Use identity and context to sign in to apps and VMs
Cloud Identity-Aware Proxy (Cloud IAP) controls access to your cloud applications and VMs running on Google Cloud Platform (GCP). Cloud IAP works by verifying user identity and context of the request to determine if a user should be allowed to access an application or a VM. Cloud IAP is a building block toward BeyondCorp, an enterprise security model that enables every employee to work from untrusted networks without the use of a VPN.
Simpler for cloud admins
Add secure web access to an application in less time than it takes to implement a VPN. Let your developers focus on their application logic, while Cloud IAP takes care of authentication and authorization. Only authenticated users are granted access to the application.
Simpler for remote workers
End users point their web browser to an internet-accessible URL to access Cloud IAP-secured applications. No VPN client is required.
Administrators can create granular access control policies for applications hosted on GCP, other clouds, and on-premises based on attributes like user identity, device security status, and IP address. Cloud IAP is a key component in Google Cloud’s context-aware access solution.
Secure access administration
Configure a single layer of security to manage user access to cloud applications. Administrators can improve security with Security Key Enforcement to prevent phishing.
Controls access without VPN
Manage access to your apps and VMs based on a user’s identity and context of the request (e.g. device status, location) without VPN. Powered by Google Cloud’s context-aware access.
Saves admin time
Faster to deploy than a VPN. Once deployed, Cloud IAP provides a single point of control for managing user access to web applications.
Works with cloud and on-premises apps
Cloud IAP can protect access to applications hosted on GCP, other clouds, and on-premises.
Saves end user time
Faster to sign into than a VPN. No VPN client login.
Deploys in minutes
Let your developers focus on their application logic, while Cloud IAP takes care of authentication and authorization.
Protects your apps and VMs
With the new TCP forwarding feature, Cloud IAP can now protect SSH and RDP access to your VMs hosted on GCP. Your VM instances don't even need public IP addresses.
There is no charge for using Cloud IAP. However, when used with Compute Engine, the required load balancing and firewall configuration may incur additional costs. Read more about load balancing and protocol forwarding pricing in the Compute Engine pricing guide.
Learn and build
New customers get $300 in free credits to learn and build on Google Cloud for up to 12 months.
Need more help?
Our experts will help you build the right solution or find the right partner for your needs.