Securing IAP for TCP forwarding with VPC Service Controls

This page describes how to use VPC Service Controls to protect IAP for TCP forwarding, and how to use IAP for TCP forwarding within a VPC Service Controls perimeter.

Before you begin

  1. Read the Overview of VPC Service Controls.

  2. Set up usage of IAP TCP forwarding without a service perimeter.

  3. Create a service perimeter using VPC Service Controls. This service perimeter protects the Google-managed resources of services that you specify. When you create your service perimeter, do the following:

    1. Add the project that contains the Compute Engine instance you want to connect to with IAP to the projects within your service perimeter. If you are running an IAP for TCP client on a Compute Engine instance, also put the project containing this instance into the perimeter.

    2. Add Identity-Aware Proxy TCP API to the list of services protected by your service perimeter.

    If you created your service perimeter without adding the projects and services you need, see Managing service perimeters to learn how to update your service perimeter.

Configure your DNS records using Cloud DNS

If your IAP for TCP client, which is likely the Google Cloud CLI, is not running inside any perimeter, then you can skip this step. On the other hand, if you run the client inside a perimeter, you must configure DNS records for IAP for TCP.

IAP for TCP uses domains that are not subdomains of Using Cloud DNS, add DNS records to ensure that your VPC network correctly handles requests sent to those domains. To learn more about VPC routes, read the Routes overview.

Use the following steps to create a managed zone for a domain, add DNS records to route requests, and execute the transaction. You can use the gcloud CLI with your preferred terminal or use Cloud Shell, which has the gcloud CLI preinstalled.

  1. Configure the * DNS as is typical for VPC Service Controls integrations.

  2. Collect this information to use when configuring your DNS records:

    • PROJECT_ID is the ID of the project that hosts your VPC network.

    • NETWORK_NAME is the name of the VPC network in which you are running your IAP for TCP client.

    • ZONE_NAME is a name for the zone that you are creating. For example, iap-tcp-zone.

  3. Create a private managed zone for the domain so the VPC network can handle it.

    gcloud dns managed-zones create ZONE_NAME \
     --visibility=private \
     --networks= \ \
     --description="Description of your managed zone"
  4. Start a transaction.

    gcloud dns record-sets transaction start --zone=ZONE_NAME
  5. Add the following DNS A record. This reroutes traffic to Google's restricted VIP (virtual IP address).

    gcloud dns record-sets transaction add \ \
     --type=A \
     --zone=ZONE_NAME \
  6. Add the following DNS CNAME record to point to the A record that you just added. This redirects all traffic matching the domain to the IP addresses listed in the previous step.

    gcloud dns record-sets transaction add \
     --name="*" \
     --type=CNAME \
     --zone=ZONE_NAME \
  7. Execute the transaction.

    gcloud dns record-sets transaction execute --zone=ZONE_NAME

Configuring DNS with BIND

Instead of using Cloud DNS, you can use BIND. In that case, follow the directions for configuring DNS with BIND, but use the IAP for TCP domains instead of the general domains.

Using the private VIP

Instead of using the restricted VIP, it might be possible to use the private VIP, depending on how you've configured your perimeter and network. If you prefer to do that, then use

in place of

in the instructions for configuring your DNS records.

Using a shared VPC

If you're using a shared VPC, you must add the host and the service projects to the service perimeter. See Managing service perimeters.

What's next