Configure global access for Secure Web Proxy

Secure Web Proxy is a regional service. By default, your clients must be in the same Google Cloud region as the Secure Web Proxy instance.

When you enable global access for a Secure Web Proxy instance, clients can connect from any region, not only the region where the proxy is deployed. This feature supports the following use cases:

  • Outbound traffic from a specific region: to meet cost-optimization or regulatory compliance requirements, you can force all outbound internet traffic to exit from a particular region.

  • Cross-region failover: if the primary proxy experiences any issues, you can manually redirect traffic to an alternative Secure Web Proxy instance in a different region.

Benefits

  • Increased reliability and availability: if a regional outage occurs, you can reroute traffic to alternative Secure Web Proxy instances in other available regions. To reroute traffic, you can either adjust routes for next hop mode or change DNS records for explicit proxy mode.

  • Simplified network management: manage your outbound traffic from a centralized location to simplify network administration for your organization.

Enable global access

To enable global access, you must set the allow_global_access field to true in your gateway.yaml file when you create a Secure Web Proxy instance.

You can enable global access for Secure Web Proxy in the following deployment modes:

Configuration example

The following example shows how to enable global access when you create a Secure Web Proxy instance in the explicit proxy deployment mode:

  1. Use a text editor to create a gateway.yaml file.

  2. Add the following code to the gateway.yaml file with the allow_global_access field set to true.

    name: projects/PROJECT_ID/locations/REGION/gateways/swp1
    type: SECURE_WEB_GATEWAY
    addresses: ["IP_ADDRESS"]
    ports: [443]
    gatewaySecurityPolicy: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1
    network: projects/PROJECT_ID/global/networks/NETWORK
    subnetwork: projects/PROJECT_ID/regions/REGION/subnetworks/SUBNETWORK
    routingMode: EXPLICIT_ROUTING_MODE
    allow_global_access: true

    Replace the following:

    • PROJECT_ID: ID of your project

    • REGION: region of your Secure Web Proxy instance

    • IP_ADDRESS: IP address of your Secure Web Proxy instance

    • NETWORK: network of your Secure Web Proxy instance

    • SUBNETWORK: subnetwork of your Secure Web Proxy instance. You must use the VPC subnet that you created as part of the initial setup steps.

  3. To create the Secure Web Proxy instance, use the gcloud network-services gateways import command.

    gcloud network-services gateways import swp1 \
        --source=gateway.yaml \
        --location=REGION
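Before running the import, a pre-flight check can catch copy-and-paste mistakes in gateway.yaml: resource paths wrapped onto a second line, placeholders left unreplaced, a region that differs between name, gatewaySecurityPolicy and subnetwork (the template uses the same REGION in all three), or a missing allow_global_access. The following Python script is an added example, not part of Secure Web Proxy or its documentation; the function name and sample values are constructed, and it assumes the file contains only the flat key: value lines shown above.

```python
import re

PLACEHOLDERS = ("PROJECT_ID", "REGION", "IP_ADDRESS", "NETWORK", "SUBNETWORK")
REGIONAL_KEYS = ("name", "gatewaySecurityPolicy", "subnetwork")  # paths that carry the proxy region

def check_gateway_yaml(text):
    """Return a list of problems in a flat key: value gateway.yaml (not a general YAML parser)."""
    fields, problems = {}, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not re.fullmatch(r"[A-Za-z_]+", key):
            # A resource path wrapped onto a second line ends up here.
            problems.append(f"line {number}: not a key: value pair: {line!r}")
            continue
        fields[key] = value.strip()
    for key, value in fields.items():
        for name in PLACEHOLDERS:
            # Match the placeholder as a whole token, so NETWORK does not match SUBNETWORK.
            if re.search(rf"(?<![A-Za-z0-9_-]){name}(?![A-Za-z0-9_-])", value):
                problems.append(f"{key}: placeholder {name} was not replaced")
    regions = {}
    for key in REGIONAL_KEYS:
        match = re.search(r"/(?:locations|regions)/([^/\s]+)/", fields.get(key, ""))
        if match:
            regions[key] = match.group(1)
        else:
            problems.append(f"{key}: no region found in resource path")
    if len(set(regions.values())) > 1:
        problems.append(f"regions differ across fields: {regions}")
    if fields.get("allow_global_access", "").lower() != "true":
        problems.append("allow_global_access is not set to true")
    return problems

# Constructed sample values; substitute your own file contents.
SAMPLE = """\
name: projects/example-proj/locations/us-central1/gateways/swp1
type: SECURE_WEB_GATEWAY
addresses: ["10.0.0.10"]
ports: [443]
gatewaySecurityPolicy: projects/example-proj/locations/us-central1/gatewaySecurityPolicies/policy1
network: projects/example-proj/global/networks/example-vpc
subnetwork: projects/example-proj/regions/us-central1/subnetworks/example-subnet
routingMode: EXPLICIT_ROUTING_MODE
allow_global_access: true
"""
if __name__ == "__main__":
    print(check_gateway_yaml(SAMPLE) or "gateway.yaml looks consistent")
```

An empty list means the file passed every check; the check is about the proxy's own resources only, because global access changes where clients may be, not where the gateway, policy and subnet live.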
    

Identity attributes in policy rules

Identity attributes, such as service accounts and tags, that are available for use in Secure Web Proxy policy rules remain functional regardless of whether you enable the global access feature.

Client applications and workloads from various Google Cloud regions can provide their identities, which your Secure Web Proxy instance can then use to enforce your policy rules. For more information, see Supported identities for source attributes.

Logging and monitoring

Secure Web Proxy logs include information about the source of your outbound traffic. When you enable global access for your Secure Web Proxy instance, the logs show a client application's original region, even if it differs from your proxy region. For more information, see Logs and metrics.
