Setting up IAP for Compute Engine


This guide describes how to set up a Compute Engine instance with Identity-Aware Proxy (IAP). If you already have your Compute Engine instance set up and only need to enable IAP, see Enabling IAP for Compute Engine.

Objectives

In this tutorial, you'll learn about the following:

  • Creating a Compute Engine instance template and managed instance group (MIG).
  • Getting a domain name and certificate.
  • Creating an HTTPS load balancer with a certificate.
  • Enabling IAP.
  • Testing that IAP is working.

Costs

This tutorial uses billable components of Google Cloud, including:

  • Compute Engine
    • 4 Virtual Machines (VM)
  • Networking
    • Global Load Balancer Forwarding Rule
    • Ingress Traffic

For an estimate of cost based on projected usage, see this Pricing Calculator.

New Cloud Platform users might be eligible for a free trial.

Before you begin

Before you start this tutorial, you'll need the following:

  1. Select or create a Google Cloud project.
    GO TO THE PROJECTS PAGE

  2. Enable billing for your project. Read about how to Modify a project's billing settings

Step 1: Create a Compute Engine template

In the Google Cloud console, go to the Compute Engine > Create an instance template page and select the project in which you want to create a template.

GO TO THE CREATE AN INSTANCE TEMPLATE PAGE

Use the default values except for the following:

  • Machine type:
    • micro (f1-micro)
  • Access scopes:
    • Set access for each API
    • Compute Engine: Read Only
  • Firewall:
    • Allow HTTP traffic
  • In the Management section, under Automation > Startup script, copy and paste the following script:
    # Copyright 2021 Google LLC
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #      http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    
    apt-get -y update
    apt-get -y install git
    apt-get -y install virtualenv
    git clone https://github.com/GoogleCloudPlatform/python-docs-samples
    cd python-docs-samples/iap
    virtualenv venv -p python3
    source venv/bin/activate
    pip install -r requirements.txt
    cat example_gce_backend.py |
      sed -e "s/YOUR_BACKEND_SERVICE_ID/$(gcloud compute backend-services describe my-backend-service --global --format="value(id)")/g" |
      sed -e "s/YOUR_PROJECT_ID/$(gcloud config get-value account | tr -cd "[0-9]")/g" > real_backend.py
    gunicorn real_backend:app -b 0.0.0.0:80
    

When you're finished updating values, click Create to create the template.

Step 2: Create a Managed Instance Group

In the Google Cloud console, go to the Compute Engine > Create a new instance group page and select the project in which you want to create a Managed Instance Group.

GO TO THE CREATE AN INSTANCE GROUP PAGE

Use the default values except for the following:

  • Name: my-managed-instance-group
  • Location: Multi-zone
  • Instance template: Select the instance template you created in Step 1
  • Number of instances: To change the number of instances, you must first turn off autoscaling.
  • Autoscaling mode: Don't autoscale
  • Health check: select Create a health check, then enter the following values:

    • Name: my-health-check
    • Protocol: HTTP

    Use your new health check by clicking Save and continue.

When you're finished updating values, click Create to create the Managed Instance Group (MIG).

Step 3: Get a domain name and certificate

To use the Load Balancer with HTTPS traffic, you'll need a domain name and a signed certificate. You can register a domain on Google Domains, or use the domain registrar of your choice. Register your domain before you continue this guide.

Set up your certificate

Create a certificate that identifies your website to your users. For information about how to create a certificate, see Using Google-managed SSL certificates.

Your CA has to verify that you own the domain name you registered. In the steps below, you'll create a VM to authenticate your domain with the CA.

Create a VM to authenticate your domain ownership

In the Google Cloud console, go to the Compute Engine > Create an instance page.

GO TO THE CREATE AN INSTANCE PAGE

Use the default values except for the following:

  • Name: certbot-vm
  • Machine type: micro (f1-micro)
  • Access scopes:
    • Set access for each API
    • Compute Engine: Read/Write
  • Boot disk image:
    • Debian GNU/Linux 9 (stretch)
  • Firewall:
    • Allow HTTP traffic
    • Allow HTTPS traffic

When you're finished updating values, click Create to create the VM instance. Note the External IP address of the VM you just created. You'll need it in the next step.

