Deploy a Secure Web Proxy instance
This quickstart shows you how to deploy and test a Secure Web Proxy instance.
Before you begin
Complete initial setup steps.
To run the commands on this page, set up the Google Cloud CLI in one of the following development environments:
Cloud Shell
To use an online terminal with the gcloud CLI already set up, activate Cloud Shell:
At the end of this page, a Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize.
Local shell
To use a local development environment, follow these steps:
Create or select a Google Cloud project.
Console
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Cloud Shell
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_ID
with the project ID that you want.Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Create a Linux virtual machine (VM) instance:
gcloud compute instances create swp-test-vm \ --subnet=default \ --zone=ZONE \ --image-project=debian-cloud \ --image-family=debian-11
Compute Engine grants the user who creates the VM with the Compute Instance Admin role (
roles/compute.instanceAdmin
). Compute Engine also adds that user to the sudo group.Create a firewall rule:
gcloud compute firewall-rules create default-allow-ssh \ --direction=INGRESS \ --priority=1000 \ --network=default \ --action=ALLOW \ --rules=tcp:22 \ --source-ranges=0.0.0.0/0
Create a Secure Web Proxy policy
Console
In the Google Cloud console, go to the Network Security page.
Click Secure Web Proxy.
Click the Policies tab.
Click Create a policy.
Enter a name for the policy that you want to create, such as
myswppolicy
.Enter a description of the policy, such as
My new swp policy
.In the Regions list, select the region where you want to create the web proxy policy.
If you want to configure TLS inspection for the web proxy, select Configure TLS inspection.
In the TLS inspection policy list, select the TLS inspection policy that you created. The TLS inspection policy appears in the list only if you created it.
If you want to create rules for your policy, click Continue, and then click Add rule. For details, see Create Secure Web Proxy rules.
Click Create.
Cloud Shell
Some web proxy policies require that traffic be TLS encrypted for evaluation. Depending on whether you want TLS encryption, use any of the following methods to create a policy:
Create a policy with the TLS inspection configuration.
To enable TLS inspection, perform the procedure described in Enable TLS inspection and then create the file
policy.yaml
:description: basic Secure Web Proxy policy name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1 tlsInspectionPolicy: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME
Create a policy without the TLS inspection configuration.
If you do not want to enable TLS inspection, create the file
policy.yaml
:description: basic Secure Web Proxy policy name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
Create the Secure Web Proxy policy:
gcloud network-security gateway-security-policies import policy1 \ --source=policy.yaml \ --location=REGION
Create Secure Web Proxy rules
Console
In the Google Cloud console, go to the Network Security page.
Click Secure Web Proxy.
Click the Policies tab.
Click the name of your policy.
Click Add rule.
Populate the rule fields:
- Name
- Description
- Status
- Priority: the numeric evaluation order of the rule. The rules are
evaluated from highest to lowest priority where
0
is the highest priority. - In the Action section, specify whether connections that match the rule are allowed (Allow) or denied (Deny).
- In the Session Match section, specify the criteria for
matching the session. For more information about the syntax for
SessionMatcher
, see the CEL matcher language reference. - To enable TLS inspection, select Enable TLS inspection.
- In the Application Match section, specify the criteria for matching the request. If you do not enable the rule for TLS inspection, then the request can only match HTTP traffic.
- Click Create.
Click Add rule to add another rule.
Click Create to create the policy.
Cloud Shell
Depending on whether you want TLS encryption, use any of the following methods to create a rule:
Create a rule with the TLS inspection configuration.
To enable TLS inspection, create the file
rule.yaml
:name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org description: Allow wikipedia enabled: true priority: 1 basicProfile: ALLOW sessionMatcher: host() == 'wikipedia.org' applicationMatcher: request.path.contains('index.html') tlsInspectionEnabled: true
Create a rule without the TLS inspection configuration.
If you do not want to enable TLS inspection, create the file
rule.yaml
:name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-wikipedia-org description: Allow wikipedia.org enabled: true priority: 1 basicProfile: ALLOW sessionMatcher: host() == 'wikipedia.org'
Create the security policy rule:
gcloud network-security gateway-security-policies rules import allow-wikipedia-org \ --source=rule.yaml \ --location=REGION \ --gateway-security-policy=policy1
Set up a web proxy
Console
In the Google Cloud console, go to the Network Security page.
Click Secure Web Proxy.
Click the Web proxies tab.
Click Set up a web proxy.
Enter a name for the web proxy that you want to create, such as
myswp
.Enter a description of the web proxy, such as
My new swp
.In the Regions list, select the region where you want to create the web proxy.
In the Network list, select the network where you want to create the web proxy.
In the Subnetwork list, select the subnetwork where you want to create the web proxy.
Enter the web proxy IP address.
In the Certificate list, select the certificate that you want to use to create the web proxy.
In the Policy list, select the policy that you created to associate the web proxy with.
Click Create.
Cloud Shell
Create the file
gateway.yaml
:name: projects/PROJECT_ID/locations/REGION/gateways/swp1 type: SECURE_WEB_GATEWAY addresses: ["10.128.0.99"] ports: [443] certificateUrls: ["projects/PROJECT_ID/locations/REGION/certificates/cert1"] gatewaySecurityPolicy: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1 network: projects/PROJECT_ID/global/networks/default subnetwork: projects/PROJECT_ID/regions/REGION/subnetworks/default scope: samplescope
Create a Secure Web Proxy instance:
gcloud network-services gateways import swp1 \ --source=gateway.yaml \ --location=REGION
A Secure Web Proxy instance can take several minutes to deploy.
Test connectivity
Connect to the VM that you previously provisioned:
gcloud compute ssh swp-test-vm \ --zone=ZONE
Test the Secure Web Proxy instance:
curl -x http://10.128.0.99:80 https://wikipedia.org
If you configured the Secure Web Proxy instance for TLS inspection, use the following command:
curl -x http://10.128.0.99:80 https://wikipedia.org/index.html
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
Delete the Secure Web Proxy instance swp1
Console
In the Google Cloud console, go to the Network Security page.
Click Secure Web Proxy. You can view a list of all the web proxies or just those in a particular network.
Select the web proxy that you want to delete.
Click Delete.
Click Delete again to confirm.
Cloud Shell
gcloud network-services gateways delete swp1 \
--location=REGION
Delete the rule allow-wikipedia-org
Console
In the Google Cloud console, go to the Network Security page.
Click Secure Web Proxy. You can view a list of all the web proxies or just those in a particular network.
Click the Policies tab.
Click your policy.
Select the rule that you want to delete.
Click Delete.
Click Delete again to confirm.
Cloud Shell
gcloud network-security gateway-security-policies rules delete allow-wikipedia-org \
--location=REGION \
--gateway-security-policy=policy1
Delete the Secure Web Proxy policy policy1
Console
In the Google Cloud console, go to the Network Security page.
Click Secure Web Proxy. You can view a list of all the web proxies or just those in a particular network.
Click the Policies tab.
Select the policy that you want to delete.
Click Delete.
Click Delete again to confirm.
Cloud Shell
gcloud network-security gateway-security-policies delete policy1 \
--location=REGION
Delete the Linux VM instance swp-test-vm
Console
In the Google Cloud console, go to the VM instances page.
Select the instances that you want to delete.
Click Delete.
Cloud Shell
gcloud compute instances delete swp-test-vm