Securing non-Google Cloud applications using the On-Prem Connector
Stay organized with collections
Save and categorize content based on your preferences.
This guide explains how to secure an HTTP or HTTPS based, on-premises app outside of
Google Cloud with
Identity-Aware Proxy (IAP) by deploying an
IAP connector.
The external URL to use as the ingress point for traffic to
Google Cloud. For example, www.hr-domain.com.
An SSL or TLS certificate for the DNS hostname that is used as the ingress
point for traffic to Google Cloud. An existing self-managed or
Google-managed
certificate can be used. If you don't have a certificate, create one using
Let's Encrypt.
If VPC Service Controls is enabled, a VPC network with an
egress policy
on cp action for the VM service account to the gce-mesh bucket, which is in
project 278958399328. This grants the VPC network permission to retrieve the
Envoy binary file from the gce-mesh bucket.
The permission is granted by default, if VPC Service Controls is not enabled.
Disable an external IP by completing the following steps:
Enable Private Google Access on the VPC subnet that is used for the IAP connector by checking the box in the configuration. For additional information, see Private Google Access.
Ensure that the firewall configuration of the VPC network allows access from the VMs to the IP addresses used by the Google APIs and services. This is implicitly allowed by default, but can be changed by the users explicitly. For information about how to find the IP range, see IP addresses for default domains.
Begin setting up your connector deployment for an on-premises app by clicking
On-prem connectors setup.
Ensure that the required APIs are loaded by clicking Enable APIs.
Choose whether the deployment should use a Google-managed certificate or one
managed by you, select the network and subnet for the deployment (or choose
to create a new one), and then click Next.
Enter the details for an on-premises app you want to add:
The external URL of requests coming to Google Cloud. This URL is
where traffic enters the environment.
A name for the app. It will also be used as the name for a new
backend service behind the load
balancer.
The on-prem endpoint type and its details:
Fully qualified domain name (FQDN): The domain where the connector should forward the traffic.
IP address: One or more zones for where the IAP connector should be
deployed (for example, us-central1-a) and, for each, the IPv4 address of
the internal destination for the on-premises app to which
IAP routes traffic after a user has been authorized and
authenticated.
The protocol used by the on-prem endpoint.
The port number used by the on-prem endpoint, such as 443 for HTTPS or 80 for HTTP.
Click Done to save the details for that app. If you want, you can then
define additional on-premises apps for the deployment.
When you're ready, click Submit to begin deployment of the apps you've
defined.
Once the deployment is complete, your on-prem connector apps appear in the
HTTP resources table and IAP can be enabled.
If you choose to let Google auto-generate and manage the certificates, it might
take a few minutes for the certificates to provision. You can check the status
at the Cloud Load Balancing detail page. For more information about the
status, see
troubleshooting page.
Manage a connector for an on-premises app
You can add more apps to your deployment at any time by clicking
On-prem connectors setup.
You can delete the on-premises connector by deleting the entire
deployment:
In the list of deployments, select the checkbox next to the
"on-prem-app-deployment" deployment.
On the top of the page, click Delete
You can delete individual app by clicking the delete button in the
On-prem connectors setup
The on-premises connector must contains at least one app. To remove all app,
please delete the entire deployment.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Securing non-Google Cloud applications using the On-Prem Connector\n\nThis guide explains how to secure an HTTP or HTTPS based, on-premises app outside of\nGoogle Cloud with\n[Identity-Aware Proxy (IAP)](/iap/docs/concepts-overview) by deploying an\nIAP connector.\n\nBefore you begin\n----------------\n\nBefore you begin, you need the following:\n\n- An HTTP or HTTPS based on-premises app.\n- A Cloud Identity member [granted the\n **Owner** role](/iam/docs/granting-changing-revoking-access#grant_access) on your Google Cloud project.\n- Granted the [Google APIs Service Agent](/iam/docs/service-agents#google-apis-service-agent) with owner role.\n- A Google Cloud project with [billing enabled](/billing/docs/how-to/modify-project).\n- The external URL to use as the ingress point for traffic to Google Cloud. For example, `www.hr-domain.com`.\n- An SSL or TLS certificate for the DNS hostname that is used as the ingress point for traffic to Google Cloud. An existing self-managed or [Google-managed](/load-balancing/docs/ssl-certificates#managed-certs) certificate can be used. If you don't have a certificate, create one using [Let's Encrypt](https://letsencrypt.org/).