This page describes how to use VPC Service Controls to protect IAP for TCP forwarding, and how to use IAP for TCP forwarding within a VPC Service Controls perimeter.
Before you begin
Read the Overview of VPC Service Controls.
Set up usage of IAP TCP forwarding without a service perimeter.
Create a service perimeter using VPC Service Controls. This service perimeter protects the Google-managed resources of services that you specify. When you create your service perimeter, do the following:
Add the project that contains the Compute Engine instance you want to connect to with IAP to the projects within your service perimeter. If you are running an IAP for TCP client on a Compute Engine instance, also put the project containing this instance into the perimeter.
Add Identity-Aware Proxy TCP API to the list of services protected by your service perimeter.
If you created your service perimeter without adding the projects and services you need, see Managing service perimeters to learn how to update your service perimeter.
Configure your DNS records using Cloud DNS
If your IAP for TCP client, which is likely the Google Cloud CLI, is not running inside any perimeter, then you can skip this step. On the other hand, if you run the client inside a perimeter, you must configure DNS records for IAP for TCP.
IAP for TCP uses domains that are not subdomains of
googleapis.com. Using Cloud DNS, add DNS records to ensure that your
VPC network correctly handles requests sent to those domains. To
learn more about VPC routes, read the
Use the following steps to create a managed zone for a domain, add DNS records to route requests, and execute the transaction. You can use the gcloud CLI with your preferred terminal or use Cloud Shell, which has the gcloud CLI preinstalled.
*.googleapis.comDNS as is typical for VPC Service Controls integrations.
Collect this information to use when configuring your DNS records:
PROJECT_ID is the ID of the project that hosts your VPC network.
NETWORK_NAME is the name of the VPC network in which you are running your IAP for TCP client.
ZONE_NAME is a name for the zone that you are creating. For example,
Create a private managed zone for the domain
tunnel.cloudproxy.appso the VPC network can handle it.
gcloud dns managed-zones create ZONE_NAME \ --visibility=private \ --networks=https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME \ --dns-name=tunnel.cloudproxy.app \ --description="Description of your managed zone"
Start a transaction.
gcloud dns record-sets transaction start --zone=ZONE_NAME
Add the following DNS A record. This reroutes traffic to Google's restricted VIP (virtual IP address).
gcloud dns record-sets transaction add \ --name=tunnel.cloudproxy.app. \ --type=A 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 \ --zone=ZONE_NAME \ --ttl=300
Add the following DNS CNAME record to point to the A record that you just added. This redirects all traffic matching the domain to the IP addresses listed in the previous step.
gcloud dns record-sets transaction add \ --name="*.tunnel.cloudproxy.app." \ --type=CNAME tunnel.cloudproxy.app. \ --zone=ZONE_NAME \ --ttl=300
Execute the transaction.
gcloud dns record-sets transaction execute --zone=ZONE_NAME
Configuring DNS with BIND
Instead of using Cloud DNS, you can use
BIND. In that case,
follow the directions for
configuring DNS with
but use the IAP for TCP domains instead of the general
Using the private VIP
Instead of using the restricted VIP, it might be possible to use the private VIP, depending on how you've configured your perimeter and network. If you prefer to do that, then use
126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11
in place of
18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
in the instructions for configuring your DNS records.
Using a shared VPC
If you're using a shared VPC, you must add the host and the service projects to the service perimeter. See Managing service perimeters.
- See Managing service perimeters to add more resources to your service perimeter.