This page describes how to enable Transport Layer Security (TLS) inspectionfor your Secure Web Proxy instance.
Before you begin
Before you configure Secure Web Proxy for TLS inspection,complete the tasks in the following sections.
Enable CAS
Secure Web Proxy usesCertificate Authority Service (CAS)to generate the certificates used for TLS inspection.
To enable CAS, use the following command:
gcloud services enable privateca.googleapis.com
Create a CA pool
You must create a certificate authority (CA) pool before you can use CAS tocreate a CA. This section walks you through the permissions that you need tocomplete this task and then describes how to create a CA pool.
To generate certificates, TLS inspection uses a separate service account foreach project calledservice-{project ID}@gcp-sa-certmanager.iam.gserviceaccount.com
.Make sure that you have granted permissions to this service account to useyour CA pool. If this access is revoked, TLS inspection stops working.
Permissions required for this task
To perform this task, you must have been granted the following permissions or IAM roles.
Permissions
networksecurity.tlsInspectionPolicies.create
networksecurity.tlsInspectionPolicies.get
networksecurity.tlsInspectionPolicies.list
networksecurity.tlsInspectionPolicies.delete
networksecurity.tlsInspectionPolicies.update
Roles
- Compute Network Admin (
roles/compute.networkAdmin
) - Certificate Manager Editor (
roles/certificatemanager.editor
) - Optional: Security Policy Admin (
roles/compute.orgSecurityPolicyAdmin
)
To create the pool, use the gcloud privateca pools create
command and specify the subordinate pool ID, tier, project ID, and location.
gcloud privateca pools create SUBORDINATE_POOL_ID
--tier=TIER
--project=PROJECT_ID
--location=REGION
Replace the following:
SUBORDINATE_POOL_ID
: the name of the CA poolTIER
: the CA tier, eitherdevops
orenterprise
We recommend that you create the CA pool in the
devops
tier because tracking individually issued certificates is unnecessary.PROJECT_ID
: the ID of the CA pool projectREGION
: the location of the CA pool
Create a subordinate CA pool
You can create a subordinate CA pool, and the root CA signs all ofthe CAs in that pool. These certificates are used to sign servercertificates generated for TLS inspection.
To create a subordinate pool, use any of the following methods.
Create a subordinate CA pool by using an existing root CA stored within CAS
To generate a subordinate CA, do the following:
- Create a CA pool.
- Create subordinate CAs within a CA pool.
Create a subordinate CA pool by using an existing root CA held externally
To generate a subordinate CA, do the following:
- Create a CA pool.
- Create subordinate CAs signed by an external root CA.
Create a root CA
If you do not have an existing root CA, you can create one within CAS.To create a root CA, do the following:
- Create a root CA.
- Follow the steps in Create a subordinate CA pool by using an existing root CA stored within CAS.
For more information about CA pools, see theCertificate Authority Service documentation.
Create a service account
If you do not have a service account, you must create one and grantthe required permissions.
Create a service account:
gcloud beta services identity create \ --service=networksecurity.googleapis.com \ --project=PROJECT_ID
In response, the Google Cloud CLI creates a service account called
service-{project ID}@gcp-sa-networksecurity.iam.gserviceaccount.com
.For the service account that you created, grant permissions to generatecertificates with your CA pool:
gcloud privateca pools add-iam-policy-binding CA_POOL \ --member='serviceAccount:SERVICE_ACCOUNT' \ --role='roles/privateca.certificateManager' \ --location='REGION'
Configure Secure Web Proxy for TLS inspection
You can only proceed with the tasks in this section after you have completedthe prerequisite tasks listed in the Before you begin section.
To configure TLS inspection, complete the tasks in the following sections.