\n- If VPC Service Controls is enabled, a VPC network with an [egress policy](/vpc-service-controls/docs/ingress-egress-rules#egress_rules_reference) on `cp` action for the VM service account to the gce-mesh bucket, which is in project 278958399328. This grants the VPC network permission to retrieve the Envoy binary file from the gce-mesh bucket. The permission is granted by default, if VPC Service Controls is not enabled.\n- Disable an external IP by completing the following steps:\n\n 1. Enable Private Google Access on the VPC subnet that is used for the IAP connector by checking the box in the configuration. For additional information, see [Private Google Access](https://cloud.google.com/vpc/docs/private-google-access).\n 2. Ensure that the firewall configuration of the VPC network allows access from the VMs to the IP addresses used by the Google APIs and services. This is implicitly allowed by default, but can be changed by the users explicitly. For information about how to find the IP range, see [IP addresses for default domains](https://cloud.google.com/vpc/docs/configure-private-google-access#ip-addr-defaults).\n\nDeploy a connector for an on-premises app\n-----------------------------------------\n\n1. Go to the [IAP admin page](https://console.cloud.google.com/security/iap).\n\n [Go to the IAP admin page](https://console.cloud.google.com/security/iap)\n2. Begin setting up your connector deployment for an on-premises app by clicking\n **On-prem connectors setup**.\n\n3. Ensure that the required APIs are loaded by clicking **Enable APIs**.\n\n4. Choose whether the deployment should use a Google-managed certificate or one\n managed by you, select the network and subnet for the deployment (or choose\n to create a new one), and then click **Next**.\n\n5. Enter the details for an on-premises app you want to add:\n\n - The external URL of requests coming to Google Cloud. This URL is where traffic enters the environment.\n - A name for the app. It will also be used as the name for a new [backend service](/load-balancing/docs/backend-service) behind the load balancer.\n - The on-prem endpoint type and its details:\n\n - Fully qualified domain name (FQDN): The domain where the connector should forward the traffic.\n - IP address: One or more zones for where the IAP connector should be deployed (for example, `us-central1-a`) and, for each, the IPv4 address of the internal destination for the on-premises app to which IAP routes traffic after a user has been authorized and authenticated.\n\n | **Note:** If your on-prem endpoint is an IP address, consider using a [hybrid connectivity network endpoint group](https://cloud.google.com/load-balancing/docs/negs/hybrid-neg-concepts#use-case_routing_traffic_to_an_on-premises_location_or_another_cloud) directly with a load balancer instead of using the IAP on-prem connector.\n - The protocol used by the on-prem endpoint.\n\n - The port number used by the on-prem endpoint, such as 443 for HTTPS or 80 for HTTP.\n\n6. Click **Done** to save the details for that app. If you want, you can then\n define additional on-premises apps for the deployment.\n\n7. When you're ready, click **Submit** to begin deployment of the apps you've\n defined.\n\nOnce the deployment is complete, your on-prem connector apps appear in the\n**HTTP resources** table and IAP can be enabled.\n\nIf you choose to let Google auto-generate and manage the certificates, it might\ntake a few minutes for the certificates to provision. You can check the status\nat the Cloud Load Balancing detail page. For more information about the\nstatus, see\n[troubleshooting page](/load-balancing/docs/ssl-certificates/troubleshooting#certificate-managed-status).\n\nManage a connector for an on-premises app\n-----------------------------------------\n\n- You can add more apps to your deployment at any time by clicking **On-prem connectors setup**.\n- You can delete the on-premises connector by deleting the entire\n deployment:\n\n 1. Go to the [Deployment Manager page](https://console.cloud.google.com/dm/deployments).\n\n [Go to the Deployment Manager page](https://console.cloud.google.com/dm/deployments)\n 2. In the list of deployments, select the checkbox next to the\n \"on-prem-app-deployment\" deployment.\n\n 3. On the top of the page, click **Delete**\n\n- You can delete individual app by clicking the delete button in the\n **On-prem connectors setup**\n The on-premises connector must contains at least one app. To remove all app,\n please delete the entire deployment.\n\nNext steps\n----------\n\n- Set richer context rules by [applying access levels](/chrome-enterprise-premium/docs/access-levels).\n- See access requests by [enabling Cloud Audit Logs](/chrome-enterprise-premium/docs/audit-logs).\n- Learn more about [IAP](/iap/docs/concepts-overview)."]]
