This guide explains how to secure an HTTP-based, on-premises app outside of Google Cloud Platform (GCP) with Cloud Identity-Aware Proxy (Cloud IAP) by deploying a Cloud IAP connector.
For more information on how Cloud IAP secures on-premises apps, see the Cloud IAP for on-premises apps overview.
Before you begin
Before you begin, you'll need the following:
- The Google Cloud SDK installed.
- An HTTP-based, on-premises app that's accessible through a DNS hostname and accepts HTTPS traffic. Note that each on-premises app needs its own Cloud IAP instance.
- An established site-to-site VPN between GCP and your on-premises app using Cloud Interconnect, if your app isn't publicly accessible.
- Learn how to set up Cloud Interconnect.
- A Cloud Identity member granted the Owner role on your GCP project.
- A GCP project with billing and the following APIs enabled.
- The DNS hostname to use as the ingress point for traffic to GCP. For example,
- The DNS hostname of your on-premises app. For example,
- An SSL or TLS certificate for the DNS hostname that is used as the ingress point for traffic to GCP. An existing self-managed or Google-managed certificate can be used. If you don't have a certificate, create one using Let's Encrypt.
Creating a Cloud IAP connector deployment
A Cloud IAP connector is a Cloud Deployment Manager template that creates the resources and routing rules needed to forward requests that have been authenticated and authorized by Cloud IAP to your on-premises app. The following sections walk through configuring and deploying a Cloud IAP connector.
To deploy a Cloud IAP connector, your GCP project's Google APIs Service Agent account needs the Kubernetes Engine Admin role. This service account allows Cloud Deployment Manager to create a Google Kubernetes Engine (GKE) cluster and all the resources running in it.
To grant the Kubernetes Engine Admin role on the Google APIs Service Agent account:
- Go to the Cloud IAM page.
- Edit the permissions of the PROJECT_NUMBER@cloudservices.gserviceaccount.com member by clicking the Edit member button.
- Click Add another role and select Kubernetes > Kubernetes Engine Admin from the Role drop-down.
- Click Save.
Your Google APIs Service Agent account now has the Editor and Kubernetes Engine Admin roles on your project.
Creating an SSL certificate resource
A new SSL certificate resource is needed when configuring your Cloud IAP connector's HTTP(S) load balancer proxy.
To create a new SSL certificate resource from the gcloud command-line tool using your SSL or TLS certificate and private key:
Create a new SSL certificate resource using compute ssl-certificates create.
gcloud compute ssl-certificates create CERTIFICATE_NAME --private-key=PRIVATE_KEY_FILE.pem --certificate=CERTIFICATE_FILE.pem
Optionally, confirm your new SSL certificate resource is available.
Downloading and configuring a Cloud IAP connector
To fit your deployment needs, your Cloud IAP connector's configurable Cloud Deployment Manager template needs to be updated. To download and configure your template:
Download the Cloud IAP connector Cloud Deployment Manager template by cloning the Cloud IAP connector GitHub repository.
Open the cloned repository's folder and update the required fields in the iap-connector.yaml file. For info about routing rules, see the Cloud IAP for on-premises apps overview.

```yaml
resources:
- name: iap-connector
  type: iap-connector.py
  properties:
    zone: ZONE
    serviceAccountName: PROJECT_NUMBER@cloudservices.gserviceaccount.com
    routing:
    - name: BACKEND_SERVICE_NAME
      mapping:
      - name: host
        source: SOURCE
        destination: DESTINATION_URL
    tls:
    - CERTIFICATE_NAME
```

Required fields:
- serviceAccountName: The name of the Google APIs Service Agent account that is granted the Kubernetes Engine Admin role.
- source: The URL of requests coming to GCP. This is where traffic enters the environment.
- destination: The URL for your on-premises app that Cloud IAP routes traffic to after a user has been authorized and authenticated.
- tls: The name of your SSL certificate resource.
- routing name: The name of the new backend service behind the HTTP(S) load balancer.
