Assign static IP addresses for outbound traffic

By default, Secure Web Proxy uses a managed Cloud NAT gateway (swg-autogen-nat) for outbound web traffic, which typically uses automatically allocated IP addresses. This page describes how to configure the Cloud NAT gateway to use a specific set of static external IPv4 addresses that you own and manage in your Google Cloud project. All outbound traffic from your workloads that's routed through the Secure Web Proxy then originates from one of these predefined static IPs.

Here are a few key benefits of assigning static IP addresses for your outbound traffic:

  • Predictable outbound traffic source IPs: enables external services, partners, and on-premises firewalls to add your specific IP addresses to their authorized lists, ensuring that traffic from your Secure Web Proxy instance is accepted. This is essential for accessing resources that are protected by IP-based access control lists (ACLs).

  • Dynamic port allocation (DPA): allocates source ports to each proxy endpoint on demand from the set of static IP addresses that you assign, between the minimum and maximum that you configure. DPA lets your workloads send outbound traffic through a limited number of static IPs without exhausting the available ports. For more information, see Dynamic port allocation.

  • Enhanced security posture: provides a smaller, known set of egress addresses to manage and monitor, simplifying security audits and threat analysis. Keep in mind that every workload whose traffic passes through the Secure Web Proxy instance shares these addresses, so an upstream IP allowlist cannot distinguish between those workloads; combine allowlists with per-workload authentication.

  • Improved third-party integration: facilitates seamless integration with SaaS providers and APIs that require or recommend IP allowlists for enhanced security.

  • Simplified compliance: gives you a fixed, documented set of egress points and addresses, which helps when compliance requirements call for an inventory of all outbound traffic sources.

Before you begin

  • Complete the initial setup steps.

  • Reserve the static external IPv4 addresses for your Secure Web Proxy instance by creating regional address resources with the gcloud compute addresses create command. Create them in the same project and the same region as the Cloud NAT gateway, and don't use addresses that are already attached to another resource.

  • Verify that you have the Google Cloud CLI version 406.0.0 or later installed:

    gcloud version | head -n1
    

    If you have an earlier gcloud CLI version installed, update it to the current release:

    gcloud components update
    

Configure static IP addresses for Secure Web Proxy

Console

  1. In the Google Cloud console, go to the Cloud NAT page.

    Go to Cloud NAT

  2. Locate the Cloud NAT gateway that your Secure Web Proxy instance uses. Its name is swg-autogen-nat, and it is attached to a Cloud Router whose name has the form swg-autogen-router-N (for example, swg-autogen-router-1) in the region and Virtual Private Cloud network of your Secure Web Proxy instance.

  3. To go to the details page of the Cloud NAT gateway, click the swg-autogen-nat gateway name. The Cloud NAT gateway details page opens.

  4. Click Edit. The Edit Cloud NAT gateway page opens.

  5. For Cloud NAT IP addresses, change the setting from Automatic (recommended) to Manual.

  6. For IP addresses, select the static IP addresses that you reserved. For more information, see Configure Cloud NAT IPs for Secure Web Proxy.

    To add multiple IP addresses, click the Add IP address button.

  7. Expand the Advanced configurations section, and then select the Enable Dynamic Port Allocation checkbox.

  8. For Min ports per VM, we recommend that you enter 2048.

  9. For Max ports per VM, we recommend that you enter 4096.

  10. Click Save.

  11. After saving your changes, verify the following:

    1. On the Cloud NAT gateway details page, check that the IP addresses section now lists your manually selected static IP addresses.

    2. Check that Dynamic Port Allocation is enabled and that the minimum and maximum ports per virtual machine (VM) match the values that you configured.

Cloud Shell

  1. To identify the Cloud Router name that was assigned while provisioning your Secure Web Proxy instance, use the gcloud compute routers list command.

    gcloud compute routers list \
        --regions=REGION \
        --filter="network:(NETWORK_NAME) AND name:(swg-autogen-router-*)" \
        --format="get(name)"
    

    Replace the following:

    • REGION: region where the Cloud Router is deployed for your Secure Web Proxy instance
    • NETWORK_NAME: name of your VPC network

    The output is similar to the following:

    swg-autogen-router-1
    
  2. To list the automatically allocated external IP addresses that were assigned when your Secure Web Proxy instance was provisioned, use the gcloud compute routers get-status command. The numVmEndpointsWithNatMappings value is the number of endpoints that currently hold NAT mappings; use it when sizing the static address pool against the per-endpoint port limits.

    gcloud compute routers get-status ROUTER_NAME  \
        --region=REGION
    

    The output is similar to the following:

    kind: compute#routerStatusResponse
    result:
      natStatus:
      - autoAllocatedNatIps:
        - 34.144.80.46
        - 34.144.83.75
        - 34.144.88.111
        - 34.144.94.113
        minExtraNatIpsNeeded: 0
        name: swg-autogen-nat
        numVmEndpointsWithNatMappings: 3
      network: https://www.googleapis.com/compute/projects/PROJECT_NAME/global/networks/NETWORK_NAME
    

    This output includes the following values:

    • PROJECT_NAME: name of your Google Cloud project
    • NETWORK_NAME: name of your VPC network
  3. To update the Cloud NAT gateway to use your reserved addresses, use the gcloud compute routers nats update command. Passing --nat-external-ip-pool switches the gateway from automatic to manual allocation (natIpAllocateOption: MANUAL_ONLY) in the same operation.

    gcloud compute routers nats update swg-autogen-nat  \
        --router=ROUTER_NAME \
        --nat-external-ip-pool=IPv4_ADDRESSES... \
        --region=REGION
    

    Replace IPv4_ADDRESSES with a comma-separated list of the names of the reserved external IPv4 address resources (the resource names, not the addresses themselves). The automatically allocated addresses are released when the update applies, and connections that were using them are terminated, so make this change in a maintenance window.

  4. To verify that your IP range is assigned to the Cloud NAT gateway, use the gcloud compute routers nats describe command.

    gcloud compute routers nats describe swg-autogen-nat \
        --router=ROUTER_NAME  \
        --region=REGION
    

    The output is similar to the following:

    enableEndpointIndependentMapping: false
    icmpIdleTimeoutSec: 30
    logConfig:
      enable: false
      filter: ALL
    name: swg-autogen-nat
    natIpAllocateOption: MANUAL_ONLY
    natIps:
    - https://www.googleapis.com/compute/projects/PROJECT_NAME/regions/REGION/addresses/ADDRESS
    sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
    

    This output includes the following values:

    • PROJECT_NAME: name of your Google Cloud project
    • REGION: region where the Cloud NAT gateway is deployed
    • ADDRESS: name of the static IPv4 address resource
  5. To enable dynamic port allocation (DPA) on the Cloud NAT gateway, use the gcloud compute routers nats update command. With DPA, each proxy endpoint is allocated source ports on demand from the static addresses, between the minimum and maximum that you set, so a small set of addresses serves a varying number of endpoints without exhausting ports. DPA requires endpoint-independent mapping to be disabled, which the describe output from the previous step shows as enableEndpointIndependentMapping: false.

    gcloud compute routers nats update swg-autogen-nat  \
        --router=ROUTER_NAME \
        --min-ports-per-vm=2048 \
        --max-ports-per-vm=4096 \
        --enable-dynamic-port-allocation \
        --region=REGION
    

    For the --min-ports-per-vm and --max-ports-per-vm flags, we recommend that you set their values to 2048 and 4096, respectively.

    Use Metrics Explorer to monitor metrics data for the following and adjust DPA minimum and maximum values as needed:

    • Cloud NAT Gateway - Port usage
    • Cloud NAT Gateway - New connection count
    • Cloud NAT Gateway - Open connections
  6. To verify that your DPA is enabled and the minimum and maximum port values are set, use the gcloud compute routers nats describe command.

    gcloud compute routers nats describe swg-autogen-nat \
        --router=ROUTER_NAME \
        --region=REGION
    

    In the output, confirm that natIpAllocateOption is MANUAL_ONLY, that the natIps list contains only your reserved address resources, and that enableDynamicPortAllocation is true with minPortsPerVm and maxPortsPerVm set to the values that you chose.

    The output is similar to the following:

    enableDynamicPortAllocation: true
    enableEndpointIndependentMapping: false
    endpointTypes:
    - ENDPOINT_TYPE_SWG
    logConfig:
      enable: true
      filter: ERRORS_ONLY
    maxPortsPerVm: 4096
    minPortsPerVm: 2048
    name: swg-autogen-nat
    natIpAllocateOption: MANUAL_ONLY
    natIps:
    - https://www.googleapis.com/compute/projects/PROJECT_NAME/regions/REGION/addresses/ADDRESS
    sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
    type: PUBLIC
    

    This output includes the following values:

    • PROJECT_NAME: name of your Google Cloud project
    • REGION: region where the Cloud NAT gateway is deployed
    • ADDRESS: name of the static IPv4 address resource
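    The checks in steps 4 and 6 are easy to skip when the describe output is long, and they say nothing about whether the addresses you reserved are enough. The following script is an added example, not part of this page, of the Secure Web Proxy product, or of the gcloud CLI. It parses the JSON that gcloud compute routers nats describe swg-autogen-nat --router=ROUTER_NAME --region=REGION --format=json returns, verifies the state the procedure above establishes (MANUAL_ONLY, only the reserved address resources, DPA on, endpoint-independent mapping off, the chosen port range), and estimates how many addresses the endpoint count from step 2 (numVmEndpointsWithNatMappings) needs if every endpoint grows to maxPortsPerVm. Cloud NAT doesn't hand out the well-known ports 1 through 1023, so each IPv4 address offers 64,512 source ports. The field names are the Cloud NAT API fields shown in the outputs above; the project my-project, the region us-central1, the address names swg-egress-1 and swg-egress-2, and the two sample documents are constructed for this example.

    ```python
    """Verify the swg-autogen-nat gateway after switching it to static addresses.

    Added example, not part of the Secure Web Proxy documentation or the gcloud CLI.
    Input is the JSON from:
      gcloud compute routers nats describe swg-autogen-nat \
          --router=ROUTER_NAME --region=REGION --format=json
    """
    import json
    import math
    import sys

    # Cloud NAT never allocates ports 1-1023, so each IPv4 address
    # offers 64,512 source ports (1024 through 65535).
    PORTS_PER_IP = 64512


    def load_nat(text):
        """Parse `nats describe --format=json` output into a dict."""
        return json.loads(text)


    def ips_needed(endpoints, ports_per_endpoint):
        """Addresses required if every endpoint holds ports_per_endpoint ports at once."""
        return math.ceil(endpoints * ports_per_endpoint / PORTS_PER_IP)


    def check_swg_nat(nat, expected_addresses, endpoints, min_ports=2048, max_ports=4096):
        """Return a list of findings; an empty list means the gateway matches the procedure."""
        findings = []

        if nat.get("natIpAllocateOption") != "MANUAL_ONLY":
            findings.append("natIpAllocateOption is %r, expected MANUAL_ONLY"
                            % nat.get("natIpAllocateOption"))

        # natIps holds full resource URLs; compare on the trailing resource name
        # so the check is independent of project and region.
        actual = {url.rsplit("/", 1)[-1] for url in nat.get("natIps", [])}
        if actual != set(expected_addresses):
            findings.append("natIps %s do not match reserved %s"
                            % (sorted(actual), sorted(expected_addresses)))

        if not nat.get("enableDynamicPortAllocation"):
            findings.append("dynamic port allocation is disabled")
        # DPA requires endpoint-independent mapping to be off.
        if nat.get("enableEndpointIndependentMapping"):
            findings.append("endpoint-independent mapping is enabled; DPA requires it disabled")
        if (nat.get("minPortsPerVm"), nat.get("maxPortsPerVm")) != (min_ports, max_ports):
            findings.append("ports per VM are %s/%s, expected %d/%d"
                            % (nat.get("minPortsPerVm"), nat.get("maxPortsPerVm"),
                               min_ports, max_ports))

        # Capacity: would the assigned addresses still suffice if every endpoint
        # grew to maxPortsPerVm?
        ports = nat.get("maxPortsPerVm") or max_ports
        needed = ips_needed(endpoints, ports)
        if needed > len(actual):
            findings.append("%d endpoints at %d ports each need %d addresses, %d assigned"
                            % (endpoints, ports, needed, len(actual)))
        return findings


    # Constructed sample mirroring the page's describe output after the procedure.
    # Project, region and address names are hypothetical.
    AFTER = """{
      "enableDynamicPortAllocation": true,
      "enableEndpointIndependentMapping": false,
      "endpointTypes": ["ENDPOINT_TYPE_SWG"],
      "maxPortsPerVm": 4096,
      "minPortsPerVm": 2048,
      "name": "swg-autogen-nat",
      "natIpAllocateOption": "MANUAL_ONLY",
      "natIps": [
        "https://www.googleapis.com/compute/projects/my-project/regions/us-central1/addresses/swg-egress-1",
        "https://www.googleapis.com/compute/projects/my-project/regions/us-central1/addresses/swg-egress-2"
      ],
      "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
      "type": "PUBLIC"
    }"""

    # Constructed sample of the default state: automatic allocation, no DPA.
    BEFORE = """{
      "enableEndpointIndependentMapping": false,
      "name": "swg-autogen-nat",
      "natIpAllocateOption": "AUTO_ONLY",
      "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES"
    }"""

    # Names of the address resources reserved in "Before you begin" (hypothetical).
    RESERVED = {"swg-egress-1", "swg-egress-2"}

    if __name__ == "__main__":
        # With --stdin, read real describe output; otherwise use the constructed sample.
        text = sys.stdin.read() if "--stdin" in sys.argv else AFTER
        # 3 is numVmEndpointsWithNatMappings from the get-status output in step 2.
        for finding in check_swg_nat(load_nat(text), RESERVED, endpoints=3) or ["OK"]:
            print(finding)
    ```

    To run it against a real gateway, pipe the describe output in: gcloud compute routers nats describe swg-autogen-nat --router=ROUTER_NAME --region=REGION --format=json | python3 check_swg_nat.py --stdin, after replacing RESERVED and the endpoint count with your own values. With the recommended maximum of 4096 ports per endpoint, one address covers at most 15 endpoints at full load; the capacity finding tells you when to reserve more before the Port usage metric does.
    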

What's next?