This guide explains how to secure an HTTP-based, on-premises app outside of Google Cloud with Identity-Aware Proxy (IAP) by deploying an IAP connector. For more information on how IAP secures on-premises apps and resources, see the IAP for on-premises apps overview.
Before you begin
Before you begin, you need the following:
- An HTTP-based, on-premises app that has its own IAP instance.
- A Cloud Identity member granted the Owner role on your Google Cloud project.
- A Google Cloud project with billing enabled.
- The DNS hostname to use as the ingress point for traffic to Google Cloud. For example,
- An SSL or TLS certificate for the DNS hostname that is used as the ingress point for traffic to Google Cloud. An existing self-managed or Google-managed certificate can be used. If you don't have a certificate, create one using Let's Encrypt.
- If VPC Service Controls is enabled, a VPC network with an egress rule for the VM service account to the gce-mesh bucket, which is in project 278958399328. This grants the VPC network permission to retrieve the Envoy binary file from the gce-mesh bucket. If VPC Service Controls is not enabled, the permission is granted by default.
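The following is an added example of what that VPC Service Controls egress policy can look like; it is not from this page or from Google's documentation. The service account email and the project ID are assumed placeholders, and the policy is scoped to the one read operation the connector needs (fetching the Envoy binary) rather than to all of Cloud Storage.

```yaml
# Added example (not part of the original page): egress policy entry for the
# service perimeter that contains the IAP connector VMs. It lets only the
# connector VM's service account read objects from project 278958399328,
# which hosts the gce-mesh bucket, via storage.googleapis.com.
# Assumed placeholders: the service account email and PROJECT_ID.
- egressFrom:
    identities:
      - serviceAccount:iap-connector-sa@PROJECT_ID.iam.gserviceaccount.com
  egressTo:
    resources:
      - projects/278958399328
    operations:
      - serviceName: storage.googleapis.com
        methodSelectors:
          - method: google.storage.objects.get
```

Saved as a file, this is applied to the perimeter with `gcloud access-context-manager perimeters update PERIMETER_NAME --policy=POLICY_ID --set-egress-policies=egress.yaml`; after deployment, a connector VM that cannot fetch the Envoy binary is the usual symptom of this rule being missing.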
Deploy a connector for an on-premises app
Go to the IAP admin page.
Begin setting up your connector deployment for an on-premises app by clicking On-prem connectors setup.
Ensure that the required APIs are loaded by clicking Enable APIs.
Choose whether the deployment should use a Google-managed certificate or one managed by you, select the network and subnet for the deployment (or choose to create a new one), and then click Next.
Enter the details for an on-premises app you want to add:
- The external URL of requests coming to Google Cloud. This URL is where traffic enters the environment.
- A name for the app. It will also be used as the name for a new backend service behind the load balancer.
- The region where the connector should be deployed. For example,
- One or more zones where the IAP connector should be deployed (for example, us-central1-a) and, for each, the IPv4 address of the internal destination for the on-premises app to which IAP routes traffic after a user has been authenticated and authorized.
- The port used to access the internal destinations.
Click Done to save the details for that app. If you want, you can then define additional on-premises apps for the deployment.
When you're ready, click Submit to begin deployment of the apps you've defined.
Once the deployment is complete, your on-prem connector apps appear in the HTTP resources table and IAP can be enabled.
Manage a connector for an on-premises app
- You can add more apps to your deployment at any time by clicking On-prem connectors setup.
- You can only delete an on-premises connector app by deleting the entire deployment: