Secure access to SaaS applications

A security gateway enforces the zero trust access framework by using context-aware access controls, thereby offering precise control to your SaaS applications.

How securing access to SaaS applications works

Following is a high level overview of how a security gateway protects your SaaS applications:

1. Client-side browser settings route application traffic through a security gateway proxy.
2. The security gateway checks context-aware access policies to authorize client (user and device) access.
3. If allowed, the gateway forwards traffic to the application using unique source IP addresses assigned to that gateway and Google Cloud region. You can use those dedicated source IP addresses to implement IP allowlisting rules.

Before you begin

Before setting up the security gateway, verify that you have the following:

• A Chrome Enterprise Premium license
• Access to the Google Admin console with administrator permissions
• A Google Cloud project with an assigned billing account and the following APIs enabled:
  • BeyondCorp API
  • (Optional) Access Context Manager API
• The following Identity and Access Management (IAM) role granted to the administrator setting things up: Project level: Cloud BeyondCorp Admin (beyondcorp.admin).
• A SaaS application that you want to protect. The application must support IP allowlisting to enforce security checks by the Google infrastructure.

Set up your shell environment

To streamline the setup process and interact with the security gateway API's, define the following environment variables in your working shell.

• General parameters

  API="beyondcorp.googleapis.com"
  API_VERSION=v1
  PROJECT_ID=MY_PROJECT_ID
  APPLICATION_NAME=MY_APPLICATION_NAME
  HOST_NAME=MY_HOST_NAME
  

  Replace the following:

  • MY_PROJECT_ID: The project ID where the security gateway is created.
  • MY_APPLICATION_NAME: The name of your SaaS application. For example, github. The name can be a maximum of 63 characters, and can contain lowercase letters, numbers, and hyphens. The first character should be a letter, and the last character can be a letter or a number.

  • MY_HOST_NAME: The hostname of your SaaS application. For example, github.com. The hostname can be up to 253 characters long, and must adhere to one of the following formats:

    • A valid IPv4 address
    • A valid IPv6 address
    • A valid DNS name
    • An asterisk (*)
    • An asterisk (*) followed by a valid DNS name

• Security gateway parameters

  SECURITY_GATEWAY_ID=MY_SECURITY_GATEWAY_ID
  SECURITY_GATEWAY_DISPLAY_NAME=MY_SECURITY_GATEWAY_DISPLAY_NAME
  

  Replace the following:

  • MY_SECURITY_GATEWAY_ID: The ID of the security gateway that you want to create. The ID can be a maximum of 63 characters, and can contain lowercase letters, numbers, and hyphens. The first character should be a letter, and the last character can be a letter or a number.
  • MY_SECURITY_GATEWAY_DISPLAY_NAME: The human readable name of the security gateway. The name can be up to 63 characters long and can include any printable characters.

Create a security gateway

A security gateway is a fundamental building block for establishing secure connections to your applications. It allocates a dedicated project and network, providing isolation and security.

To create a security gateway, complete the following steps.

1. Create a file named securityGateway.json using the following example.

   {
      "display_name": "MY_SECURITY_GATEWAY_DISPLAY_NAME",
      "hubs": { "us-central1": {} }
   }
   

   In the example, display_name is the human readable display name of the security gateway, and hubs represents the regional resources required for enabling the egress connectivity to the target application. You can specify the following regions:

   • africa-south1
   • asia-east1
   • asia-south1
   • asia-south2
   • asia-southeast1
   • europe-central2
   • europe-north1
   • europe-southwest1
   • europe-west1
   • europe-west2
   • europe-west3
   • europe-west4
   • europe-west8
   • europe-west9
   • northamerica-northeast1
   • northamerica-northeast2
   • northamerica-south1
   • southamerica-east1
   • southamerica-west1
   • us-central1
   • us-east1
   • us-east4
   • us-east5
   • us-west1

2. Create a security gateway resource by calling the Create API.

   curl \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   -H "Content-Type: application/json" \
   -X POST \
   -d "{ \"name\": \"APPLICATION_NAME\", \"endpoint_matchers\": [{hostname: \"HOST_NAME\"}] }" \
   "https://API/API_VERSION/projects/PROJECT_ID/locations/global/securityGateways/SECURITY_GATEWAY_ID/applications?application_id=APPLICATION_NAME"
   

Configure a SaaS application

After you create a security gateway, you can configure your SaaS applications to use the security gateway for secure access.

1. Get the IP addresses allocated by the security gateway (with hubs).

   curl \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H
   "Content-Type: application/json" \
   "https://API/API_VERSION/projects/PROJECT_ID/locations/global/securityGateways/SECURITY_GATEWAY_ID"
   

   Following is a sample GET response of a security gateway with hubs. In the example, the hubs are created in the us-central1 and us-east1 regions and all of the IP addresses returned in the response should be allowed in the SaaS application.