- zone: The region where the Cloud IAP connector is deployed. By default, the zone is
- initialNodeCount: Initial number of nodes desired in the cluster. By default, the initial node count is
- imageVersion: The Ambassador image version to run. By default, the image version is
- replicas: The initial number of replicas for the Ambassador deployment. By default, the number of replicas is
To see the Cloud IAP connector specification, view the iap-connector.py.schema file.
Save your updated
Deploying a Cloud IAP connector
Deploy the Cloud IAP connector by running the following gcloud command:
gcloud deployment-manager deployments create NAME_OF_DEPLOYMENT --config=iap-connector.yaml
Optionally, monitor the deployment from the GCP console:
The deployment creates a Cloud Load Balancing HTTP(S) load balancer. Associate your source domain with the public IPv4 address of the load balancer by updating the DNS resource records within your domain manager.
To obtain the public IPv4 address:
Web request traffic to your app is now being forwarded from the Cloud IAP connector to your on-premises app.
Configuring the OAuth consent screen
If you haven't configured your project's OAuth consent screen, you'll need to do so. An email address and product name are required for the OAuth consent screen.
Go to the OAuth consent screen.
- Under Support email, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
- Enter the Application name you want to display.
- Add any optional details you'd like.
- Click Save.
To change information on the OAuth consent screen later, such as the product name or email address, repeat the steps above to configure the consent screen.
Setting up Cloud IAP access
- Go to the Identity-Aware Proxy page.
- Select the project you want to secure with Cloud IAP.
- Select the checkbox next to the resource you want to add members to.
- On the right side panel, click Add member.
- In the Add members dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.
The following kinds of accounts can be members:
- Google Accounts: email@example.com
- Google Groups: firstname.lastname@example.org
- Service accounts: email@example.com
- G Suite domains: example.com
Make sure to add a Google account that you have access to.
- Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
- Click Save.
Turning on Cloud IAP
- On the Identity-Aware Proxy page, under Resource, find the name of your Cloud IAP connector deployment. To turn on Cloud IAP, click Off in the IAP column.
- In the Turn on IAP window that appears, enter the external DNS hostname (URI) that will be used to access your on-prem app.
- Click Turn On to confirm that you want your on-prem app to be secured by Cloud IAP. After you turn on Cloud IAP, it requires login credentials for all connections to your load balancer, and only accounts with the IAP-secured Web App User role on the project will be given access. Note that there can be a delay of approximately 10 minutes between when Cloud IAP is enabled and when the lockdown occurs.
- Confirm Cloud IAP is enabled by navigating to the internal URL of your on-premises app. Cloud IAP is enabled if an authentication prompt appears.
All traffic to your on-premises app is now being authenticated and authorized by Cloud IAP.
Securing outbound traffic
Once deployed, a Cloud IAP connector forwards requests to your on-premises backend. Since the Cloud IAM access policy is enforced at the Cloud IAP connector, ensure that every request reaching your backend has been authenticated and authorized by Cloud IAP, and not sent to the backend directly.
Confirm that outbound traffic has come through the Cloud IAP connector using the following methods:
- Check requests for a Cloud IAP-signed header. Requests authenticated and authorized by Cloud IAP have an attached Cloud IAP signed JWT header.
- Limit access to your backend to a specific range of IP addresses coming from the Cloud IAP connector. This is done by setting proper firewall rules on your on-premises app.
Updating a Cloud IAP connector deployment
The routing rules of your Cloud IAP connector can be updated and pushed to your deployed GKE cluster using the following process. For more information, see Updating a deployment.
- Update your iap-connector.yaml file with new routing parameters.
Run the following gcloud command:
gcloud deployment-manager deployments update NAME_OF_DEPLOYMENT
Deleting a Cloud IAP connector deployment
Deleting your Cloud IAP connector deployment turns off Cloud IAP, leaving your app without an access authentication system. All resources created by the deployment are removed, including routing rules.
To delete your Cloud IAP connector deployment:
- Go to the Cloud Deployment Manager page.
- In the list of deployments, select the check box next to your Cloud IAP deployment.
- On the top of the page, click Delete.
If you need to re-create your Cloud IAP connector deployment that you deleted, you can use your original configuration file. A re-created deployment is considered a new deployment, with new resources.