Create a TLS inspection policy
Create the file
TLS_INSPECTION_FILE
.yaml. ReplaceTLS_INSPECTION_FILE
with your desired filename.Add the following code to the YAML file to configure the desiredTlsInspectionPolicy:
name: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAMEcaPool: projects/PROJECT_ID/locations/REGION/caPools/CA_POOL
Replace the following:
PROJECT_ID
: the project numberREGION
: the region to create the policy inTLS_INSPECTION_NAME
: the name of theSecure Web Proxy TLS inspection policyCA_POOL
: the name of the CA pool to createthe certificates fromThe CA pool must exist within the same region.
Import the TLS inspection policy
Import the TLS inspection policy that you created in the previous step:
gcloud network-security tls-inspection-policies import TLS_INSPECTION_NAME \ --source=TLS_INSPECTION_FILE.yaml \ --location=REGION
Add the TLS inspection policy to the security policy
Console
Create the web proxy policy
In the Google Cloud console, go to the Network Security page.
Go to Network Security
Click Secure Web Proxy.
Click the Policies tab.
Click Create a policy.
Enter a name for the policy that you want to create, such as
myswppolicy
.Enter a description of the policy, such as
My new swp policy
.In the Regions list, select the region where you want to create the Secure Web Proxy policy.
To configure TLS inspection, select Configure TLS inspection.
In the TLS inspection policy list, select the TLS inspection policy that you created.
If you want to create rules for your policy, click Continue, and then click Add rule. For details, see Create Secure Web Proxy rules.
Click Create.
Create the web proxy rules
In the Google Cloud console, go to the Network Security page.
Go to Network Security
Click Secure Web Proxy.
In the project selector menu, select your organization ID or the folder that contains your policy.
Click the name of your policy.
Click Add rule.
Populate the rule fields:
- Name
- Description
- Status
- Priority: the numeric evaluation order of the rule. The rules areevaluated from highest to lowest priority where
0
is the highestpriority. - In the Action section, specify whether connections that matchthe rule are allowed (Allow) or denied (Deny).
- In the Session Match section, specify the criteria formatching the session. For more information about the syntax for
SessionMatcher
, see theCEL matcher language reference. - To enable TLS inspection, select Enable TLS inspection.
- In the Application Match section, specify the criteria formatching the request. If you do not enable the rule for TLSinspection, then the request can only match HTTP traffic.
- Click Create.
Click Add rule to add another rule.
Click Create to create the policy.
Set up a web proxy
In the Google Cloud console, go to the Network Security page.
Go to Network Security
Click Secure Web Proxy.
Click the Web proxies tab.
Click Set up a web proxy.
Enter a name for the web proxy that you want to create, such as
myswp
.Enter a description of the web proxy, such as
My new swp
.In the Regions list, select the region where you want to create the web proxy.
In the Network list, select the network where you want to create the web proxy.
In the Subnetwork list, select the subnetwork where you want to create the web proxy.
Enter the web proxy IP address.
In the Certificate list, select the certificate that you want to use to create the web proxy.
In the Policy list, select the policy that you created to associate the web proxy with.
Click Create.
Cloud Shell
Create the file
policy.yaml
:description: basic Secure Web Proxy policy name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1 tlsInspectionPolicy: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME
Create the Secure Web Proxy policy:
gcloud network-security gateway-security-policies import policy1 \ --source=policy.yaml --location=REGION
Create the file
rule.yaml
:name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/policy1/rules/allow-example-com description: Allow example.com enabled: true priority: 1 basicProfile: ALLOW sessionMatcher: host() == 'example.com' applicationMatcher: request.path.contains('index.html') tlsInspectionEnabled: true
Create the security policy rule:
gcloud network-security gateway-security-policies rules import allow-example-com \ --source=rule.yaml \ --location=REGION \ --gateway-security-policy=policy1
To attach a TLS inspection policy to an existing security policy, create the file
POLICY_FILE
.yaml. ReplacePOLICY_FILE
with your desired filename.description: My Secure Web Proxy policy name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/POLICY_NAME tlsInspectionPolicy: projects/PROJECT_ID/locations/REGION/tlsInspectionPolicies/TLS_INSPECTION_NAME
What's next?
- Use a URL list to create policies