Secure Web Proxy overview

Secure Web Proxy is a cloud-first service that helps you secure egress web traffic (HTTP/S). You configure your clients to explicitly use Secure Web Proxy as a gateway. The web requests can originate from the following sources:

  • Virtual machine (VM) instances
  • Containers
  • A serverless environment that uses a serverless connector
  • Workloads outside of Google Cloud connected by Cloud VPN or Cloud Interconnect

Secure Web Proxy enables flexible and granular policies based on cloud-first identities and web applications.

Deployment modes

You can deploy Secure Web Proxy in the following ways:

Explicit proxy routing mode

You can configure your workload environments and clients to explicitly use the proxy server. Secure Web Proxy isolates clients from the Internet by creating new TCP connections on behalf of the client, while adhering to the administered security policy.

For detailed instructions, see Deploy a Secure Web Proxy instance.

Private Service Connect service attachment mode

To centralize your Secure Web Proxy deployment when there are multiple networks, you can use Network Connectivity Center. But there are some limitations when you try to scale up with Network Connectivity Center. Adding Secure Web Proxy as a Private Service Connect service attachment overcomes such limitations. You can deploy Secure Web Proxy as follows:

  1. Create a Secure Web Proxy policy and rules.
  2. Create a Secure Web Proxy instance that uses your policy.
  3. Create a service attachment to publish the Secure Web Proxy instance as a Private Service Connect service.
  4. Create a Private Service Connect consumer endpoint in each VPC network that needs to connect to Secure Web Proxy.
  5. Point your workload egress traffic to the centralized Secure Web Proxy instance within the region.

The deployment works in a hub-and-spoke fashion, where the Secure Web Proxy is on the egress path for workloads in the various connected VPC networks.

For detailed instructions, see Deploy Secure Web Proxy as a service attachment.

Secure Web Proxy as next hop

You can configure your Secure Web Proxy deployment to act as a next hop for routing in your network. Configuring next hop routing to point traffic sources to your Secure Web Proxy instance reduces the administrative overhead of configuring an explicit proxy variable for each source workload. For more information about configuring next hop routing, see Deploy Secure Web Proxy as next hop.

Solutions that Secure Web Proxy supports

Secure Web Proxy supports the following solutions.

Migration to Google Cloud

Secure Web Proxy helps you migrate to Google Cloud while keeping your existing security policies and requirements for egress web traffic. You can avoid using third-party solutions that require using another management console or manually editing configuration files.

Access to trusted external web services

Secure Web Proxy lets you apply granular access policies to your egress web traffic so that you can secure your network. You create and identify workload or application identities, and then apply policies to web locations.

Monitored access to untrusted web services

You can use Secure Web Proxy to provide monitored access to untrusted web services. Secure Web Proxy identifies traffic that doesn't conform to policy and logs it to Cloud Logging (Logging). You can then monitor internet usage, discover threats to your network, and respond to threats.

Secure Web Proxy benefits

Secure Web Proxy provides the following benefits.

Operational time savings

Secure Web Proxy doesn't have VMs to set up and configure, doesn't require software updates to maintain security, and offers elastic scaling. After initial policy configuration, a regional Secure Web Proxy instance works out of the box. Secure Web Proxy provides tools to simplify setup, testing, and deployment so that you can focus on other tasks.

Flexible deployment

Secure Web Proxy supports basic and flexible deployments. Secure Web Proxy instances, Secure Web Proxy policies, and URL lists are all modular objects that can be created or reused by distinct administrators. For example, you can deploy multiple Secure Web Proxy instances that all use the same Secure Web Proxy policy.

Improved security

Secure Web Proxy configurations and policies are deny-all by default. Furthermore, Google Cloud automatically updates Secure Web Proxy software and infrastructure, reducing the risks of security vulnerabilities.

Supported features

Secure Web Proxy supports the following features:

  • Autoscaling Secure Web Proxy Envoy proxies: Supports automatically adjusting the Envoy proxy pool size and the pool's capacity in a region, which enables consistent performance during high-demand periods at the lowest cost.

  • Modular egress access policies: Secure Web Proxy specifically supports the following egress policies:

    • Source-identity based on secure tags, service accounts, or IP addresses.
    • Destinations based on URLs or hostnames.
    • Requests based on methods, headers, or URLs. URLs can be specified by using lists, wildcards, or patterns.
  • End-to-end encryption: Client-proxy tunnels can transit over TLS. Secure Web Proxy also supports HTTP/S CONNECT for client-initiated, end-to-end TLS connections to the destination server.

  • Cloud Audit Logs and Google Cloud Observability integration: Cloud Audit Logs and Google Cloud Observability record administrative activities and access requests for Secure Web Proxy-related resources. They also record metrics and transaction logs for requests handled by the proxy.
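To make the policy model described under Improved security and Modular egress access policies concrete (deny-all by default, rules evaluated by priority, matching on source identity, destination host, method and headers), here is a simplified Python model. It is an added illustration, not Secure Web Proxy's own rule engine or rule syntax; the service account, hosts, CIDR block and header name in the sample policy are constructed.

```python
# Simplified model of Secure Web Proxy-style egress policy evaluation.
# Illustration only: not the service's own rule engine or rule syntax.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    source: str                  # service account, secure tag, or source IP
    host: str                    # destination hostname
    method: str = "GET"
    headers: dict = field(default_factory=dict)

@dataclass
class Rule:
    priority: int                # lower number is evaluated first
    action: str                  # "ALLOW" or "DENY"
    sources: tuple = ()          # identities or CIDR blocks; empty means any
    hosts: tuple = ()            # exact hosts or "*.example.com" (fnmatch: also deeper labels)
    methods: tuple = ()          # empty means any method
    headers: dict = field(default_factory=dict)  # header values that must be present
    def matches_source(self, source):
        if not self.sources:
            return True
        try:
            addr = ip_address(source)
        except ValueError:
            addr = None          # not an IP: a service account or secure tag
        return any((addr is not None and "/" in s and addr in ip_network(s)) or s == source
                   for s in self.sources)
    def matches(self, req):
        return (self.matches_source(req.source)
                and (not self.hosts or any(fnmatchcase(req.host, h) for h in self.hosts))
                and (not self.methods or req.method in self.methods)
                and all(req.headers.get(k) == v for k, v in self.headers.items()))

def evaluate(rules, req):
    """Action of the highest-priority matching rule; deny-all when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.action
    return "DENY"

POLICY = [  # constructed sample policy; identities, hosts and headers are hypothetical
    Rule(1, "DENY", hosts=("*.blocked.example",)),
    Rule(10, "ALLOW", sources=("web-sa@example-project.iam.gserviceaccount.com",),
         hosts=("api.example.com",), methods=("GET", "POST")),
    Rule(20, "ALLOW", sources=("10.0.0.0/8",), hosts=("*.pkg.example.com",),
         headers={"x-env": "prod"}),
]
```

Note that the wildcard `*.example.com` does not match the apex `example.com`, and an empty rule list denies everything, which is the deny-all baseline the page describes.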

Additional Google Cloud tools to consider

Google Cloud provides the following tools for your Google Cloud deployments:

  • Use Google Cloud Armor to protect Google Cloud deployments from multiple threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).

  • Specify VPC firewall rules to secure connections to or from your VM instances.

  • Implement VPC Service Controls to prevent data exfiltration from Google Cloud services, such as Cloud Storage and BigQuery.

  • Use Cloud NAT to enable unsecured outbound internet connectivity for certain Google Cloud resources without an external IP address.


Last updated 2025-12-17 UTC.