Best practices

This page describes best practices for using Identity-Aware Proxy (IAP).


  • Don't use a third-party CDN in front of your application. CDNs may cache content and serve cached pages to unauthenticated users.
    • If you have large, non-sensitive resources that you want to serve from a CDN, use a separate domain for these resources. Use the CDN with that domain and add the Cache-control: private HTTP response header to all objects that should only be served to authenticated users.

Securing your app

To properly secure your app, you must use signed headers for App Engine flexible environment Beta, App Engine standard environment, Compute Engine, and GKE applications.

Configuring your firewall

  • Make sure all requests to Compute Engine or GKE are routed through the load balancer:
    • Configure a firewall rule to allow health checking and make sure that all traffic to your Virtual Machine (VM) is from a Google Front End (GFE) IP.
    • For additional protection, check the source IP of requests in your app to make sure they're from the same IP range that the firewall rule allows.
  • In the Cloud Console, IAP displays an error or warning if your firewall rules appear to be set up incorrectly. The IAP Cloud Console doesn't detect which VM is used for each service, so the firewall analysis doesn't include advanced features like non-default networks and firewall rule tags. To bypass this analysis, enable IAP through the gcloud compute backend-services update command.
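
The in-app source IP check described above, sketched as WSGI middleware. This is an added example, not code from the IAP documentation. The class and function names are hypothetical, and the two CIDR ranges are an assumption: they are the ranges Google documents for HTTP(S) load balancer and health-check traffic, and should be replaced with whatever your firewall rule actually allows.

```python
import ipaddress

# Assumption: ranges copied from your own firewall rule. The two below are the
# ranges Google documents for HTTP(S) load balancer and health-check traffic.
ALLOWED_RANGES = [ipaddress.ip_network(c) for c in ("130.211.0.0/22", "35.191.0.0/16")]


def peer_is_allowed(remote_addr, allowed=ALLOWED_RANGES):
    """Return True only if the TCP peer address falls inside an allowed range."""
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except (AttributeError, ValueError):
        return False  # missing or malformed address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed if net.version == addr.version)


class RequireLoadBalancerPeer:
    """WSGI middleware (hypothetical name) that rejects direct-to-VM requests."""

    def __init__(self, app, allowed=ALLOWED_RANGES):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the socket peer. X-Forwarded-For is deliberately
        # ignored: it is request data and the sender can set it to anything.
        if not peer_is_allowed(environ.get("REMOTE_ADDR"), self.allowed):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def demo_status(remote_addr, forwarded_for=None):
    """Run one constructed request through the middleware and return the status."""
    seen = []
    def inner(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    environ = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if forwarded_for:
        environ["HTTP_X_FORWARDED_FOR"] = forwarded_for
    body = RequireLoadBalancerPeer(inner)(environ, lambda s, h: seen.append(s))
    list(body)
    return seen[0]
```

This check complements the firewall rule and signed headers; it does not replace either.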