This guide explains how to secure an HTTP or HTTPS based, on-premises app outside of Google Cloud with Identity-Aware Proxy (IAP) by deploying an IAP connector.For more information on how IAP secures on-premises apps and resources, see the IAP for on-premises apps overview.
Before you begin
Before you begin, you need the following:
- An HTTP or HTTPS based on-premises app.
- A Cloud Identity member granted the Owner role on your Google Cloud project.
- A Google Cloud project with billing enabled.
- A BeyondCorp Enterprise license.
- The external URL to use as the ingress point for traffic to
Google Cloud. For example,
- An SSL or TLS certificate for the DNS hostname that is used as the ingress point for traffic to Google Cloud. An existing self-managed or Google-managed certificate can be used. If you don't have a certificate, create one using Let's Encrypt.
- If VPC Service Controls is enabled, a VPC network with an
cpaction for the VM service account to the gce-mesh bucket, which is in project 278958399328. This grants the VPC network permission to retrieve the Envoy binary file from the gce-mesh bucket. The permission is granted by default, if VPC Service Controls is not enabled.
Deploy a connector for an on-premises app
Go to the IAP admin page.
Begin setting up your connector deployment for an on-premises app by clicking On-prem connectors setup.
Ensure that the required APIs are loaded by clicking Enable APIs.
Choose whether the deployment should use a Google-managed certificate or one managed by you, select the network and subnet for the deployment (or choose to create a new one), and then click Next.
Enter the details for an on-premises app you want to add:
- The external URL of requests coming to Google Cloud. This URL is where traffic enters the environment.
- A name for the app. It will also be used as the name for a new backend service behind the load balancer.
- The on-prem endpoint type and its details:
- FQDN: The domain where the connector should forward the traffic. Region: The region where the connector should be deployed.
- IP Address: The region where the connector should be deployed. For example,
us-central. One or more zones for where the IAP connector should be deployed (for example,
us-central1-a) and, for each, the IPv4 address of the internal destination for the on-premises app to which IAP routes traffic after a user has been authorized and authenticated.
- The protocol that you want to use. You must also enter a port value, such as 443 for HTTPS or 80 for HTTP.
- The port used to access the internal destinations.
Click Done to save the details for that app. If you want, you can then define additional on-premises apps for the deployment.
When you're ready, click Submit to begin deployment of the apps you've defined.
Once the deployment is complete, your on-prem connector apps appear in the HTTP resources table and IAP can be enabled.
If you choose to let Google auto-generate and manage the certificates, it might take a few minutes for the certificates to provision. You can check the status at the Cloud Load Balancing detail page. For more information about the status, see troubleshooting page.
Manage a connector for an on-premises app
- You can add more apps to your deployment at any time by clicking On-prem connectors setup.
You can only delete an on-premises connector app by deleting the entire deployment: