Policies and rules

This page explains how to configure rules for your outbound web traffic with Secure Web Proxy. You can control which traffic is allowed or denied based on various criteria, ensuring only authorized traffic leaves your network. Secure Web Proxy provides two primary mechanisms for defining these controls: authorization policies and gateway security policies.

Authorization policies provide a flexible framework to secure your outbound traffic. You can use these policies to enable fine-grained controls, including identity-based and content-based policies, and support delegation to external authorization engines by using Service Extensions.

Gateway security policies are the foundation to define security rules in Secure Web Proxy. They allow or deny requests based on source identity—such as service accounts or secure tags—and destination attributes, such as URL lists.

Use the appropriate policy type

Secure Web Proxy lets you manage outbound traffic by using either an authorization policy or a gateway security policy. You can't use both policy types on the same gateway.

Choose a policy type based on your requirements:

  • Authorization policy: use this policy type for features such as custom authorization extensions by using Service Extensions or frontend mTLS.

    If you want to adopt these features for an existing deployment, then you must migrate your rules for outbound traffic from your gateway security policy to an authorization policy.

  • Gateway security policy: use this policy type if you require either standard connection-level filtering based on source identity and destination attributes or URL lists in your policy. Gateway security policies don't support using features such as custom authorization extensions or frontend mTLS.

Authorization policies

Authorization policies let you establish identity-based access control checks when processing outbound requests through Secure Web Proxy. You can configure authorization policies (AuthzPolicy) to validate the identity of a source workload or agent that accesses the internet.

An authorization policy lets you specify conditions to allow, deny, or delegate request authorization based on their source, destination, and other request attributes. Requests that pass these checks are forwarded to the web destination. Requests that fail are rejected with a 403 Forbidden error.

For Secure Web Proxy, you can attach authorization policies to your gateway resource to define the security perimeter for your outbound traffic and evaluate authorization policy rules in Secure Web Proxy. In addition, you can configure Secure Web Proxy to delegate authorization decisions to an external authorization engine by using Service Extensions (authorization extensions).

For more information about how to configure authorization policies, see Set up authorization policies for Secure Web Proxy.

Authorization policies provide the following benefits over standard gateway security policies:

  • Consistent policy surface: use the unified AuthzPolicy API to manage traffic authorization for Secure Web Proxy along with other services such as Application Load Balancer and Cloud Service Mesh (CSM).

  • Service Extensions support: use Service Extensions to delegate authorization decisions to your custom logic. You can use authorization extensions to perform request-level authorization (based on headers, identity, and more) and content sanitization (such as sensitive data protection or threat detection).

  • Identity-centric security: while still supporting IP-based rules, authorization policies provide a more robust security posture by letting you enforce controls based on identity. You can define your security perimeter by using service accounts, tags, or frontend mutual TLS. You can also use Service Extensions to delegate authorization decisions to identity-based services like Identity-Aware Proxy.

Gateway security policies and rules

A gateway security policy is the core security item that defines access controls for all outbound web traffic.

Gateway security policies include the following key features:

  • Policy control: a policy contains the gateway security rules that the proxy uses to allow or deny a web request. You can create a single policy and reuse it across multiple Secure Web Proxy instances to keep your security rules consistent and efficient.

  • Secure by default: gateway security policies are deny-all by default. The proxy blocks every HTTP and HTTPS request until you create a specific rule to permit it. This enforces a zero-trust architecture from the start.

  • Policy logic: every policy is built on two core checks: determine the traffic source and verify the allowed destination.

A gateway security rule is an instruction in a gateway security policy that matches and defines the final action: allow or deny.

Your Secure Web Proxy instance evaluates rules based on priority, with the lowest number checked first. The proxy stops and acts on the first rule that matches the request. Each rule matches traffic by using the following two matchers:

  • Session Matcher: checks basic information about the network connection as it's being set up. Session Matcher includes the following items:

    • Source identity (service account or secure tag)
    • Destination hostname (the domain name)
    • Destination port

  • Application Matcher: inspects the content of the actual web request. It's typically used to ensure granular control and requires TLS inspection to check encrypted traffic. Application Matcher includes the following items:

    • Full URL path
    • Request method—for example, block all DELETE actions
    • Specific HTTP headers
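
The evaluation order described above (lowest priority number first, first match wins, deny unless a rule allows), as an added example that is not part of this page or of Secure Web Proxy's own code. It models session and application matchers as Python predicates instead of real CEL expressions, assumes that an application matcher on HTTPS traffic cannot match unless TLS inspection is enabled, and uses constructed identities and hostnames.

```python
# Added example (not Google's code): a small model of gateway security rule
# evaluation. Rules are checked in ascending priority, the first match decides,
# and anything unmatched is denied (deny-all default). Predicates stand in for
# the real CEL matchers; the identities and hosts below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Request:
    source_identity: str   # service account or secure tag (constructed values)
    host: str
    port: int
    scheme: str = "https"
    path: str = "/"
    method: str = "GET"
    headers: dict = field(default_factory=dict)

@dataclass
class Rule:
    priority: int                      # lower number is checked first
    action: str                        # "ALLOW" or "DENY"
    session_matcher: Callable[[Request], bool]
    application_matcher: Optional[Callable[[Request], bool]] = None
    enabled: bool = True

def evaluate(rules, req, tls_inspection=False):
    """Return the action for req: first matching rule wins, otherwise DENY."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.enabled or not rule.session_matcher(req):
            continue
        if rule.application_matcher is not None:
            # Modeling assumption: application matchers need the request
            # content, which for HTTPS is only visible with TLS inspection.
            if req.scheme == "https" and not tls_inspection:
                continue
            if not rule.application_matcher(req):
                continue
        return rule.action
    return "DENY"  # deny-all default: no rule matched

# Constructed rules: block DELETE to an API host, then allow one workload to it.
RULES = [
    Rule(10, "DENY", lambda r: r.host == "api.example.com",
         lambda r: r.method == "DELETE"),
    Rule(20, "ALLOW", lambda r: r.source_identity == "sa:ci-runner"
         and r.host == "api.example.com" and r.port == 443),
]
```

Note that without TLS inspection the DELETE block at priority 10 never matches HTTPS traffic, so the allow rule at priority 20 lets the DELETE through; the model makes that gap visible.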

Limitations

When you configure policies in Secure Web Proxy, the following limitations apply:

  • Gateway security policies: these policies don't support authorization extensions. Advanced capabilities like using custom logic or delegating authorization decisions to external services are available only through authorization policies.

  • Authorization policies: these policies don't support URL lists or regular expression (regex) matching for URL strings.

What's next