Apply BeyondCorp Enterprise to cloud resources

This page walks through the high level steps of applying BeyondCorp Enterprise to your Google Cloud and on-premises resources.

For information about how BeyondCorp Enterprise leverages other Google Cloud offerings, see the BeyondCorp Enterprise access protection overview.

Before you begin

Before you make your apps and resources context-aware, you'll need to:

  1. If you don't already have Cloud Identity user accounts in your organization, create a few Cloud Identity accounts.

  2. Determine a resource you want to protect. Configure one of the following if you don't have a resource.

    • A web app running behind an HTTPS load balancer on Google Cloud. This includes web apps like App Engine apps, apps running on-premises, and apps running in another cloud.
    • A virtual machine on Google Cloud.
  3. Determine principals that you want to grant and limit access to.

If you're interested in securing Google Workspace apps, see the Google Workspace BeyondCorp Enterprise overview.

Securing your apps and resources with IAP

Identity-Aware Proxy (IAP) establishes a central identity awareness layer for apps and resources accessed by HTTPS and TCP. This means you can control access on each individual app and resource instead of using network-level firewalls.

Secure your Google Cloud app and all its resources by selecting one of the following guides:

You can also extend IAP to non-Google Cloud environments like on-premises as well as other clouds. To learn more, see the Securing on-premises apps guide.

For more information, see the IAP documentation.

Virtual machine resources

You can control access to administrative services like SSH and RDP on your backends by setting tunnel resource permissions and creating tunnels that route TCP traffic through IAP to virtual machine instances.

To secure a virtual machine, see the Securing virtual machines guide.

Creating an access level with Access Context Manager

Once you've secured your apps and resources with IAP, it's time to set richer access policies with access levels.

Access Context Manager creates access levels. Access levels can limit access based on the following attributes:

Create an access level by following the Creating an access levels guide.

Applying access levels

An access level doesn't take effect until you apply it on a IAP-secured resources' Identity and Access Management (IAM) policy. This step is done by adding an IAM Condition on the IAP role used to grant access to your resource.

To apply your access level, see applying access levels.

Once you've applied your access level, your resources are now secured with BeyondCorp Enterprise.

Enabling device trust and security with Endpoint Verification

To further strengthen the security of your BeyondCorp Enterprise secured resources, you can apply device-based trust and security access control attributes with access levels. Endpoint Verification enables this control.

Endpoint Verification is a Chrome extension for Windows, Mac, and Chrome OS devices. Access Context Manager references the device attributes gathered by Endpoint Verification to enforce fine grained access control with access levels.

Follow the Endpoint Verification quickstart to set up Endpoint Verification for your organization.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

What's next