Overview of Cloud IAP for on-premises apps

Cloud Identity-Aware Proxy (Cloud IAP) allows you to manage access to HTTP-based apps outside of Google Cloud Platform (GCP). This includes apps on-premises in your enterprise's data centers.

To learn how to secure on-premises apps with Cloud IAP, see Setting up Cloud IAP for on-premises apps.


Cloud IAP targets on-premises apps with the Cloud IAP connector. This configurable Cloud Deployment Manager template creates the resources needed to host and deploy the Cloud IAP connector into a Cloud IAP-enabled GCP project, forwarding authenticated and authorized requests to on-premises apps.

The configurable Cloud Deployment Manager template creates the following resources:

  • A Google Kubernetes Engine cluster that maintains Ambassador-based services.
  • A Cloud Load Balancing HTTP(S) load balancer that acts as the ingress controller for requests.
  • Routing rules.

A deployment can have multiple Ambassador-created Compute Engine backend services that run behind one HTTP(s) load balancer. Each backend service maps to an individual on-premises app.

Once the Cloud IAP connector is deployed, Cloud IAP secures your app with identity and context based Cloud Identity and Access Management (Cloud IAM) access policies. Because a Cloud IAM access policy is configured on the backend service resource level, you're able to have different access control lists for each of your on-premises apps. This means only one GCP project is needed to manage access to multiple on-premises apps.

How Cloud IAP for on-premises apps works

When a request is sent to an app hosted on GCP, Cloud IAP authenticates and authorizes the user requests. It then grants the user access to the GCP app.

When a request is sent to an on-premises app, Cloud IAP authenticates and authorizes the user request. It then routes the request to the Cloud IAP connector. The Cloud IAP connector forwards the request through a site-to-site connection established with Cloud Interconnect from GCP to the on-premises network.

The following diagram shows the high-level traffic flow of a web request for a GCP app (app1) and an on-premises app (app2).

Routing rules

When configuring a Cloud IAP connector deployment, you configure the routing rules. These rules route authenticated and authorized web requests coming to your DNS hostname ingress point to the DNS hostname that's the destination.

The following is an example of routing parameters defined for a Cloud IAP connector Cloud Deployment Manager template.

     - name: hr
        - name: host
          source: www.hr-domain.com
          destination: hr-internal.domain.com
        - name: sub
          source: sheets.hr-domain.com
          destination: sheets.hr-internal.domain.com
     - name: finance
        - name: host
          source: www.finance-domain.com
          destination: finance-internal.domain.com
  • Each routing name corresponds to a new, Ambassador-created Compute Engine backend service resource.
  • The mapping parameter specifies a list of Ambassador routing rules for a backend service.
  • The source of a routing rule is mapped to a destination, where source is the URL of requests coming to GCP, and destination is the URL for your on-premises app that Cloud IAP routes traffic to after a user has been authorized and authenticated.

The following table demonstrates example rules to route incoming requests from www.hr-domain.com to hr-internal.domain.com:

Compute Engine backend service Routing rule name Source Destination
hr hr-host www.hr-domain.com hr-internal.domain.com
hr-sub sheets.hr-domain.com sheets.hr-internal.domain.com
finance finance-host www.finance-domain.com finance-internal.domain.com

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

Identity-Aware Proxy Documentation