Apply BeyondCorp Enterprise to cloud resources
This page walks through the high level steps of applying BeyondCorp Enterprise to your Google Cloud and on-premises resources.
For information about how BeyondCorp Enterprise leverages other Google Cloud offerings, see the BeyondCorp Enterprise access protection overview.
Before you begin
Before you make your apps and resources context-aware, you'll need to:
Determine a resource you want to protect. If you don't have one, configure one of the following:
- A web app running behind an HTTPS load balancer on Google Cloud. This includes web apps like App Engine apps, apps running on-premises, and apps running in another cloud.
- A virtual machine on Google Cloud.
Determine the principals to whom you want to grant or restrict access.
If you're interested in securing Google Workspace apps, see the Google Workspace BeyondCorp Enterprise overview.
Securing your apps and resources with IAP
Identity-Aware Proxy (IAP) establishes a central identity awareness layer for apps and resources accessed by HTTPS and TCP. This means you can control access on each individual app and resource instead of using network-level firewalls.
Secure your Google Cloud app and all its resources by selecting one of the following guides:
You can also extend IAP to non-Google Cloud environments like on-premises as well as other clouds. To learn more, see the Securing on-premises apps guide.
For more information, see the IAP documentation.
Virtual machine resources
You can control access to administrative services like SSH and RDP on your backends by setting tunnel resource permissions and creating tunnels that route TCP traffic through IAP to virtual machine instances.
To secure a virtual machine, see the Securing virtual machines guide.
Creating an access level with Access Context Manager
Once you've secured your apps and resources with IAP, it's time to set richer access policies with access levels.
You create access levels in Access Context Manager. Access levels can limit access based on the following attributes:
- IP subnetworks
- Access level dependency
- Device policy (Note that Endpoint Verification must be set up.)
Create an access level by following the Creating an access level guide.
Applying access levels
An access level doesn't take effect until you apply it to an IAP-secured resource's Identity and Access Management (IAM) policy. You do this by adding an IAM Condition to the IAP role used to grant access to your resource.
To apply your access level, see applying access levels.
Once you've applied your access level, your resources are now secured with BeyondCorp Enterprise.
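As an added example (not code from the page or from Google Cloud), the following shows the shape of the conditional IAM binding produced when an access level is applied to the IAP role, together with a small offline evaluator of the CEL expression IAP checks, so you can see that a member who holds the role but does not satisfy the level is still denied. The access policy ID, level name and members are constructed placeholders.

```python
"""Added example (not from the original page): the IAM Condition that ties an
Access Context Manager access level to the IAP role, plus an offline
approximation of how the condition is evaluated. Values are placeholders."""
import json
import re

# Constructed placeholders; real values come from your organization.
ACCESS_POLICY_ID = "123456789012"          # numeric Access Context Manager policy
ACCESS_LEVEL_NAME = "corp_trusted_devices"  # level created in Access Context Manager


def access_level_resource(policy_id, level_name):
    """Full resource name referenced from IAP IAM Conditions."""
    return "accessPolicies/%s/accessLevels/%s" % (policy_id, level_name)


def iap_binding_with_access_level(member, level_resource):
    """IAM binding granting the IAP web-app role only when the request satisfies
    the access level. Equivalent to what `gcloud iap web add-iam-policy-binding`
    writes when given --role=roles/iap.httpsResourceAccessor and a --condition."""
    return {
        "role": "roles/iap.httpsResourceAccessor",
        "members": [member],
        "condition": {
            "title": "require " + level_resource.rsplit("/", 1)[-1],
            "expression": '"%s" in request.auth.access_levels' % level_resource,
        },
    }


_EXPR_RE = re.compile(r'^"([^"]+)" in request\.auth\.access_levels$')


def binding_permits(binding, member, satisfied_levels):
    """Offline approximation of IAP's decision for one binding: the member must be
    listed AND, if a condition is present, the referenced access level must be
    among the levels the request satisfied. Only the single-level expression
    form produced above is understood; anything else is rejected explicitly."""
    if member not in binding["members"]:
        return False
    cond = binding.get("condition")
    if cond is None:
        return True  # unconditional binding: the role alone grants access
    match = _EXPR_RE.match(cond["expression"])
    if not match:
        raise ValueError("unsupported expression: %s" % cond["expression"])
    return match.group(1) in set(satisfied_levels)


if __name__ == "__main__":
    level = access_level_resource(ACCESS_POLICY_ID, ACCESS_LEVEL_NAME)
    print(json.dumps(iap_binding_with_access_level("group:eng@example.com", level), indent=2))
```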
Enabling device trust and security with Endpoint Verification
To further strengthen the security of your BeyondCorp Enterprise secured resources, you can apply device-based trust and security access control attributes with access levels. Endpoint Verification enables this control.
Endpoint Verification is a Chrome extension for Windows, Mac, and Chrome OS devices. Access Context Manager references the device attributes gathered by Endpoint Verification to enforce fine-grained access control with access levels.
Follow the Endpoint Verification quickstart to set up Endpoint Verification for your organization.