Setting up Cloud IAP for Compute Engine

This guide describes how to set up a Compute Engine instance with Cloud Identity-Aware Proxy (Cloud IAP). If you already have your Compute Engine instance set up and only need to enable Cloud IAP, see Enabling Cloud IAP for Compute Engine.

Objectives

In this tutorial, you'll learn about the following:

  • Creating a Compute Engine instance template and managed instance group (MIG).
  • Getting a domain name and certificate.
  • Creating an HTTPS load balancer with a certificate.
  • Enabling Cloud IAP.
  • Testing that Cloud IAP is working.

Costs

This tutorial uses billable components of GCP, including:

  • Compute Engine
    • 4 Virtual Machines (VM)
  • Networking
    • Global Load Balancer Forwarding Rule
    • Ingress Traffic

For an estimate of cost based on projected usage, see this Pricing Calculator.

New Cloud Platform users might be eligible for a free trial.

Before you begin

Before you start this tutorial, you'll need the following:

  1. Select or create a GCP project.
    GO TO THE PROJECTS PAGE

  2. Enable billing for your project. Read about how to Modify a project's billing settings

Step 1: Create a Compute Engine template

In the GCP Console, go to the Compute Engine > Create an instance template page and select the project in which you want to create a template.

GO TO THE CREATE AN INSTANCE TEMPLATE PAGE

Use the default values except for the following:

  • Machine type:
    • micro (f1-micro)
  • Access scopes:
    • Set access for each API
    • Compute Engine: Read Only
  • Firewall:
    • Allow HTTP traffic
  • In the Management section, under Automation > Startup script, copy and paste the following script:
    apt-get -y update
    apt-get -y install git
    apt-get -y install virtualenv
    git clone https://github.com/GoogleCloudPlatform/python-docs-samples
    cd python-docs-samples/iap
    virtualenv venv
    source venv/bin/activate
    pip install -r requirements.txt
    cat example_gce_backend.py |
      sed -e "s/YOUR_BACKEND_SERVICE_ID/$(gcloud compute backend-services describe my-backend-service --global --format="value(id)")/g" |
      sed -e "s/YOUR_PROJECT_ID/$(gcloud config get-value account | tr -cd "[0-9]")/g" > real_backend.py
    gunicorn real_backend:app -b 0.0.0.0:80
    
    When you're finished updating values, click Create to create the template.

Step 2: Create a Managed Instance Group

In the GCP Console, go to the Compute Engine > Create a new instance group page and select the project in which you want to create a template.

GO TO THE CREATE AN INSTANCE GROUP PAGE

Use the default values except for the following:

  • Name: my-managed-instance-group
  • Location: Multi-zone
  • Instance template: Select the instance template you created in Step 1
  • Number of instances: 3
  • Health check: select Create a health check, then enter the following values:
    • Name: my-health-check
    • Protocol: HTTP When you're finished, click Save and continue to use this health check.

When you're finished updating values, click Create to create the Managed Instance Group (MIG).

Step 3: Get a domain name and certificate

To use the Load Balancer with HTTPS traffic, you'll need a domain name and a signed certificate. You can register a domain on Google Domains, or use the domain registrar of your choice. Register your domain before you continue this guide.

Set up your certificate

Let's Encrypt is a free, not-for-profit Certificate Authority (CA). Using their services, you'll create a certificate that identifies your website to your users.

Your CA has to verify that you own the domain name you registered. In the steps below, you'll create a VM to authenticate your domain with the CA.

Create a VM to authenticate your domain ownership

In the GCP Console, go to the Compute Engine > Create an instance page.

GO TO THE CREATE AN INSTANCE PAGE

Use the default values except for the following:

  • Name: certbot-vm
  • Machine type: micro (f1-micro)
  • Access scopes:
    • Set access for each API
    • Compute Engine: Read/Write
  • Boot disk image:
    • Debian GNU/Linux 9 (stretch)
  • Firewall:
    • Allow HTTP traffic
    • Allow HTTPS traffic

When you're finished updating values, click Create to create the VM instance. Note the External IP address of the VM you just created. You'll need it in the next step.

Set up your domain to point to the VM

To set up your domain to point to the VM, follow the steps below to configure A records:

  1. Sign in to your domain's account at your domain host.
  2. Find the page to update your domain's DNS records. This page might be called something like "DNS Management," "Name Server Management," or "Advanced Settings."
  3. Change your A records to the following values:
    • Name/Host/Alias: @
    • Value: the External IP address of the VM you created to authenticate your domain ownership above.
    • TTL: the default for your registrar, or 86400 (one day).
  4. Wait for the DNS record to update. It can take up to one day for the record you added to propagate.

