Enabling Cloud IAP for on-premises apps

This guide explains how to secure an HTTP-based, on-premises app outside of Google Cloud Platform (GCP) with Cloud Identity-Aware Proxy (Cloud IAP) by deploying a Cloud IAP connector.

For more information on how Cloud IAP secures on-premises apps and resources, see the Cloud IAP for on-premises apps overview.

Before you begin

Before you begin, you'll need the following:

  • The Google Cloud SDK installed.
  • An HTTP-based, on-premises app that's accessible through a DNS hostname and accepts HTTPS traffic. Note that each on-premises app needs its own Cloud IAP instance.
  • An established site-to-site VPN between GCP and your on-premises app, using Cloud Interconnect, if your app isn't publicly accessible.
  • A Cloud Identity member granted the Owner role on your GCP project.
  • A GCP project with billing enabled.
  • The DNS hostname to use as the ingress point for traffic to GCP. For example, www.hr-domain.com.
  • The DNS hostname of your on-premises app. For example, hr-internal.domain.com.
  • An SSL or TLS certificate for the DNS hostname that is used as the ingress point for traffic to GCP. An existing self-managed or Google-managed certificate can be used. If you don't have a certificate, create one using Let's Encrypt.

Enabling required APIs

To configure a Cloud IAP connector you must enable the following APIs.

  1. Enable the Compute Engine API.

  2. Enable the Google Kubernetes Engine API.

  3. Enable the Cloud Deployment Manager API V2.

Creating a Cloud IAP connector deployment

A Cloud IAP connector is a Deployment Manager template that creates the resources and routing rules needed to forward requests that have been authenticated and authorized by Cloud IAP to your on-premises app. The following sections walk through configuring and deploying a Cloud IAP connector.

Setting permissions

To deploy a Cloud IAP connector, your GCP project's Google APIs Service Agent account needs the Kubernetes Engine Admin role. This service account allows Deployment Manager to create a Google Kubernetes Engine (GKE) cluster and all the resources running in it.

To grant the Kubernetes Engine Admin role on the Google APIs Service Agent account:

  1. Go to the Cloud IAM page.
  2. Edit the permissions of the PROJECT_NUMBER@cloudservices.gserviceaccount.com member by clicking the Edit member button.
  3. Click Add another role and select Kubernetes > Kubernetes Engine Admin from the Role drop-down.
  4. Click Save.

Your Google APIs Service Agent account now has the Editor and Kubernetes Engine Admin roles on your project.

Creating an SSL certificate resource

A new SSL certificate resource is needed when configuring your Cloud IAP connector's HTTP(S) load balancer proxy.

To create a new SSL certificate resource from the gcloud command-line tool using your SSL or TLS certificate and private key:

  1. Create a new SSL certificate resource using compute ssl-certificates create.

    gcloud compute ssl-certificates create CERTIFICATE_NAME \
        --private-key=PRIVATE_KEY_FILE.pem \
        --certificate=CERTIFICATE_FILE.pem

  2. Optionally, confirm your new SSL certificate resource is available.

    1. Go to the Load balancing page.
    2. Below the list of load balancers, click Advanced menu.
    3. Click Certificates.

Downloading and configuring a Cloud IAP connector

The Cloud IAP connector's Deployment Manager template is configurable and must be edited to fit your deployment. To download and configure your template:

  1. Download the Cloud IAP connector Deployment Manager template by cloning the Cloud IAP connector GitHub repository.

  2. Open the cloned repository's folder and update the required fields in the iap-connector.yaml file. For info about routing rules, see the Cloud IAP for on-premises apps overview.

         resources:
         - name: iap-connector
           type: iap-connector.py
           properties:
             zone: ZONE
             serviceAccountName: PROJECT_NUMBER@cloudservices.gserviceaccount.com
             routing:
             - name: BACKEND_SERVICE_NAME
               mapping:
               - name: host
                 source: SOURCE
                 destination: DESTINATION_URL
             tls:
             - CERTIFICATE_NAME
    
    Required fields:

    • zone: The zone where the Cloud IAP connector is deployed. For example, us-central1-a.
    • serviceAccountName: The name of the Google APIs Service Agent account that is granted the Kubernetes Engine Admin role.
    • routing.mapping.source: The URL of requests coming to GCP. This is where traffic enters the environment.
    • routing.mapping.destination: The URL of your on-premises app that Cloud IAP routes traffic to after a user has been authenticated and authorized.
    • tls: The name of your SSL certificate resource.
    • routing.name: The name of the new backend service behind the HTTP(S) load balancer.

    Optional fields:

    • initialNodeCount: Initial number of nodes desired in the cluster. By default, the initial node count is 3.
    • imageVersion: The Ambassador image version to run. By default, the image version is 0.39.0.
    • replicas: The initial number of replicas for Ambassador deployment. By default, the number of replicas is 3.

    To see the Cloud IAP connector specification, view the iap-connector.py.schema file.

  3. Save your updated iap-connector.yaml file.

Deploying a Cloud IAP connector

  1. Deploy the Cloud IAP connector and its Google Kubernetes Engine cluster by running the following gcloud command:

    gcloud deployment-manager deployments create NAME_OF_DEPLOYMENT --config=iap-connector.yaml
    
  2. Optionally, monitor the deployment from the GCP console:

    1. Go to the Deployment Manager page.
    2. View the status of your deployment by selecting the name of your deployment. Note that deployment can take several minutes to complete.
  3. Optionally, see the status of your Google Kubernetes Engine cluster by going to the Kubernetes clusters page.

  4. The deployment creates a Cloud Load Balancing HTTP(S) load balancer. Associate your source domain with the public IPv4 address of the load balancer by updating the DNS resource records within your domain manager.

    To obtain the public IPv4 address:

    1. Go to the Load balancing page.
    2. Click the Name of the load balancer resource that was generated.

      The IPv4 address is under Frontend and is associated with your certificate name.

Web request traffic to your app is now being forwarded from the Cloud IAP connector to your on-premises app.

Configuring the OAuth consent screen

If you haven't configured your project's OAuth consent screen, you'll need to do so. An email address and product name are required for the OAuth consent screen.

  1. Go to the OAuth consent screen.
  2. Under Support email, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
  3. Enter the Application name you want to display.
  4. Add any optional details you'd like.
  5. Click Save.

To change information on the OAuth consent screen later, such as the product name or email address, repeat the steps above to configure the consent screen.

Setting up Cloud IAP access

  1. Go to the Identity-Aware Proxy page.
  2. Select the project you want to secure with Cloud IAP.
  3. Select the checkbox next to the resource you want to add members to.
  4. On the right side panel, click Add member.
  5. In the Add members dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of accounts can be members:

    • Google Accounts: user@gmail.com
    • Google Groups: admins@googlegroups.com
    • Service accounts: server@example.gserviceaccount.com
    • G Suite domains: example.com

    Make sure to add a Google account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. Click Save.

Turning on Cloud IAP

  1. On the Identity-Aware Proxy page, under HTTPS Resources, find the name of your Cloud IAP connector deployment. To turn on Cloud IAP, click Off in the IAP column.
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want your on-premises app to be secured by Cloud IAP. After you turn on Cloud IAP, it requires login credentials for all connections to your load balancer, and only accounts with the IAP-secured Web App User role on the project will be given access. Note that there can be a delay of approximately 10 minutes between when Cloud IAP is enabled and when the lockdown occurs.
  3. Confirm Cloud IAP is enabled by navigating to the internal URL of your on-premises app. Cloud IAP is enabled if an authentication prompt appears.

All traffic to your on-premises app is now being authenticated and authorized by Cloud IAP.

Securing outbound traffic

Once deployed, a Cloud IAP connector forwards requests to your on-premises backend. Because the Cloud IAM access policy is enforced at the Cloud IAP connector rather than at your backend, any request that reaches the backend by another path bypasses that policy. Make sure that all requests to your backend have been authenticated and authorized by Cloud IAP.

Confirm that traffic arriving at your backend came through the Cloud IAP connector using the following methods:

  • Check requests for a Cloud IAP-signed header. Requests authenticated and authorized by Cloud IAP carry a JWT signed by Cloud IAP in a request header; validate its signature and claims rather than only its presence.
  • Limit access to your backend to the specific range of IP addresses used by the Cloud IAP connector. This is done by setting appropriate firewall rules in front of your on-premises app.
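The following Go program is an added example showing the first check above as a backend would perform it; it is not code from this guide or from the Cloud IAP connector project. It assumes the Cloud IAP conventions that the signed JWT arrives in the x-goog-iap-jwt-assertion request header, is signed with ES256, uses the issuer https://cloud.google.com/iap, and that the current public keys are published as a JSON object of key id to PEM at https://www.gstatic.com/iap/verify/public_key (for a backend service the audience has the form /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID). To run offline, the key pair, the kid "example-kid" and the audience "aud-placeholder" are constructed placeholders, and SignES256 stands in for Cloud IAP as the signer. The IP-range check from the second bullet belongs in the firewall and is not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IAPIssuer is the "iss" claim Cloud IAP sets in the JWT it attaches to requests.
const IAPIssuer = "https://cloud.google.com/iap"

// Claims is the subset of the IAP JWT payload checked here.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

func decodeJSON(seg string, out interface{}) error { // base64url segment -> JSON
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// Verify validates the token from the x-goog-iap-jwt-assertion header: pinned algorithm, known
// kid, ES256 signature, issuer, audience, expiry. keys maps kid to public key (in production, load it from https://www.gstatic.com/iap/verify/public_key).
func Verify(keys map[string]*ecdsa.PublicKey, audience, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdr := struct{ Alg, Kid string }{}
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return nil, err
	}
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "ES256" || !ok { // pin the algorithm; the token never chooses it
		return nil, fmt.Errorf("rejected header alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signature is r||s, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims // claims are only parsed after the signature has been checked
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != IAPIssuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	case c.Exp <= time.Now().Unix():
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// SignES256 builds a compact ES256 JWT. It exists only to construct sample tokens for this
// example; in production only Cloud IAP signs them.
func SignES256(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// NewTestKey makes a throwaway P-256 key pair (constructed, not IAP's) under a placeholder kid.
func NewTestKey() (*ecdsa.PrivateKey, string, map[string]*ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return priv, "example-kid", map[string]*ecdsa.PublicKey{"example-kid": &priv.PublicKey}
}

func main() {
	priv, kid, keys := NewTestKey()
	tok, _ := SignES256(priv, kid, Claims{Iss: IAPIssuer, Aud: "aud-placeholder", Email: "user@example.com", Exp: time.Now().Add(time.Minute).Unix()})
	fmt.Println(Verify(keys, "aud-placeholder", tok))
}
```

The order of checks matters: the algorithm is pinned and the key selected by kid before anything is parsed from the payload, the signature is verified over the exact header and payload segments as received, and only then are issuer, audience and expiry compared. A backend that only tests whether the header is present, or that lets the token's own alg field pick the verification method, does not gain the assurance the bullet above is asking for.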

Updating a Cloud IAP connector deployment

The routing rules of your Cloud IAP connector can be updated and pushed to your deployed GKE cluster using the following process. For more information, see Updating a deployment.

  1. Update your iap-connector.yaml file with new routing parameters.
  2. Run the following gcloud command:

    gcloud deployment-manager deployments update NAME_OF_DEPLOYMENT --config=iap-connector.yaml


Deleting a Cloud IAP connector deployment

Deleting your Cloud IAP connector deployment turns off Cloud IAP, leaving your app without an access authentication system. All resources created by the deployment are removed, including routing rules.

To delete your Cloud IAP connector deployment:

  1. Go to the Deployment Manager page.
  2. In the list of deployments, select the check box next to your Cloud IAP deployment.
  3. On the top of the page, click Delete.

If you need to re-create your Cloud IAP connector deployment that you deleted, you can use your original configuration file. A re-created deployment is considered a new deployment, with new resources.