Set up your domain to point to the VM

To set up your domain to point to the VM, follow the steps below to configure A records:

  1. Sign in to your domain's account at your domain host.
  2. Find the page to update your domain's DNS records. This page might be called something like "DNS Management," "Name Server Management," or "Advanced Settings."
  3. Change your A records to the following values:
    • Name/Host/Alias: @
    • Value: the External IP address of the VM you created to authenticate your domain ownership above.
    • TTL: the default for your registrar, or 86400 (one day).
  4. Wait for the DNS record to update. It can take up to one day for the record you added to propagate.

To learn more, see About A records.

Test your server

To test that your server is working correctly, follow the steps below:

  1. In the Google Cloud console, go to the Compute Engine > VM Instances page.
    GO TO THE VM INSTANCES PAGE

  2. Under Connect for certbot-vm, click SSH.

  3. Run the following commands to run a small web server on your VM:

      mkdir web
      cd web
      echo "Hello" > index.html
      sudo busybox httpd -v -f
    
  4. In a web browser, go to the domain name you registered earlier. Your web browser should display Hello, and your SSH session should display a message that contains ... response:200. If not, wait a few minutes, then repeat this step.

  5. After the test is successful, press Ctrl+C to stop the web server.

Create a certificate

To create a certificate, register with Let's Encrypt by running the following commands on the VM where YOUR_DOMAIN is your domain name, not including protocol:

sudo pkill busybox
sudo apt-get install -y certbot
sudo certbot certonly --standalone -d YOUR-DOMAIN

During this process, Let's Encrypt may request an email address so it can send a reminder when your certificate is going to expire (by default, 3 months after it's issued). You must also agree to the Terms of Service set by Let's Encrypt.

When you're successfully registered, you should see a message that reads Congratulations! Your certificate and chain have been saved at...

Add the certificate to your project

To add the certificate to your project, run the following commands on the VM:

sudo su
cd /etc/letsencrypt/live/YOUR_DOMAIN
gcloud compute ssl-certificates create my-cert --certificate=fullchain.pem --private-key=privkey.pem

After you've successfully created your certificate, you should see a message that's similar to: Created [https://www.googleapis.com/compute/v1/projects/example-project/global/sslCertificates/my-cert]

Before you continue, close the SSH session.

Step 4: Create a load balancer

Before you start this step, make sure you closed the SSH session you started in the previous step. When you're ready, follow the steps below to create a load balancer:

  1. In the Google Cloud console, go to the Network Services > Create a load balancer page and select the project for which you want to create a load balancer.
    GO TO THE CREATE A LOAD BALANCER PAGE

  2. Under HTTP(S) Load Balancing, click Start configuration.

  3. Select From Internet to my VMs.

  4. On the New external Application Load Balancer page that appears, enter a Name for your load balancer.

  5. Click Backend configuration, then select Backend services > Create a backend service.

  6. On the Create back-end service panel, in the Name box, enter my-backend-service.

  7. Under New backend, use the default values except for the following:

    • Instance group: my-managed-instance-group
  8. Under Health check, select my-health-check.

  9. When you're finished updating values, click Create. The New HTTP(S) load balancer panel reappears.

  10. Click Host and path rules to load the default values. You don't need to add any rules.

  11. Click Frontend configuration. Use the default values except for the following:

    • Protocol: HTTPS
    • IP address: click Create IP address
      • Enter a Name to associate with your new static IP address.
      • Click Reserve to reserve the static IP address.
    • Certificate: my-cert
  12. When you're finished entering frontend configuration values, click Done.

  13. Click Create. The Load balancing page appears and your new load balancer will be created in the list of load balancers.

  14. After the Google Cloud console finishes creating the new load balancer, click the name of the load balancer and note the external IP address under Details > Frontend. You will need it in the next step.

Set up your domain to point to the load balancer

To set up your domain to point to the load balancer, configure A records by following the steps below:

  1. Sign in to your domain's account at your domain host.
  2. Find the page to update your domain's DNS records. This page might be called something like "DNS Management," "Name Server Management," or "Advanced Settings."
  3. Change your A records to the following values:
    • Name/Host/Alias: @
    • Value: the external IP address of the load balancer you created above. Don't include the port :443 in your DNS record.
    • TTL: the default for your registrar, or 86400 (one day).
  4. Wait for the DNS record to update. It can take up to a day for the record you just added to propagate.
  5. To test the load balancer, use a web browser to go to your domain with an https:// protocol.
    • If the load balancer isn't set up yet, you'll see "HTTP 502" errors.
    • When the load balancer is ready, you'll see "Unauthorized request."

