This page explains gateway security policies and how to create them.
Gateway security policies
A gateway security policy acts as a centralized container for all security rules that govern traffic flow through your Secure Web Proxy instance. Policies let you effectively manage access control for the proxy's outbound web traffic.
You can define a policy and associate it with your Secure Web Proxy instance. This helps ensure that all outgoing web traffic from your network adheres to a consistent set of security standards.
Gateway security policies are based on the following three parameters:
Traffic source: Secure Web Proxy identifies the traffic source by using various attributes such as service accounts, secure tags, and IP addresses.
Allowed destination: Secure Web Proxy determine the allowed destinations by using a domain, a full URL path (if TLS inspection is enabled), URL lists, or the destination port.
Request details: Secure Web Proxy evaluates request attributes such as the protocol, HTTP method, and request headers. To perform this analysis for encrypted traffic, you must enable TLS inspection.
Source attributes
Secure Web Proxy policies identify the source of the traffic by using the following cloud identity and network location data:
- Service accounts: unique identities that are assigned to your applications or workloads. Service accounts let you create policies based on an application's specific function.
- Secure tags: labels that you can apply
to your Google Cloud resources like virtual machine (VM) instances.
Tags let you group workloads by function or environment. For example,
"Allow all resources labeled
Productionto access approved domains." - IP addresses: network address of the sender. You can assign your enterprise or static Google Cloud IP addresses that Secure Web Proxy uses for outbound traffic.
Supported identities for source attributes
Secure Web Proxy uses source identity-based policies, such as service accounts and secure tags, to control web traffic. These policies let you apply rules based on the source identity of the traffic, rather than just the IP address.
The following table shows the Google Cloud services that support source identity-based policies:
| Google Cloud services | Service account support | Secure tag support |
|---|---|---|
| Compute Engine virtual machine (VM) | ||
| Google Kubernetes Engine (GKE) node | ||
| Google Kubernetes Engine (GKE) container | 1 | 1 |
| Direct VPC for Cloud Run | 1 | |
| Serverless VPC Access connector | 2 | 2 |
| Cloud VPN | 1 | 1 |
| Cloud Interconnect on premises | 1 | 1 |
| Application Load Balancer | ||
| Network Load Balancer |
2 Source IP address is unique and can be used instead.
The following table shows the Virtual Private Cloud (VPC) architectures that support source identity-based security policies:
| VPC | VPC architecture | Support |
|---|---|---|
| Within VPC | Cross project (Shared VPC) | |
| Cross VPC | Cross peering link (peer VPC) | |
| Cross VPC | Cross Private Service Connect | |
| Cross VPC | Cross Network Connectivity Center spokes |
Destination attributes
Secure Web Proxy policies determine whether a destination is approved by analyzing the following attributes of the target website or service:
Destination domain: the website address, such as
example.com.URL lists: predefined lists of approved or blocked URLs that simplify policy management.
Destination port: network port to which your Secure Web Proxy instance sends traffic. For example,
443for HTTPS.Full URL path: exact path of the website. You must enable TLS inspection to view the entire content on the specific web page.
For HTTP and HTTPS destination traffic, you can use the host
destination attribute and various request.*
destination-related attributes, like request.method, for your application.
For more information about the destination attributes that you can use for HTTP and HTTPS traffic, see Attributes.
Create a security policy
Before creating a gateway security policy, make sure that you complete the following initial setup steps:
- Obtain Identity and Access Management (IAM) roles and permissions
- Create a Google Cloud project
- Enable billing for your Google Cloud project
After creating a policy, you can create rules and add them to the policy. For more information about how to associate a policy with your Secure Web Proxy instance, see Set up a web proxy.
Console
In the Google Cloud console, go to the SWP Policies page.
Click Create a policy.
Enter a name for the policy that you want to create, such as
policy1.Enter a description of the policy, such as
My new swp policy.In the Regions list, select the region where you want to create the policy, such as
us-central1.If you want to create rules for your policy, then click Add rule. For more information, see Create a Secure Web Proxy rule.
Click Create.
Cloud Shell
Use your preferred text editor to create a
policy.yamlfile.Add the following to the
policy.yamlfile that you created:description: basic Secure Web Proxy policy name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1Replace the following:
PROJECT_ID: ID of your projectREGION: region where your policy is created, such asus-central1
Create the Secure Web Proxy policy.
gcloud network-security gateway-security-policies import policy1 \ --source=policy.yaml \ --location=REGION
What's next
- Security rules
- Deploy Secure Web Proxy as a Private Service Connect service
- Deploy Secure Web Proxy as next hop