GAP Documentation

Using Egress Proxy in Multi Region (Secure Web Proxy/SWP)

By default, egress traffic from workloads in multi-region (MR) instance clusters is blocked for security compliance reasons. Workloads that need to make HTTP/S calls to external (non-GCP) hosts can use the Secure Web Proxy (SWP) to do so.

SWP is available on MR instance clusters (s-us1-01, p-us1-01). At this time it is not available on eu1 (gap-staging/gap-production) clusters.

How the Proxy Works

Your workload connects to proxy.internal:3128 — a Google-managed Secure Web Proxy (SWP) deployed per region. SWP only allows traffic to domains that are explicitly listed in URL allow-lists. All other egress is denied.

  • HTTPS traffic uses HTTP CONNECT tunneling — SWP sees the target hostname but cannot inspect the encrypted payload
  • Google APIs (.googleapis.com) should NOT go through the proxy — they use Private Google Access directly. This is handled by the NO_PROXY variable.
  • Suite Suites in the same instance count as external service and need

Language-Specific Caveats

Not all runtimes honor HTTP_PROXY/HTTPS_PROXY out of the box. See the Proxy Environment Variable Support — Language overview for the most used tools.

Requesting Access to External URLs

Quick path:

  1. Check the existing URL allow-lists in infra-hub/network/multiregion/datasets/_shared/swp/url-lists/ — your domain might already be allowed

  2. If not listed, create a Jira ticket in GAP with the domains to add (syntax per Google URL list reference)

    Include in the ticket:

    • the domain(s) you need allowed (e.g. api.example.com, *.vendor.io)
    • which application / namespace needs access
    • brief reason (e.g. “webhook delivery to partner API”)

Configuration

HTTP_PROXY="http://proxy.internal:3128"
HTTPS_PROXY="http://proxy.internal:3128"
NO_PROXY="169.254.169.254,fd20:ce::254,127.0.0.1,localhost,.svc,.cluster.local,metadata,metadata.google.internal,.googleapis.com"

The gap.yaml contains some shortcuts to inject this configuration.

  • Set the following variable in your gap.yaml; it applies to all workload resources (Deployment, CronJob, pre/post deploy) in the application:

    useProxyEnvVars: true
    

    This option can be set or overridden per workload:

    useProxyEnvVars: true
    deployments:
      web:
        command: ["nginx", "-g", "daemon off;"]
        useProxyEnvVars: false
    

    If you need to set proxy environment variables to custom values (e.g. on eu1 legacy clusters where SWP is not available), use the env field directly instead of useProxyEnvVars:

    env:
      HTTP_PROXY: "http://some-other-proxy:3128"
      HTTPS_PROXY: "http://some-other-proxy:3128"
      NO_PROXY: "169.254.169.254,fd20:ce::254,127.0.0.1,localhost,.svc,.cluster.local,metadata,metadata.google.internal,.googleapis.com"
    
Do not set NO_PROXY, HTTP_PROXY or HTTPS_PROXY, or their lower-case versions, when useProxyEnvVars is set to true, as this results in a failure during Helm template rendering. If you need to set them, set useProxyEnvVars to false and set the proxy environment variables manually as shown above.

Troubleshooting

| Symptom | Likely Cause | What to Do |
|---|---|---|
| Connection timeout to external host | Domain not in SWP URL allow-list | Check existing URL lists. File a GAP Jira ticket to add the domain. |
| Google API calls fail when proxy is enabled | NO_PROXY missing .googleapis.com or metadata.google.internal | Ensure you’re using the full NO_PROXY value shown above. Do not remove any entries. |
| HTTPS works in curl but not in your app | Runtime doesn’t honor proxy env vars | See the language support matrix. Java, Node.js, PHP need extra configuration. |
| Manifest generation failure | Both useProxyEnvVars: true and manual proxy env vars set | Use one or the other — not both. See warning above. |

If you suspect your traffic is being blocked by SWP, proxy transaction logs are accessible in Cloud Logging in the relevant instance project ems-base-infra-net-{env}-{instance}.
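
A pre-flight check for the first two rows of the troubleshooting table, as an added example that is not part of GAP's own tooling: it compares a workload's environment against the values in the Configuration section and reports whether Python's urllib would send a given host through the proxy or directly. The function names are assumptions made for this example, and other runtimes may match NO_PROXY entries differently.

```python
import os
import urllib.request

# Values copied from the Configuration section of this page.
EXPECTED_PROXY = "http://proxy.internal:3128"
REQUIRED_NO_PROXY = (
    "169.254.169.254,fd20:ce::254,127.0.0.1,localhost,.svc,.cluster.local,"
    "metadata,metadata.google.internal,.googleapis.com"
).split(",")


def _get(env, name):
    """Read a variable in upper or lower case (runtimes differ on which they use)."""
    return env.get(name) or env.get(name.lower()) or ""


def audit_proxy_env(env):
    """Return a list of findings for a mapping of environment variables."""
    findings = []
    for var in ("HTTP_PROXY", "HTTPS_PROXY"):
        value = _get(env, var)
        if value != EXPECTED_PROXY:
            findings.append(f"{var} is {value!r}, expected {EXPECTED_PROXY!r}")
    present = {e.strip() for e in _get(env, "NO_PROXY").split(",") if e.strip()}
    for entry in REQUIRED_NO_PROXY:
        if entry not in present:
            findings.append(f"NO_PROXY is missing {entry}")
    return findings


def route_for(host, env):
    """Say whether Python's urllib would reach `host` via the proxy or directly."""
    no_proxy = _get(env, "NO_PROXY")
    bypass = urllib.request.proxy_bypass_environment(host, {"no": no_proxy})
    return "direct" if bypass else "proxy"


if __name__ == "__main__":
    for finding in audit_proxy_env(os.environ):
        print("WARN:", finding)
    # Sample hosts: one Google API, the metadata server, one external domain.
    for host in ("storage.googleapis.com", "metadata.google.internal",
                 "api.example.com"):
        print(f"{host}: {route_for(host, os.environ)}")
```

Run it inside the workload's container. A Google API host reported as "proxy" means NO_PROXY was altered, and an external host reported as "direct" will be caught by the default egress block rather than by SWP.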