This page describes best practices for using Cloud Identity-Aware Proxy (Cloud IAP).
- Don't put a third-party CDN in front of your application. Cloud IAP enforces access at the load balancer, but a CDN caches whatever the origin returns and can serve those cached pages to unauthenticated users without any IAP check.
- If you have large, non-sensitive resources that you want to serve from a CDN, use a separate domain such as images.yourapp.com for those resources. Use the CDN with that domain only, and add the Cache-Control: private HTTP response header to every object that should be served only to authenticated users, so that shared caches never store it.
Securing your app
To properly secure your app, you must use signed headers for App Engine flexible environment (Beta), Compute Engine, and GKE applications: verifying the signed header on every request is what lets the app confirm that the request actually passed through Cloud IAP rather than reaching the backend some other way. Signed headers aren't supported for App Engine standard environment applications; those applications should instead use the approach described in Getting the user's identity. Read about how to secure your app with signed headers.
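The check that signed headers make possible, as an added example that is not code from this page or from Google's IAP libraries: a Go verifier for the x-goog-iap-jwt-assertion header that IAP attaches to every request it proxies. The header name, the ES256 algorithm, the issuer https://cloud.google.com/iap, the JWK-set URL and the audience format are IAP's documented values. The key ID local-kid, the project and backend-service numbers, the user alice@example.com and the signing helper are constructed so that the example runs offline; in production only IAP signs, and the app fetches and caches IAP's JWK set instead of generating a key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IAP signs x-goog-iap-jwt-assertion with ES256 (ECDSA over P-256) and publishes the
// public keys as a JWK set at https://www.gstatic.com/iap/verify/public_key-jwk.
// Fetching and caching that set is left out; here it is already indexed by kid.
type JWK struct{ X, Y string } // base64url P-256 coordinates; encoding/json matches "x"/"y" case-insensitively

// Claims are the assertion fields to check before trusting Sub or Email.
type Claims struct {
	Iss, Aud, Sub, Email string
	Exp                  int64
}

const iapIssuer = "https://cloud.google.com/iap"
var b64 = base64.RawURLEncoding

// VerifyIAPAssertion validates a raw header value: pinned algorithm, signature under a
// published key, then issuer, audience and expiry. expectedAud is this backend's own
// audience, e.g. /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID.
func VerifyIAPAssertion(token string, keys map[string]JWK, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var header struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &header) != nil {
		return nil, errors.New("malformed JWT header")
	}
	if header.Alg != "ES256" { // never let the token choose "none" or an HMAC alg
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	k, ok := keys[header.Kid]
	x, errX := b64.DecodeString(k.X)
	y, errY := b64.DecodeString(k.Y)
	if !ok || errX != nil || errY != nil {
		return nil, fmt.Errorf("no usable key with kid %q", header.Kid)
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // JWS ES256 signature is r||s, 32 bytes each
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims // parse the payload only after the signature checks out
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed JWT payload")
	}
	switch {
	case c.Iss != iapIssuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != expectedAud:
		return nil, fmt.Errorf("token audience %q is not this backend", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// signES256 mimics IAP's signer so the example runs offline with a local key.
// Production code never signs; only IAP holds the private keys.
func signES256(priv *ecdsa.PrivateKey, kid string, payload []byte) string {
	input := b64.EncodeToString([]byte(fmt.Sprintf(`{"alg":"ES256","kid":%q}`, kid))) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:]) // only fails if rand.Reader does
	return input + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

// jwkFor exports a local public key in the shape IAP's JWK set uses.
func jwkFor(pub *ecdsa.PublicKey) JWK {
	return JWK{X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))), Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys := map[string]JWK{"local-kid": jwkFor(&priv.PublicKey)}
	aud := "/projects/123456/global/backendServices/7890" // constructed, not a real backend
	now := time.Now()
	payload := fmt.Sprintf(`{"iss":%q,"aud":%q,"exp":%d,"sub":"accounts.google.com:1","email":"alice@example.com"}`,
		iapIssuer, aud, now.Add(10*time.Minute).Unix())
	token := signES256(priv, "local-kid", []byte(payload))
	c, err := VerifyIAPAssertion(token, keys, aud, now)
	fmt.Println("accepted:", err == nil && c.Email == "alice@example.com")
	_, err = VerifyIAPAssertion(token, keys, "/projects/123456/global/backendServices/9999", now)
	fmt.Println("wrong audience rejected:", err != nil)
}
```

The order of checks matters: the algorithm is pinned and the signature verified before the payload is parsed, so a forged or alg=none token is rejected without any of its claims being trusted. The audience check is what stops a valid token minted for a different IAP-protected backend in the same project from being replayed against this one.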
Configuring your firewall
Make sure all requests to Compute Engine or GKE are routed through
the load balancer:
- Configure a firewall rule to allow health checking and make sure that all traffic to your Virtual Machine (VM) is from a Google Front End (GFE) IP.
- For additional protection, check the source IP of requests in your app to make sure they're from the same IP range that the firewall rule allows.
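One way to do the in-app source-IP check from the last step, as an added example that is not part of the original page or of any Google library: a Go middleware that looks at the TCP peer address of each request and rejects anything that did not arrive from the GFE and health-check ranges. The two ranges, 130.211.0.0/22 and 35.191.0.0/16, are the ones Google documents for proxied load-balancer traffic and health checks; confirm them against the current documentation before relying on them. The handler, the peer addresses and the spoofed X-Forwarded-For value are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/netip"
)

// Ranges the Google Front Ends and load balancer health checkers connect from.
// Taken from Google's published load-balancer documentation at the time of
// writing; treat them as an assumption and re-check them before deploying.
var gfeRanges = mustPrefixes("130.211.0.0/22", "35.191.0.0/16")

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// fromGFE reports whether the TCP peer of the request lies inside the allowed
// ranges. It deliberately ignores X-Forwarded-For: that header carries the end
// user's address plus anything a direct caller chooses to put there, whereas
// RemoteAddr is the address the kernel actually accepted the connection from.
func fromGFE(remoteAddr string, allowed []netip.Prefix) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip, err := netip.ParseAddr(host)
	if err != nil {
		return false
	}
	ip = ip.Unmap() // a dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d
	for _, p := range allowed {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// RequireGFE wraps a handler and rejects connections that bypassed the load balancer.
func RequireGFE(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !fromGFE(r.RemoteAddr, gfeRanges) {
			http.Error(w, "direct access to this backend is not permitted", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives the middleware with a constructed peer address and returns
// the HTTP status the client would see.
func statusFor(remoteAddr string) int {
	h := RequireGFE(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	req := httptest.NewRequest("GET", "/", nil)
	req.RemoteAddr = remoteAddr
	req.Header.Set("X-Forwarded-For", "130.211.0.1") // spoofable, so it must not influence the decision
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, peer := range []string{"35.191.0.10:43210", "130.211.1.5:8080", "203.0.113.7:5555", "[::ffff:35.191.2.3]:1"} {
		fmt.Println(peer, "->", statusFor(peer))
	}
}
```

The firewall rule referred to in the first step is the network-level twin of this check, for example one created with gcloud compute firewall-rules create using --source-ranges 130.211.0.0/22,35.191.0.0/16 and --allow restricted to the backend's port. The middleware is the second layer for the case where the rule is misconfigured or a VM ends up on a network the rule does not cover; because it trusts only RemoteAddr, a caller that reaches the VM directly gains nothing by forging X-Forwarded-For.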
In the GCP Console, Cloud IAP displays an error or warning if your firewall rules appear to be set up incorrectly. The Cloud IAP GCP Console doesn't detect which VM is used for each service, so the firewall analysis doesn't cover advanced features such as non-default networks and firewall rule tags. To bypass this analysis, enable Cloud IAP through the gcloud compute backend-services update command.