Secure Web Proxy policies are based on two parameters:
- Traffic source: to identify the traffic source, Secure Web Proxy uses attributes such as service accounts, secure tags, and IP addresses.
- Allowed destination: to determine the allowed destinations, Secure Web Proxy uses a domain, a full URL path (only if TLS inspection is enabled, because otherwise the proxy sees only the host and port of an HTTPS connection), URL lists, or the destination port.
By default, Secure Web Proxy is set to deny any egress traffic through the proxy unless you include a specific rule in the policy.
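The following is an added illustration, not Google's code or the Secure Web Proxy API: a small Python model of how a policy built from those two parameters is evaluated. Rules are tried in priority order, a rule applies only when both its source attributes (service account, secure tag, or source IP range) and its destination attributes (domain, URL path, port) match, and anything no rule allows is denied, which mirrors the default-deny behaviour. The model also shows the TLS-inspection caveat: a rule that matches on a URL path cannot fire for an HTTPS request when TLS inspection is off, because the path is never visible to the proxy. Service-account names, tag values, domains and IP ranges in the block are constructed sample values; the choice that several source attributes on one rule are combined with OR, and several destination attributes with AND, is a modelling assumption of this example.

```python
"""Toy model of Secure Web Proxy policy evaluation (added example, not Google's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample identities; not real project values.
SA_BUILD = "build@example-project.iam.gserviceaccount.com"
TAG_WEB = "tagValues/111111111111"


@dataclass(frozen=True)
class Request:
    """One egress request as the proxy sees it."""
    url: str                       # full URL; the path is visible only with TLS inspection
    source_ip: str
    service_account: Optional[str] = None
    tags: frozenset = frozenset()

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    @property
    def port(self) -> int:
        parts = urlsplit(self.url)
        return parts.port or (443 if parts.scheme == "https" else 80)


@dataclass
class Rule:
    name: str
    priority: int                  # lower number is evaluated first
    action: str                    # "ALLOW" or "DENY"
    # Source attributes: any one that matches is enough; none set means any source.
    service_accounts: frozenset = frozenset()
    tags: frozenset = frozenset()
    ip_ranges: frozenset = frozenset()      # CIDR strings
    # Destination attributes: every one that is set must match; none set means any destination.
    domains: frozenset = frozenset()
    path_prefix: Optional[str] = None       # needs TLS inspection to be visible on HTTPS
    ports: frozenset = frozenset()

    def source_matches(self, req: Request) -> bool:
        if not (self.service_accounts or self.tags or self.ip_ranges):
            return True
        if req.service_account in self.service_accounts:
            return True
        if req.tags & self.tags:
            return True
        src = ip_address(req.source_ip)
        return any(src in ip_network(cidr) for cidr in self.ip_ranges)

    def destination_matches(self, req: Request, tls_inspection: bool) -> bool:
        if self.domains and req.host not in self.domains:
            return False
        if self.ports and req.port not in self.ports:
            return False
        if self.path_prefix is not None:
            parts = urlsplit(req.url)
            # Without TLS inspection the proxy only sees host:port of an HTTPS
            # connection, so a path-based rule cannot match such a request.
            if parts.scheme == "https" and not tls_inspection:
                return False
            if not parts.path.startswith(self.path_prefix):
                return False
        return True


def evaluate(rules: list, req: Request, tls_inspection: bool = False) -> str:
    """Return 'ACTION:rule-name' for the first matching rule; deny by default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.source_matches(req) and rule.destination_matches(req, tls_inspection):
            return f"{rule.action}:{rule.name}"
    return "DENY:default"


# Constructed example policy: a path-based deny ahead of broader allows.
POLICY = [
    Rule("block-uploads", 10, "DENY", tags=frozenset({TAG_WEB}),
         domains=frozenset({"example.com"}), path_prefix="/upload"),
    Rule("build-to-registry", 20, "ALLOW", service_accounts=frozenset({SA_BUILD}),
         domains=frozenset({"registry.example.com"}), ports=frozenset({443})),
    Rule("web-tier-site", 30, "ALLOW", tags=frozenset({TAG_WEB}),
         domains=frozenset({"example.com"})),
    Rule("lan-http-only", 40, "ALLOW", ip_ranges=frozenset({"10.10.0.0/16"}),
         ports=frozenset({80})),
]

if __name__ == "__main__":
    web = Request("https://example.com/upload/x", "10.20.0.5", tags=frozenset({TAG_WEB}))
    print(evaluate(POLICY, web, tls_inspection=True))   # DENY:block-uploads
    print(evaluate(POLICY, web, tls_inspection=False))  # ALLOW:web-tier-site
```

The two calls at the bottom make the caveat concrete: the same request to `/upload/x` is denied when TLS inspection is on and allowed by the broader domain rule when it is off, so a policy that relies on path matching is only as strong as the TLS-inspection setting behind it.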
Use the following attributes to let Secure Web Proxy identify the traffic source:
Supported features
Source identity-based security policies (service accounts and secure tags) are used to secure web traffic for different Google Cloud services. The following tables describe which source resources and which Virtual Private Cloud (VPC) architectures are supported when source identity-based security policies are used.
Source | Service account support | Secure tag support
---|---|---
VM | |
GKE node | |
GKE container | * | *
Direct VPC for Cloud Run | * |
Serverless VPC Access connector | † | †
Cloud VPN | * | *
Cloud Interconnect on premises | * | *
Application Load Balancer | |
Network Load Balancer | |
† Source IP address is unique and can be used instead.
VPC | VPC architecture | Support
---|---|---
Within VPC | Cross project (Shared VPC) |
Within VPC | Cross region |
Cross VPC | Cross peering link (peer VPC) |
Cross VPC | Cross Private Service Connect |
Cross VPC | Cross Network Connectivity Center spokes |