To learn more, see About A records.

Test your server

To test that your server is working correctly, follow the steps below:

  1. In the GCP Console, go to the Compute Engine > VM Instances page.
    GO TO THE VM INSTANCES PAGE

  2. Under Connect for certbot-vm, click SSH.

  3. Run the following commands to run a small web server on your VM:

      mkdir web
      cd web
      echo "Hello" > index.html
      sudo busybox httpd -v -f
    
  4. In a web browser, go to the domain name you registered earlier. Your web browser should display Hello, and your SSH session should display a message that contains ... response:200. If not, wait a few minutes, then repeat this step.

  5. After the test is successful, press Ctrl+C to stop the web server.

Create a certificate

To create a certificate, register with Let's Encrypt by running the following commands on the VM where YOUR_DOMAIN is your domain name, not including protocol:

sudo pkill busybox
sudo apt-get install -y certbot
sudo certbot certonly --standalone -d YOUR-DOMAIN

During this process, Let's Encrypt may request an email address so it can send a reminder when your certificate is going to expire (by default, 3 months after it's issued). You must also agree to the Terms of Service set by Let's Encrypt.

When you're successfully registered, you should see a message that reads Congratulations! Your certificate and chain have been saved at...

Add the certificate to your project

To add the certificate to your project, run the following commands on the VM:

sudo su
cd /etc/letsencrypt/live/YOUR_DOMAIN
gcloud compute ssl-certificates create my-cert --certificate=fullchain.pem --private-key=privkey.pem

After you've successfully created your certificate, you should see a message that's similar to: Created [https://www.googleapis.com/compute/v1/projects/example-project/global/sslCertificates/my-cert]

Before you continue, close the SSH session.

Step 4: Create a load balancer

Before you start this step, make sure you closed the SSH session you started in the previous step. When you're ready, follow the steps below to create a load balancer:

  1. In the GCP Console, go to the Network Services > Create a load balancer page and select the project for which you want to create a load balancer.
    GO TO THE CREATE A LOAD BALANCER PAGE

  2. Under HTTP(S) Load Balancing, click Start configuration.

  3. On the New HTTP(S) load balancer page that appears, enter a Name for your load balancer.
  4. Click Backend configuration, then select Backend services > Create a backend service.
  5. On the Create back-end service panel, in the Name box, enter my-backend-service.
  6. Under New backend, use the default values except for the following:
    • Instance group: my-managed-instance-group
  7. Under Health check, select my-health-check.
  8. When you're finished updating values, click Create. The New HTTP(S) load balancer panel reappears.
  9. Click Host and path rules to load the default values. You don't need to add any rules.
  10. Click Frontend configuration. Use the default values except for the following:
    • Protocol: HTTPS
    • IP address: click Create IP address
      • Enter a Name to associate with your new static IP address.
      • Click Reserve to reserve the static IP address.
    • Certificate: my-cert
  11. When you're finished entering frontend configuration values, click Done. The New HTTP(S) load balancer panel reappears.
  12. Under New HTTP(S) load balancer, click Create. The Load balancing page appears and your new load balancer will be created in the list of load balancers.
  13. After the GCP Console finishes creating the new load balancer, click the name of the load balancer and note the external IP address under Details > Frontend. You will need it in the next step.

Set up your domain to point to the load balancer

To set up your domain to point to the load balancer, configure A records by following the steps below:

  1. Sign in to your domain's account at your domain host.
  2. Find the page to update your domain's DNS records. This page might be called something like "DNS Management," "Name Server Management," or "Advanced Settings."
  3. Change your A records to the following values:
    • Name/Host/Alias: @
    • Value: the external IP address of the load balancer you created above. Don't include the port :443 in your DNS record.
    • TTL: the default for your registrar, or 86400 (one day).
  4. Wait for the DNS record to update. It can take up to a day for the record you just added to propagate.
  5. To test the load balancer, use a web browser to go to your domain with an https:// protocol.
    • If the load balancer isn't set up yet, you'll see "HTTP 502" errors.
    • When the load balancer is ready, you'll see "Unauthorized request."

To learn more, see About A records.

