Deploy SWG Instance Using Skyhigh Image
Perform the steps below to get a CLI command to start a Google Cloud Instance using the custom image from the Skyhigh project.
Prerequisites
- Install G-Cloud CLI.
- Log in to the G-Cloud using the CLI and select the project to start the SWG instance.
NOTE: G-Cloud CLI is recommended on Linux; the generated commands are compatible with Linux shells. On Windows, modify the command as needed. GCP images are deployed with only the single root partition, irrespective of the allocated device space.
Generate a CLI Command to Start a SWG GCP Instance
- On the home page, click Create a VM.
The Create an instance page opens.
Make sure you have selected an existing project or created a new project before proceeding with instance creation.
- Under the Machine configuration tab, enter the Name, and select the Region and Zone from the respective drop-down lists.
- Select the required Machine type from the list. For more information on the recommended VM size, see Physical and Virtual Appliance Requirements.
NOTE: The Machine type cannot be modified once the instance is deployed. Auto scaling is not supported.
- Under the OS and storage tab, click Change.
In the Public images tab, configure the following:
- Operating System - Debian
- Version - Debian GNU/Linux 12 (bookworm)
- Boot disk type*: select the appropriate disk type.
- Size (GB) - 500
NOTE:
- Operating System and Version are selected as a placeholder for the SWG image and will be changed in the CLI command.
- When running Secure Web Gateway as an instance in a GCP environment, web caching is disabled; you can choose to reduce the required hard-disk space for the VM. Skyhigh does not support changing the disk size once the instance is deployed.
- Under the Data protection tab, configure the required settings.
- Under the Networking tab, configure settings such as firewall rules, network, and subnets. Create firewall rules to allow ports 4712 and 9090 for the Secure Web Gateway.
- Under the Security tab, configure the required settings.
NOTE: Make sure the Turn on Secure Boot, Turn on vTPM, and Turn on Integrity Monitoring checkboxes are unchecked.
- For VM access, go to Manage access > +Add Item, enter the SSH public key, and specify an SSH username (for example, admin) in the SSH Key 1* field for the instance.
- Under the Advanced tab, configure the required settings and enter a startup script, if any.
- Complete all configuration settings, and click Equivalent code.
- Copy the Equivalent code for the selected configuration, and paste it into any text editor.
NOTE: The generated command varies based on the configuration options selected in the previous steps. Additional parameters appear depending on the selected setup. For additional details, see gcloud compute instances create, a third-party resource providing the complete, official gcloud documentation.
- Update the project name to svc-swg-prod-05, and change the image name under create-disk > image value to SWG GCP image.
For example: --create-disk=auto-delete=yes,boot=yes,device-name=instance-from-prod-image-1,image=projects/svc-swg-prod-05/global/images/swg-12-2-18-54125,mode=rw,size=500,type=pd-balanced \.
Sample command:
gcloud compute instances create instance-from-prod-image-1 \
  --project=svc-swg-dev-05 \
  --zone=asia-south1-b \
  --machine-type=e2-standard-4 \
  --network-interface=stack-type=IPV4_ONLY,subnet=projects/host-fullmesh-gcp5/regions/asia-south1/subnetworks/svc-swg-dev-05-dev-purple-purple-a-vm-asia-south1-1,no-address \
  --metadata=enable-osconfig=TRUE,startup-script=\#\!/bin/bash\ \ $'\n'echo\ test\ \>\ /tmp/test.txt,ssh-keys=admin:ssh-ed25519\ AAAAC3NzaC1lZDI1NTE5AAAAIKR/t1IT98qSMv3Ok3ruzTnxoDlHXllRzcD3w047GsxS\ admin \
  --maintenance-policy=MIGRATE \
  --provisioning-model=STANDARD \
  --service-account=688123955600-compute@developer.gserviceaccount.com \
  --create-disk=auto-delete=yes,boot=yes,device-name=instance-from-prod-image-1,image=projects/svc-swg-prod-05/global/images/swg-12-2-18-54125,mode=rw,size=500,type=pd-balanced \
  --reservation-affinity=any
NOTE: Refer to the Content & Cloud Security Portal for the project and image name.
- Run the copied code in the active G-Cloud CLI session.
- Wait for the instance to initialize.
NOTE: Secure Web Gateway on GCP currently supports only explicit proxy mode and no HA or transparent modes, including L2 Transparent.
- Navigate to Compute Engine > VM instances to verify the instance is running.
- Connect to the instance using SSH.
Command format: ssh -i <private_key> <username>@<public_ip>
If the SSH banner is not displayed, run bash /usr/local/bin/ssh-banner.sh to get it.
- After copying the CLI command using the Equivalent Code option, click Cancel in the UI to stop the instance creation and avoid duplication.
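Before running the edited command, it can be checked against the requirements in the steps above (Skyhigh image project, Secure Boot / vTPM / Integrity Monitoring left off, SSH key present). The following is an added example, not part of the Skyhigh documentation; check_swg_cmd is a hypothetical helper that only inspects the command text and never calls gcloud, and both sample commands are constructed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for an edited "Equivalent code" command.
# check_swg_cmd is a hypothetical helper name, not a Skyhigh or gcloud tool.

SWG_IMAGE_PROJECT="svc-swg-prod-05"   # image project named on this page

check_swg_cmd() {
  # $1: the full gcloud command as a single string
  local cmd rc flag
  cmd="$1"
  rc=0

  # The boot disk must come from the Skyhigh image project, not the Debian placeholder.
  if ! printf '%s' "$cmd" | grep -q -e "image=projects/${SWG_IMAGE_PROJECT}/global/images/"; then
    echo "FAIL: boot disk image is not from projects/${SWG_IMAGE_PROJECT}" >&2
    rc=1
  fi

  # Secure Boot, vTPM and Integrity Monitoring must stay off for this image.
  # The --no-shielded-... forms do not match these patterns and are accepted.
  for flag in --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring; do
    if printf '%s' "$cmd" | grep -q -e "$flag"; then
      echo "FAIL: remove $flag" >&2
      rc=1
    fi
  done

  # An SSH public key must be present in the instance metadata for VM access.
  if ! printf '%s' "$cmd" | grep -q -e 'ssh-keys='; then
    echo "FAIL: no ssh-keys= entry in --metadata" >&2
    rc=1
  fi

  return "$rc"
}

# Constructed sample inputs (placeholder key, trimmed option set).
GOOD_CMD='gcloud compute instances create swg-1 --metadata=ssh-keys=admin:ssh-ed25519\ <PUBLIC_KEY>\ admin --create-disk=boot=yes,image=projects/svc-swg-prod-05/global/images/swg-12-2-18-54125,size=500 --no-shielded-secure-boot'
BAD_CMD='gcloud compute instances create swg-1 --create-disk=boot=yes,image=projects/debian-cloud/global/images/debian-12-bookworm,size=500 --shielded-vtpm'

check_swg_cmd "$GOOD_CMD" && echo "good command: OK"
check_swg_cmd "$BAD_CMD" 2>/dev/null || echo "bad command: rejected"
```

Pass the text copied from Equivalent code, after editing, as the single argument; a non-zero return means at least one requirement from the steps is not met.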