This page describes how to set up a load balancer to use Identity-Aware Proxy (IAP) with Compute Engine. If you're using IAP with GKE, the load balancer is typically configured by the Kubernetes Ingress controller. For more information, see enabling IAP for GKE.
Before you begin
Before you set up a load balancer, you'll need the following:
- A new domain, unless you already have one you want to use. You can use any domain name registrar, including Google Domains.
- A signed certificate.
Setting up a load balancer in Compute Engine
To set up a load balancer in Compute Engine, your instances need to be in an instance group. This section describes how to create an instance group and then set up load balancing.
Creating an instance group
If you have instances in Compute Engine that aren't in an instance group, follow the steps below to add them to a group:
- Go to the Instance groups page.
- Click Create instance group.
- Under Group type, select Unmanaged instance group.
- Under VM instances, select each instance you want to add to the group.
- You can use the default values for other settings, or change them to the configuration you want.
- Click Create.
Setting up the load balancer
If your instances in Compute Engine are in an instance group, follow the steps below to set up the load balancer:
- Go to the Load balancing page.
- Click Create load balancer.
- Under HTTP(S) Load Balancing, click Start configuration.
- In the New HTTP(S) load balancer panel that appears, add a Name for your load balancer.
- Click Backend configuration, then create or select a backend service. If you create a new backend service, follow the steps below:
- Add a Name for your backend service.
- Under Protocol, select HTTP or HTTPS. For HTTPS, each instance must be configured to serve SSL and have a certificate installed. However, you can use any certificate, including a self-signed one.
- In Backends > New Backend > Instance group, select the instance group you want to use.
- Don't enable Cloud CDN. It isn't supported for IAP. You can keep the other default settings, or customise however you want.
- In Health check > Create a health check, add a Name for your
Note that Compute Engine and GKE health checks don't include JWT headers and IAP doesn't handle health checks. If your health check returns access errors, make sure that you have it configured correctly in the Cloud Console and that your JWT header validation whitelists the health check path. For more information, see Create a health check exception.
- In Host and path rules, you can keep the default settings.
- Click Frontend configuration, then follow the steps below:
- Under Protocol, select HTTPS.
- Under Certificate > Create a new certificate, add a Name for your certificate, then add the Public key certificate and other details as needed.
- When you're finished configuring the load balancer, click Create.
- On the Load balancing screen, note the IP:Port for your load balancer. In the DNS zone for your domain, configure an address record for the desired hostname to resolve to the IP address of your new load balancer so that traffic is routed through the load balancer.
Make sure all requests to Compute Engine or GKE are routed through the load balancer:
- Configure a firewall rule to allow health checking and make sure that all traffic to your Virtual Machine (VM) is from a Google Front End (GFE) IP.
- For additional protection, check the source IP of requests in your app to make sure they're from the same IP range that the firewall rule allows.
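One way to implement the app-side check from the second bullet, together with the health-check path exception described under Health check, as added example code that is not part of this page or Google's own samples. It assumes a Python backend, a hypothetical `/healthz` health-check path, and the GFE and health-check source ranges published in Google Cloud's load balancing documentation, which should be verified against the current documentation before use.

```python
import ipaddress

# GFE proxy and health-check source ranges as published in Google Cloud's
# load balancing documentation (assumption: verify against current docs).
GFE_SOURCE_RANGES = [
    ipaddress.ip_network("130.211.0.0/22"),
    ipaddress.ip_network("35.191.0.0/16"),
]

# Hypothetical health-check path configured for the backend service; the
# health checker sends no IAP JWT, so this path is exempt from JWT checks.
HEALTH_CHECK_PATH = "/healthz"

# Header in which IAP forwards the signed assertion for authenticated requests.
IAP_JWT_HEADER = "x-goog-iap-jwt-assertion"


def is_from_gfe(remote_addr: str) -> bool:
    """Return True if the TCP peer address is in a GFE source range.

    Use the socket peer address, not X-Forwarded-For: the forwarded header
    carries the original client, while the peer is the load balancer itself.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in GFE_SOURCE_RANGES)


def classify_request(remote_addr: str, path: str, headers: dict) -> str:
    """Decide how the backend treats a request before any app logic runs.

    Returns "health-check", "verify-jwt" (hand off to full IAP JWT signature
    and audience verification) or a "reject: ..." reason string.
    """
    if not is_from_gfe(remote_addr):
        return "reject: not from load balancer"
    if path == HEALTH_CHECK_PATH:
        return "health-check"
    lowered = {k.lower(): v for k, v in headers.items()}
    if IAP_JWT_HEADER not in lowered:
        return "reject: missing IAP assertion"
    return "verify-jwt"
```

A request that reaches `"verify-jwt"` still needs its assertion's signature, issuer and audience validated; the source-IP check only confirms the load balancer was not bypassed.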
In the Cloud Console, IAP displays an error or warning if your firewall rules appear to be set up incorrectly. The IAP Cloud Console doesn't detect which VM is used for each service, so the firewall analysis doesn't include advanced features like non-default networks and firewall rule tags. To bypass this analysis, enable IAP through the gcloud compute backend-services update command.