Restart your VMs

To correctly authenticate requests from Cloud IAP, you must restart the VMs in your MIG by following the steps below:

  1. In the GCP Console, go to the Compute Engine > Instance groups page.
    GO TO THE INSTANCE GROUPS PAGE
  2. Click my-managed-instance-group.
  3. On the top of the instance group details that appear, click Rolling Restart/Replace.
  4. On the Restart/replace instances of my-managed-instance-group page that appears, set the following values:
    • Operation: Restart
    • Maximum unavailable: 3 instances out of 3 instances
    • Minimum wait time: 0 s
  5. When you're finished updating values, click Restart.

Step 5: Set up Cloud IAP

Configure your firewall

Next, you'll configure your firewall to block access to the underlying VMs and only allow access through Cloud IAP:

  1. Go to the GCP Console VPC network > Firewall rules.
    GO TO THE FIREWALL RULES PAGE
  2. Select the checkbox next to the following rules:
    • default-allow-http
    • default-allow-https
    • default-allow-internal
  3. Click Delete.
  4. Click Create firewall rule and set the following values:
    • Name: allow-iap-traffic
    • Targets: All instances in the network
    • Source IP ranges (press Enter after you paste each value in the box):
      • 130.211.0.0/22
      • 35.191.0.0/16
    • Protocols and ports:
      • Specified protocols and ports
      • tcp:80
  5. When you're finished updating values, click Create.

Set up Cloud IAP

To set up Cloud IAP for your project, follow the steps below:

  1. In the GCP Console, go to the IAM & admin > Identity-Aware Proxy page and select the project for which you want to enable Cloud IAP.
    GO TO THE IDENTITY-AWARE PROXY PAGE
  2. If you haven't configured your project's OAuth consent screen, you'll be prompted to do so:

    1. Go to the OAuth consent screen.
      Configure consent screen
    2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
    3. Enter the Product name you want to display.
    4. Add any optional details you'd like.
    5. Click Save.

    To change information on the OAuth consent screen later, such as the product name or email address, repeat the steps above to configure the consent screen.

  3. Next to my-backend-service, click Off in the IAP column.

  4. In the Turn on IAP window that appears, enter the domain name you registered, not including www.
  5. Check the box next to "I have read the configuration requirements and configured my GCE resource according to documentation."
  6. Click Turn on.

Add members to the access list

Next, you'll add members to the Cloud IAP access list for your project.

  1. On the IAM & admin > Identity-Aware Proxy right side Access section, click Add.
  2. Enter the members you'd like to give access to, including yourself. Members can be:
    • Google Accounts: user@gmail.com
    • Google Groups: admins@googlegroups.com
    • Service accounts: server@example.gserviceaccount.com
    • G Suite domains: example.com

Step 6: Test Cloud IAP

To test that Cloud IAP is working correctly, follow the steps below:

  1. In your web browser, navigate to your domain.
    1. If you see "Unauthorized request", try again in a few minutes.
  2. When you see a Google sign-in screen, sign in using the Google Account you gave access to in the previous step.
  3. You should see a message like "Hi, user@example.com. I am my-managed-instance-group-29z6."
  4. Try refreshing the page. Your browser should show the names of the 3 machines in your managed instance group. This is the load balancer distributing traffic across the VMs in the group.

Congratulations! You've successfully enabled a load-balanced service using Cloud IAP.

Cleaning up

To avoid incurring charges to your Google Cloud Platform account for the resources used in this tutorial:

After you've finished setting up Cloud IAP for Compute Engine, you can clean up the resources you created on GCP so you won't be billed for them in the future. The following sections describe how to delete or turn off these resources.

Deleting the project

The easiest way to eliminate billing is to delete the project you created for the tutorial.

To delete the project:

  1. In the GCP Console, go to the Projects page.

    Go to the Projects page

  2. In the project list, select the project you want to delete and click Delete project. After selecting the checkbox next to the project name, click
      Delete project
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Deleting instances

To delete a Compute Engine instance:

  1. In the GCP Console, go to the VM Instances page.

    Go to the VM Instances page

  2. Click the checkbox next to the instance you want to delete.
  3. Click the Delete button at the top of the page to delete the instance.

Deleting firewall rules for the default network

To delete a firewall rule:

  1. In the GCP Console, go to the Firewall Rules page.

    Go to the Firewall Rules page

  2. Click the checkbox next to the firewall rule you want to delete.
  3. Click the Delete button at the top of the page to delete the firewall rule.

What's next

  • Try modifying the example app we used in this tutorial to serve other data.
  • Read the Best Practices to understand how to write your own apps and secure them with Cloud IAP.
Was this page helpful? Let us know how we did:

Send feedback about...

Identity-Aware Proxy Documentation