Google Cloud 트래픽의 인그레스 지점으로 사용할 외부 URL. 예를 들면 www.hr-domain.com입니다.
Google Cloud로 유입되는 트래픽의 인그레스 지점으로 사용되는 DNS 호스트 이름의 SSL 또는 TLS 인증서. 기존 자체 관리형 인증서 또는 Google 관리형 인증서를 사용할 수 있습니다. 인증서가 없는 경우 Let's Encrypt를 사용하여 만드세요.
VPC 서비스 제어가 사용 설정된 경우 VM 서비스 계정에서 프로젝트 278958399328의 gce-mesh 버킷으로의 cp 작업에 대한 이그레스 정책이 있는 VPC 네트워크. 이는 VPC 네트워크에 gce-mesh 버킷에서 Envoy 바이너리 파일을 검색할 수 있는 권한을 부여합니다.
VPC 서비스 제어가 사용 설정되지 않은 경우 기본적으로 권한이 부여됩니다.
다음 단계를 완료하여 외부 IP를 사용 중지하세요.
구성에서 체크박스를 선택하여 IAP 커넥터에 사용되는 VPC 서브넷에서 비공개 Google 액세스를 사용 설정합니다. 자세한 내용은 비공개 Google 액세스를 참조하세요.
VPC 네트워크의 방화벽 구성에 따라 VM에서 Google API 및 서비스에 사용되는 IP 주소로의 액세스가 허용되는지 확인합니다. 기본적으로는 암시적으로 허용되지만 사용자가 명시적으로 변경할 수 있습니다. IP 범위를 찾는 방법에 대한 자세한 내용은 기본 도메인의 IP 주소를 참조하세요.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2024-12-21(UTC)"],[],[],null,["# Enabling IAP for on-premises apps\n\nThis guide explains how to secure an HTTP or HTTPS based, on-premises app outside of\nGoogle Cloud with\n[Identity-Aware Proxy (IAP)](/iap/docs/concepts-overview) by deploying an\nIAP connector.\nFor more information on how IAP secures on-premises apps and resources, see the [IAP for on-premises apps overview](/iap/docs/cloud-iap-for-on-prem-apps-overview).\n\nBefore you begin\n----------------\n\nBefore you begin, you need the following:\n\n- An HTTP or HTTPS based on-premises app.\n- A Cloud Identity member [granted the\n **Owner** role](/iam/docs/granting-changing-revoking-access#grant_access) on your Google Cloud project.\n- Granted the [Google APIs Service Agent](/iam/docs/service-agents#google-apis-service-agent) with owner role.\n- A Google Cloud project with [billing enabled](/billing/docs/how-to/modify-project).\n- The external URL to use as the ingress point for traffic to Google Cloud. For example, `www.hr-domain.com`.\n- An SSL or TLS certificate for the DNS hostname that is used as the ingress point for traffic to Google Cloud. An existing self-managed or [Google-managed](/load-balancing/docs/ssl-certificates#managed-certs) certificate can be used. If you don't have a certificate, create one using [Let's Encrypt](https://letsencrypt.org/).\n- If VPC Service Controls is enabled, a VPC network with an [egress policy](/vpc-service-controls/docs/ingress-egress-rules#egress_rules_reference) on `cp` action for the VM service account to the gce-mesh bucket, which is in project 278958399328. This grants the VPC network permission to retrieve the Envoy binary file from the gce-mesh bucket. The permission is granted by default, if VPC Service Controls is not enabled.\n- Disable an external IP by completing the following steps:\n\n 1. Enable Private Google Access on the VPC subnet that is used for the IAP connector by checking the box in the configuration. For additional information, see [Private Google Access](https://cloud.google.com/vpc/docs/private-google-access).\n 2. Ensure that the firewall configuration of the VPC network allows access from the VMs to the IP addresses used by the Google APIs and services. This is implicitly allowed by default, but can be changed by the users explicitly. For information about how to find the IP range, see [IP addresses for default domains](https://cloud.google.com/vpc/docs/configure-private-google-access#ip-addr-defaults).\n\nDeploy a connector for an on-premises app\n-----------------------------------------\n\n1. Go to the [IAP admin page](https://console.cloud.google.com/security/iap).\n\n [Go to the IAP admin page](https://console.cloud.google.com/security/iap)\n2. Begin setting up your connector deployment for an on-premises app by clicking\n **On-prem connectors setup**.\n\n3. Ensure that the required APIs are loaded by clicking **Enable APIs**.\n\n4. Choose whether the deployment should use a Google-managed certificate or one\n managed by you, select the network and subnet for the deployment (or choose\n to create a new one), and then click **Next**.\n\n5. Enter the details for an on-premises app you want to add:\n\n - The external URL of requests coming to Google Cloud. This URL is where traffic enters the environment.\n - A name for the app. It will also be used as the name for a new [backend service](/load-balancing/docs/backend-service) behind the load balancer.\n - The on-prem endpoint type and its details:\n\n - Fully qualified domain name (FQDN): The domain where the connector should forward the traffic.\n - IP address: One or more zones for where the IAP connector should be deployed (for example, `us-central1-a`) and, for each, the IPv4 address of the internal destination for the on-premises app to which IAP routes traffic after a user has been authorized and authenticated.\n\n | **Note:** If your on-prem endpoint is an IP address, consider using a [hybrid connectivity network endpoint group](https://cloud.google.com/load-balancing/docs/negs/hybrid-neg-concepts#use-case_routing_traffic_to_an_on-premises_location_or_another_cloud) directly with a load balancer instead of using the IAP on-prem connector.\n - The protocol used by the on-prem endpoint.\n\n - The port number used by the on-prem endpoint, such as 443 for HTTPS or 80 for HTTP.\n\n6. Click **Done** to save the details for that app. If you want, you can then\n define additional on-premises apps for the deployment.\n\n7. When you're ready, click **Submit** to begin deployment of the apps you've\n defined.\n\nOnce the deployment is complete, your on-prem connector apps appear in the\n**HTTP resources** table and IAP can be enabled.\n\nIf you choose to let Google auto-generate and manage the certificates, it might\ntake a few minutes for the certificates to provision. You can check the status\nat the Cloud Load Balancing detail page. For more information about the\nstatus, see\n[troubleshooting page](/load-balancing/docs/ssl-certificates/troubleshooting#certificate-managed-status).\n\nManage a connector for an on-premises app\n-----------------------------------------\n\n- You can add more apps to your deployment at any time by clicking **On-prem connectors setup**.\n- You can delete the on-premises connector by deleting the entire\n deployment:\n\n 1. Go to the [Deployment Manager page](https://console.cloud.google.com/dm/deployments).\n\n [Go to the Deployment Manager page](https://console.cloud.google.com/dm/deployments)\n 2. In the list of deployments, select the checkbox next to the\n \"on-prem-app-deployment\" deployment.\n\n 3. On the top of the page, click **Delete**\n\n- You can delete individual app by clicking the delete button in the\n **On-prem connectors setup**\n The on-premises connector must contains at least one app. To remove all app,\n please delete the entire deployment."]]