Use identity and context to sign in to apps and VMs
Identity-Aware Proxy (IAP) can help you control access to your cloud and on-prem applications and VMs running on Google Cloud Platform (GCP). IAP works by verifying user identity and context of the request to determine if a user should be allowed to access an application or a VM. IAP is a building block toward zero trust access, an enterprise security model that enables every employee to work from untrusted networks without the use of a VPN (e.g. Google's BeyondCorp implementation).
Simpler for cloud admins
Add secure web access to an application in less time than it takes to implement a VPN. Let your developers focus on their application logic, while IAP takes care of authentication and authorization. Only authenticated users are granted access to the application.
Simpler for remote workers
End users point their web browser to an internet-accessible URL to access IAP-secured applications. No VPN client is required.
Administrators can create granular access control policies for applications hosted on GCP, other clouds, and on-premises based on attributes like user identity, device security status, and IP address. IAP is a key component in Google Cloud’s context-aware access solution.
Secure access administration
Configure a single layer of security to manage user access to cloud applications. Administrators can improve security with Security Key Enforcement to prevent phishing.
Controls access without VPN
Manage access to your apps and VMs based on a user’s identity and context of the request (e.g. device status, location) without VPN. Powered by Google Cloud’s context-aware access.
Saves admin time
Faster to deploy than a VPN. Once deployed, IAP provides a single point of control for managing user access to web applications.
Works with cloud and on-premises apps
IAP can protect access to applications hosted on GCP, other clouds, and on-premises.
Saves end user time
Faster to sign into than a VPN. No VPN client login.
Deploys in minutes
Let your developers focus on their application logic, while IAP takes care of authentication and authorization.
Protects your apps and VMs
With the new TCP forwarding feature, IAP can now protect SSH and RDP access to your VMs hosted on GCP. Your VM instances don't even need public IP addresses.
There is no charge for using IAP. However, when used with Compute Engine, the required load balancing and firewall configuration may incur additional costs. Read more about load balancing and protocol forwarding pricing in the Compute Engine pricing guide.