Stay organized with collectionsSave and categorize content based on your preferences.
This document shows you how to assign your own enterprise IP addresses, or
static Google Cloud IP addresses, that Secure Web Proxy uses for egress traffic.
Ensure that you have a list of static IPv4 addresses reserved to use for
Secure Web Proxy. If you want to reserve IP addresses in Google Cloud, see thegcloud compute addresses createcommandto create an address
resource.
Verify that you have the Google Cloud CLI version 406.0.0 or later installed:
gcloud version | head -n1
If you have an earlier gcloud CLI version installed, update the version:
gcloud components update --version=406.0.0
Enable static IP addresses for Secure Web Proxy
Do the following:
Identify the Cloud Router name assigned during Secure Web Proxy
provisioning:
gcloud compute routers list \
--regionREGION\
--filter="network:(NETWORK_NAME) AND name:(swg-autogen-router-*)" \
--format="get(name)"
Replace the following:
REGION: the region that the Cloud Router is
deployed for Secure Web Proxy
NETWORK_NAME: the name of your VPC
network
The output is similar to the following:
swg-autogen-router-1
List the external automatically provisioned IP addresses assigned during
Secure Web Proxy provisioning:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Assign static IP addresses for egress traffic\n\nThis document shows you how to assign your own enterprise IP addresses, or\nstatic Google Cloud IP addresses, that Secure Web Proxy uses for egress traffic.\n\nBefore you begin\n----------------\n\n- Complete the [initial setup\n steps](/secure-web-proxy/docs/initial-setup-steps).\n\n- Ensure that you have a list of static IPv4 addresses reserved to use for\n Secure Web Proxy. If you want to reserve IP addresses in Google Cloud, see the\n [`gcloud compute addresses create` command](/sdk/gcloud/reference/compute/addresses/create) to create an address\n resource.\n\n- Verify that you have the Google Cloud CLI version 406.0.0 or later installed:\n\n gcloud version | head -n1\n\n If you have an earlier gcloud CLI version installed, update the version: \n\n gcloud components update --version=406.0.0\n\nEnable static IP addresses for Secure Web Proxy\n-----------------------------------------------\n\nDo the following:\n\n1. Identify the Cloud Router name assigned during Secure Web Proxy\n provisioning:\n\n gcloud compute routers list \\\n --region \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e \\\n --filter=\"network:(\u003cvar translate=\"no\"\u003eNETWORK_NAME\u003c/var\u003e) AND name:(swg-autogen-router-*)\" \\\n --format=\"get(name)\"\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e: the region that the Cloud Router is deployed for Secure Web Proxy\n - \u003cvar translate=\"no\"\u003eNETWORK_NAME\u003c/var\u003e: the name of your VPC network\n\n The output is similar to the following: \n\n swg-autogen-router-1\n\n2. List the external automatically provisioned IP addresses assigned during\n Secure Web Proxy provisioning:\n\n gcloud compute routers get-status \u003cvar translate=\"no\"\u003eROUTER_NAME\u003c/var\u003e \\\n --region=\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e\n\n The output is similar to the following: \n\n kind: compute#routerStatusResponse\n result:\n natStatus:\n - autoAllocatedNatIps:\n - 34.144.80.46\n - 34.144.83.75\n - 34.144.88.111\n - 34.144.94.113\n minExtraNatIpsNeeded: 0\n name: swg-autogen-nat\n numVmEndpointsWithNatMappings: 3\n network: https://www.googleapis.com/compute/projects/PROJECT_NAME/global/networks/NETWORK_NAME\n\n | **Note:** In the preceding output, the `swg-autogen-nat` Cloud NAT gateway has four automatically provisioned IP addresses. The Secure Web Proxy can scale up or scale down automatically provisioned Cloud NAT IP addresses based on your Google Cloud workload.\n3. Update the Cloud NAT gateway to use your predefined IP range:\n\n gcloud compute routers nats update swg-autogen-nat \\\n --router=\u003cvar translate=\"no\"\u003eROUTER_NAME\u003c/var\u003e \\\n --nat-external-ip-pool=\u003cvar translate=\"no\"\u003eIPv4_ADDRESSES\u003c/var\u003e... \\\n --region=\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eIPv4_ADDRESSES\u003c/var\u003e with the name of the external\n IPv4 address resource that you intend to use, separated by a comma (`,`).\n4. Verify that your IP range is assigned to the Cloud NAT gateway:\n\n gcloud compute routers nats describe swg-autogen-nat \\\n --router=\u003cvar translate=\"no\"\u003eROUTER_NAME\u003c/var\u003e \\\n --region=\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e\n\n The output is similar to the following: \n\n enableEndpointIndependentMapping: false\n icmpIdleTimeoutSec: 30\n logConfig:\n enable: false\n filter: ALL\n name: swg-autogen-nat\n natIpAllocateOption: MANUAL_ONLY\n natIps:\n - https://www.googleapis.com/compute/projects/PROJECT_NAME/regions/REGION/addresses/ADDRESS\n sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES\n\n5. Update the Cloud NAT gateway to use Dynamic Port Allocation (DPA)\n mode. DPA mode allows Secure Web Proxy to fully use the assigned IP\n addresses.\n\n gcloud compute routers nats update swg-autogen-nat \\\n --router=\u003cvar translate=\"no\"\u003eROUTER_NAME\u003c/var\u003e \\\n --min-ports-per-vm=2048 \\\n --max-ports-per-vm=4096 \\\n --enable-dynamic-port-allocation \\\n --region=\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e\n\n For `--min-ports-per-vm` and `--max-ports-per-vm` flags, we recommend that\n you use values `2048` and `4096`, respectively.\n\n Use [Metrics Explorer](https://cloud.google.com/monitoring/charts/metrics-selector#basic-advanced-mode)\n to monitor metrics data for the following and adjust DPA minimum and maximum\n values as needed:\n - `Cloud NAT Gateway - Port usage`\n - `Cloud NAT Gateway - New connection count`\n - `Cloud NAT Gateway - Open connections`\n6. Verify that your DPA is enabled and the minimum and maximum port values\n are set:\n\n gcloud compute routers nats describe swg-autogen-nat \\\n --router=\u003cvar translate=\"no\"\u003eROUTER_NAME\u003c/var\u003e \\\n --region=\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e\n\n The output is similar to the following: \n\n enableDynamicPortAllocation: true\n enableEndpointIndependentMapping: false\n endpointTypes:\n - ENDPOINT_TYPE_SWG\n logConfig:\n enable: true\n filter: ERRORS_ONLY\n maxPortsPerVm: 4096\n minPortsPerVm: 2048\n name: swg-autogen-nat\n natIpAllocateOption: MANUAL_ONLY\n natIps:\n - https://www.googleapis.com/compute/projects/PROJECT_NAME/regions/REGION/addresses/ADDRESS\n sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES\n type: PUBLIC\n\nWhat's next?\n------------\n\n- [Use tags to create policies](/secure-web-proxy/docs/use-tags)\n- [Use a URL list to create policies](/secure-web-proxy/docs/use-url-list)"]]