To learn more, see About A records.

Restart your VMs

To correctly authenticate requests from IAP, you must restart the VMs in your MIG by following the steps below:

  1. In the Google Cloud console, go to the Compute Engine > Instance groups page.
    GO TO THE INSTANCE GROUPS PAGE
  2. Click my-managed-instance-group.
  3. On the top of the instance group details that appear, click Rolling Restart/Replace.
  4. On the Restart/replace instances of my-managed-instance-group page that appears, set the following values:
    • Operation: Restart
    • Maximum unavailable: 3 instances out of 3 instances
    • Minimum wait time: 0 s
  5. When you're finished updating values, click Restart.

Step 5: Set up IAP

Configure your firewall

Next, you'll configure your firewall to block access to the underlying VMs and only allow access through IAP:

  1. Go to the Google Cloud console VPC network > Firewall rules.
    GO TO THE FIREWALL RULES PAGE
  2. Select the checkbox next to the following rules:
    • default-allow-http
    • default-allow-https
    • default-allow-internal
  3. Click Delete.
  4. Click Create firewall rule and set the following values:
    • Name: allow-iap-traffic
    • Targets: All instances in the network
    • Source IP ranges (press Enter after you paste each value in the box). The IP ranges are allowlisted because it is a prerequisite for load balancer communication to backends.
      • 130.211.0.0/22
      • 35.191.0.0/16
    • Protocols and ports:
      • Specified protocols and ports
      • tcp:80
  5. When you're finished updating values, click Create.

Set up IAP

To set up IAP for your project, follow the steps below:

  1. In the Google Cloud console, go to the Security > Identity-Aware Proxy page and select the project for which you want to enable IAP.
    GO TO THE IDENTITY-AWARE PROXY PAGE
  2. If you haven't configured your project's OAuth consent screen, you'll be prompted to do so:

    1. Go to the OAuth consent screen.
      Configure consent screen
    2. Under Support email, select the email address you want to display as a public contact. The email address must belong to the currently logged in user account or to a Google Group for which the currently logged in user is a manager or owner.
    3. Enter the Application name you want to display.
    4. Add any optional details you'd like.
    5. Click Save.

    To change information on the OAuth consent screen later, such as the product name or email address, repeat the preceding steps to configure the consent screen.

  3. Next to my-backend-service,

  4. In the Turn on IAP window that appears, select the checkbox next to "I have read the configuration requirements and configured my Compute Engine resource according to documentation."

  5. Click Turn on.

Add principals to the access list

Next, you'll add principals to the IAP access list for your project.

  1. On the IAM & admin > Identity-Aware Proxy right side Access section, click Add.
  2. Enter the principals you'd like to give access to, including yourself, and assign the principals the IAP-secured Web App User role. Principals can be:
    • Google Accounts: user@gmail.com
    • Google Groups: admins@googlegroups.com
    • Service accounts: server@example.gserviceaccount.com
    • Google Workspace domains: example.com

Step 6: Test IAP

To test that IAP is working correctly, follow the steps below:

  1. In your web browser, navigate to your domain.
    1. If you see "Unauthorized request", try again in a few minutes.
  2. When you see a Google sign-in screen, sign in using the Google Account you gave access to in the previous step.
  3. You should see a message like "Hi, user@example.com. I am my-managed-instance-group-29z6."
  4. Try refreshing the page. Your browser should show the names of the 3 machines in your managed instance group. This is the load balancer distributing traffic across the VMs in the group.

Congratulations! You've successfully enabled a load-balanced service using IAP.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

After you've finished setting up IAP for Compute Engine, you can clean up the resources you created on Google Cloud so you won't be billed for them in the future. The following sections describe how to delete or turn off these resources.

Deleting the project

The easiest way to eliminate billing is to delete the project that you created for the tutorial.

To delete the project:

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Deleting instances

To delete a Compute Engine instance:

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Select the checkbox for the instance that you want to delete.
  3. To delete the instance, click More actions, click Delete, and then follow the instructions.

Deleting firewall rules for the default network

To delete a firewall rule:

  1. In the Google Cloud console, go to the Firewall page.

    Go to Firewall

  2. Select the checkbox for the firewall rule that you want to delete.
  3. To delete the firewall rule, click Delete.

What's next

  • Try modifying the example app we used in this tutorial to serve other data.
  • Read the Best Practices to understand how to write your own apps and secure them with IAP.