Quickstart: Apply Chrome Enterprise Premium to cloud resources
==============================================================

Last updated 2025-08-29 UTC.

This page walks through the high-level steps of applying Chrome Enterprise Premium to
your Google Cloud and on-premises resources.

For information about how Chrome Enterprise Premium leverages other
Google Cloud offerings, see the
[Chrome Enterprise Premium access protection overview](/chrome-enterprise-premium/docs/overview).

Before you begin
----------------

Before you make your apps and resources context-aware, you'll need to:

1. If you don't already have [Cloud Identity](/identity) user accounts in
   your organization,
   [create a few Cloud Identity accounts](https://support.google.com/cloudidentity/answer/7332836?hl=en).

2. Determine a resource you want to protect. Configure one of the following if
   you don't have a resource.

   - A web app running behind an [HTTPS load balancer](/load-balancing/docs/https/setting-up-https) on Google Cloud. This includes web apps like App Engine apps, apps running on-premises, and apps running in another cloud.
   - A virtual machine on Google Cloud.

3. Determine principals that you want to grant and limit access to.

If you're interested in securing Google Workspace apps, see the
[Google Workspace Chrome Enterprise Premium overview](https://support.google.com/a/answer/9275380?hl=en).

Securing your apps and resources with IAP
-----------------------------------------

Identity-Aware Proxy (IAP) establishes a central identity awareness layer for apps and
resources accessed by HTTPS and TCP. This means you can control access on
each individual app and resource instead of using network-level firewalls.

Secure your Google Cloud app and all its resources by selecting one of the
following guides:

- [App Engine standard and flexible environment](/chrome-enterprise-premium/docs/securing-app-engine)
- [Compute Engine](/chrome-enterprise-premium/docs/securing-compute-engine)
- [Google Kubernetes Engine](/chrome-enterprise-premium/docs/securing-kubernetes-engine)

You can also extend IAP to non-Google Cloud
environments like on-premises as well as other clouds.
To learn more, see the
[Securing on-premises apps](/chrome-enterprise-premium/docs/securing-on-premises)
guide.

For more information, see the [IAP documentation](/iap/docs).

### Virtual machine resources

You can control access to administrative services like SSH and RDP on your
backends by setting tunnel resource permissions and creating tunnels that route
TCP traffic through IAP to virtual machine instances.

To secure a virtual machine, see the
[Securing virtual machines](/chrome-enterprise-premium/docs/securing-virtual-machines)
guide.

Creating an access level with Access Context Manager
----------------------------------------------------

Once you've secured your apps and resources with IAP, it's time
to set richer access policies with
[access levels](/access-context-manager/docs/overview#access-levels).

[Access Context Manager](/access-context-manager/docs/overview) creates
access levels. Access levels can limit access based on the
following attributes:

- [IP subnetworks](/access-context-manager/docs/access-level-attributes#ip-subnetworks)
- [Regions](/access-context-manager/docs/access-level-attributes#regions)
- [Access level dependency](/access-context-manager/docs/access-level-attributes#access-level-dependency)
- [Principals](/access-context-manager/docs/access-level-attributes#members)
- [Device policy](/access-context-manager/docs/access-level-attributes#device-policy) (Note that [Endpoint Verification](/chrome-enterprise-premium/docs/apply-resources#enable-endpoint-verification) must be set up.)

Create an access level by following the
[Creating an access level](/chrome-enterprise-premium/docs/access-levels#creating-an-access-level)
guide.

Applying access levels
----------------------

An access level doesn't take effect until you apply it on an
IAP-secured resource's Identity and Access Management (IAM) policy.
This step is done by adding an
[IAM Condition](/chrome-enterprise-premium/docs/access-protection#applying-cloud-iam-conditions)
on the IAP role used to grant access to your resource.

To apply your access level, see
[applying access levels](/chrome-enterprise-premium/docs/access-levels#applying_an_access_level).

Once you've applied your access level, your resources are secured with
Chrome Enterprise Premium.

Enabling device trust and security with Endpoint Verification
-------------------------------------------------------------

To further strengthen the security of your Chrome Enterprise Premium secured resources,
you can apply device-based trust and security access control attributes with
access levels.
[Endpoint Verification](/chrome-enterprise-premium/docs/access-protection#Gathering-device-information)
enables this control.

Endpoint Verification is a Chrome extension for Windows, Mac, and Chrome OS devices.
[Access Context Manager](/access-context-manager/docs/overview) references the device
attributes gathered by Endpoint Verification to enforce fine-grained access control with
[access levels](/access-context-manager/docs/overview#access-levels).

Follow the [Endpoint Verification quickstart](/endpoint-verification/docs/quickstart)
to set up Endpoint Verification for your organization.

What's next
-----------

- Set up [Cloud Audit Logs](/audit-logs)
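
As a check for the "Applying access levels" step, the following added example (not part of the original page or Google's code) audits an exported IAM policy for IAP access bindings that carry no access-level condition. IAM bindings are additive, so a leftover unconditional binding still lets a member in. The sample policy, `POLICY_ID`, `corp_device` and the member names are constructed placeholders.

```python
import re

# IAP roles that grant access to HTTPS apps and to TCP (SSH/RDP) tunnels.
IAP_ACCESS_ROLES = {
    "roles/iap.httpsResourceAccessor",
    "roles/iap.tunnelResourceAccessor",
}

# Access-level reference as it appears in an IAM Condition expression.
LEVEL_RE = re.compile(
    r'"(accessPolicies/[^"/]+/accessLevels/[^"/]+)"\s+in\s+request\.auth\.access_levels'
)

def access_levels_in(binding):
    """Access levels named in a binding's condition (empty list if none)."""
    expr = binding.get("condition", {}).get("expression", "")
    return LEVEL_RE.findall(expr)

def ungated_grants(policy):
    """(role, member) pairs that reach an IAP resource without any access level.

    One unconditional binding gives a member access even if another binding
    for the same role carries a condition. This is a textual check, not a CEL
    evaluation: review expressions that use negation or || by hand.
    """
    grants = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in IAP_ACCESS_ROLES and not access_levels_in(binding):
            grants.update((binding["role"], m) for m in binding.get("members", []))
    return sorted(grants)

# Constructed sample policy; POLICY_ID, corp_device and the members are placeholders.
SAMPLE_POLICY = {
    "version": 3,  # conditional bindings require IAM policy version 3
    "bindings": [
        {"role": "roles/iap.httpsResourceAccessor",
         "members": ["group:eng@example.com"],
         "condition": {"title": "corp-devices", "expression":
             '"accessPolicies/POLICY_ID/accessLevels/corp_device" in request.auth.access_levels'}},
        {"role": "roles/iap.httpsResourceAccessor",
         "members": ["user:alice@example.com", "group:eng@example.com"]},
        {"role": "roles/iap.tunnelResourceAccessor",
         "members": ["group:sre@example.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
}

if __name__ == "__main__":
    for role, member in ungated_grants(SAMPLE_POLICY):
        print(f"no access level: {member} via {role}")
```

In the sample, `group:eng@example.com` is reported even though it also has a conditional binding, because the second binding grants the same role unconditionally.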