Enabling IAP for on-premises apps

This guide explains how to secure an HTTP or HTTPS based, on-premises app outside of Google Cloud with Identity-Aware Proxy (IAP) by deploying an IAP connector.

For more information on how IAP secures on-premises apps and resources, see the IAP for on-premises apps overview.

Before you begin

Before you begin, you need the following:

  • An HTTP or HTTPS based on-premises app.
  • A Cloud Identity member granted the Owner role on your Google Cloud project.
  • A Google Cloud project with billing enabled.
  • A BeyondCorp Enterprise license.
  • The external URL to use as the ingress point for traffic to Google Cloud. For example, www.hr-domain.com.
  • An SSL or TLS certificate for the DNS hostname that is used as the ingress point for traffic to Google Cloud. An existing self-managed or Google-managed certificate can be used. If you don't have a certificate, create one using Let's Encrypt.
  • If VPC Service Controls is enabled, a VPC network with an egress policy on the cp action for the VM service account to the gce-mesh bucket, which is in project 278958399328. This grants the VPC network permission to retrieve the Envoy binary from the gce-mesh bucket. If VPC Service Controls is not enabled, the permission is granted by default.

Deploy a connector for an on-premises app

  1. Go to the IAP admin page.

  2. Begin setting up your connector deployment for an on-premises app by clicking On-prem connectors setup.

  3. Ensure that the required APIs are loaded by clicking Enable APIs.

  4. Choose whether the deployment should use a Google-managed certificate or one managed by you, select the network and subnet for the deployment (or choose to create a new one), and then click Next.

  5. Enter the details for an on-premises app you want to add:

    • The external URL of requests coming to Google Cloud. This URL is where traffic enters the environment.
    • A name for the app. It will also be used as the name for a new backend service behind the load balancer.
    • The on-prem endpoint type and its details:
      • FQDN: the fully qualified domain name to which the connector should forward traffic, and the region where the connector should be deployed.
      • IP Address: the region where the connector should be deployed (for example, us-central), one or more zones in which the IAP connector should be deployed (for example, us-central1-a), and, for each zone, the IPv4 address of the internal destination for the on-premises app to which IAP routes traffic after the user has been authenticated and authorized.
    • The protocol that you want to use, together with its port value, such as 443 for HTTPS or 80 for HTTP.
    • The port used to access the internal destinations.

  6. Click Done to save the details for that app. If you want, you can then define additional on-premises apps for the deployment.

  7. When you're ready, click Submit to begin deployment of the apps you've defined.

Once the deployment is complete, your on-prem connector apps appear in the HTTP resources table and IAP can be enabled.

If you choose to let Google auto-generate and manage the certificates, provisioning can take a few minutes. You can check the status on the Cloud Load Balancing detail page. For more information about the status, see the troubleshooting page.
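The checks a practitioner would run after the deployment finishes, as an added example that is not part of this guide: it confirms that the on-prem-app-deployment exists, that the Google-managed certificate has reached ACTIVE (otherwise the external URL is not served yet), and that IAP is enabled on the backend service created for the app, so that the connector cannot be reached without authentication. The project ID, the app name entered in step 5 (which is also the backend service name) and the certificate name are assumed arguments.

```shell
# Post-deployment verification for an IAP on-prem connector.
# Assumed: PROJECT_ID, APP_NAME (backend service name) and CERT_NAME are passed in.
set -eu

DEPLOYMENT="on-prem-app-deployment"   # name used by the On-prem connectors setup

# Decision helpers kept separate from gcloud so they can be tested offline.
# A Google-managed certificate serves traffic only once managed.status is ACTIVE.
cert_is_active() {
  [ "$1" = "ACTIVE" ]
}

# iap.enabled on the backend service must be True; anything else means the
# external URL reaches the connector without IAP authentication.
iap_is_enabled() {
  case "$1" in
    True|true) return 0 ;;
    *) return 1 ;;
  esac
}

verify_connector() {
  project="$1"; app="$2"; cert="$3"

  # 1. The Deployment Manager deployment created by the setup wizard exists.
  gcloud deployment-manager deployments describe "$DEPLOYMENT" \
    --project "$project" >/dev/null

  # 2. The managed certificate has finished provisioning.
  status=$(gcloud compute ssl-certificates describe "$cert" --global \
    --project "$project" --format='value(managed.status)')
  cert_is_active "$status" || { echo "certificate $cert is $status, not ACTIVE"; return 1; }

  # 3. IAP is switched on for the app's backend service.
  enabled=$(gcloud compute backend-services describe "$app" --global \
    --project "$project" --format='value(iap.enabled)')
  iap_is_enabled "$enabled" || { echo "IAP is not enabled on backend service $app"; return 1; }

  echo "connector deployment for $app looks healthy"
}

# Usage: verify_connector PROJECT_ID APP_NAME CERT_NAME
```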

Manage a connector for an on-premises app

  • You can add more apps to your deployment at any time by clicking On-prem connectors setup.
  • You can only delete an on-premises connector app by deleting the entire deployment:

    1. Go to the Deployment Manager page.

    2. In the list of deployments, select the checkbox next to the "on-prem-app-deployment" deployment.

    3. At the top of the page, click Delete.