_ADDRESS with the IP address of your Secure Web Proxy instance. This command prints the HTTP status code returned from www.wikipedia.org. If the command is successful, then the status code is 200. If there's an issue with the proxy, then the command returns a 000 status code to indicate a connection error. To view detailed error messages, add the -v option to the command.
  To confirm that the policy is actually enforced rather than the proxy passing all traffic, repeat the command with a URL that no rule allows; it should not return 200.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
Delete the swp1 Secure Web Proxy instance
Console
- In the Google Cloud console, go to the Web Proxies page. You can view the list of all web proxies or just the web proxies that are available in a particular network.
- Select the web proxy that you want to delete.
- Click Delete.
- Click Delete again to confirm.
Cloud Shell
    gcloud network-services gateways delete swp1 \
      --location=REGION
  Replace REGION with the region of your Secure Web Proxy instance.
Delete the allow-wikipedia-org rule
Console
- In the Google Cloud console, go to the Web Proxies page. You can view the list of all web proxies or just the web proxies that are available in a particular network.
- Click your policy.
- Select the rule that you want to delete.
- Click Delete.
- Click Delete again to confirm.
Cloud Shell
    gcloud network-security gateway-security-policies rules delete allow-wikipedia-org \
      --location=REGION \
      --gateway-security-policy=policy1
  Replace REGION with the region of your policy.
Delete the policy1 Secure Web Proxy policy
Console
- In the Google Cloud console, go to the Web Proxies page. You can view the list of all web proxies or just the web proxies that are available in a particular network.
- Select the policy that you want to delete.
- Click Delete.
- Click Delete again to confirm.
Cloud Shell
    gcloud network-security gateway-security-policies delete policy1 \
      --location=REGION
  Replace REGION with the region of your policy.
Delete the swp-test-vm Linux VM instance
Console
- In the Google Cloud console, go to the VM instances page.
- Select the instances that you want to delete.
- Click Delete.
Cloud Shell
    gcloud compute instances delete swp-test-vm