   {
    "securityGateways": [
      {
        "name": "projects/PROJECT_ID/locations/global/securityGateways/SECURITY_GATEWAY_ID",
        "createTime": "CREATE_TIME",
        "updateTime": "UPDATE_TIME",
        "displayName": "My security gateway",
        "state": "RUNNING",
        "hubs": {
          "us-central1": {
            "internetGateway": {
              "assignedIps": [
                "IP_ADDRESS_1",
                "IP_ADDRESS_2",
                "IP_ADDRESS_3",
                "IP_ADDRESS_4",
                "IP_ADDRESS_5"
              ]
            }
          },
          "us-east1": {
            "internetGateway": {
              "assignedIps": [
                "IP_ADDRESS_1",
                "IP_ADDRESS_2",
                "IP_ADDRESS_3",
                "IP_ADDRESS_4",
                "IP_ADDRESS_5"
              ]
            }
          }
        }
      }
    ]
   }
   

2. Add the IP addresses to the IP allowlist of your SaaS application. For example, for a GitHub application, you can follow this guide: Managing allowed IP addresses for your organization.

Create an application resource

The following information guides you through the process of setting up and configuring a security gateway application resource.

Create a security gateway application resource in Google Cloud

The Google Cloud application resource is a sub-resource of the security gateway resource. Create an application resource by calling the Create API.

curl \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-X POST \
-d "{ \"name\": \"APPLICATION_NAME\", \"endpoint_matchers\": [{hostname: \"HOST_NAME\"}] }" \
"https://API/API_VERSION/projects/PROJECT_ID/locations/global/securityGateways/SECURITY_GATEWAY_ID/applications?application_id=APPLICATION_NAME"

Configure Google Chrome proxy mode

To route traffic for the application resource through the security gateway, configure Chrome by applying a PAC file in the Chrome settings in the Google Admin console.

Update or create a PAC file

1. If you have a Proxy Automatic Configuration (PAC) file, add the domains of the application to sites, as shown in the following code block, and then save the file as a .js file.

   If you don't have a PAC file, create a pac_config.js file using the following example.

   function FindProxyForURL(url, host) {
    const PROXY = "HTTPS ingress.cloudproxy.app:443";
    const sites = ["HOST_NAME"]; // add URLs to match all of your CAG app domains
   
    or (const site of sites) {
      if (shExpMatch(url, 'https://' + site + '/*') || shExpMatch(url, '*.' + site + '/*')) {
        return PROXY;
      }
    }
   return 'DIRECT';
   }
   

2. Upload the file so that it is publicly downloadable. For example, you can upload the file to Cloud Storage, and make the file publicly downloadable by granting all users the Storage Object User role on the bucket.

3. To verify that the uploaded file is always the latest version, you can adjust its caching behavior by setting the Cache-Control header to no-cache. This setting prevents browsers and intermediate servers from storing a copy of the file, so that Chrome always downloads the most recent version.

   For more information about Cache-Control and how it affects browser caching, see Cache-Control header.

4. Copy the public URL of the uploaded file.

Update the proxy mode settings

1. Go to the Google Admin console.
2. Click Devices -> Chrome -> Settings.
3. Select an organization unit or group, and then click Proxy mode.
4. In the Proxy mode page, select Always use the proxy auto-config specified below and enter the URL of the PAC file from Cloud Storage.

Configure an access policy

To apply an access policy, you have the two following options:

• Security gateway resource: Apply a policy at the security gateway level to control access to all associated applications.
• Individual application: For more granular control, you can apply an access policy to an individual application.

The following steps demonstrate how to apply a policy at an application level.

1. Create a JSON format file named setIamPolicy.json and add the following.

   {
    "policy": {
      object (POLICY)
    }
   }
   

   Replace POLICY with an IAM allow policy. The etag in the policy should be the same as the etag in the active policy, which you can get by calling the getIamPolicy method.

2. To allow a specific group to use the security gateway, grant the roles/beyondcorp.securityGatewayUser role to the group.

   {
    "policy": {
      "version": 3,
      "bindings": [
        {
          "role": "roles/beyondcorp.securityGatewayUser",
          "members": [
                  "group:"
          ]
        }
      ],
      "etag": "AA1jlb"
    }
   }
   

   See IAM principal for more identifiers, such as serviceAccount, user, group, principal, and principalSet, in policy bindings.

3. Enforce the access policy on the security gateway specified in the JSON file by calling the setIamPolicy API.

   curl \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   -H "Content-Type: application/json" \
   -X POST \
   -d @setIamPolicy.json \
   "https://API/API_VERSION/projects/PROJECT_ID/locations/global/securityGateways/SECURITY_GATEWAY_ID/applications/APPLICATION_NAME:setIamPolicy"
   

You can also set access policies with access levels as a condition, as shown in the following example.

{
  "policy": {
    "version": 3,
    "bindings": [
      {
        "role": "roles/beyondcorp.securityGatewayUser",
        "members": [
                "group:"
        ],
        "condition": {
                "expression": "'accessPolicies/1234567890/accessLevels/in_us' in request.auth.access_levels",
                "title": "Source IP must be in US"
        }
      }
    ],
    "etag": "A1jlb"
  }
}'

Install the Chrome Enterprise Premium extension

The Chrome Enterprise Premium extension is an integral part of security gateway and helps with authentication. Install the extension for all of the users of the security gateway.

1. Go to the Google Admin console.
2. Click Chrome browser -> Apps & Extensions.
3. Click the Users & browsers tab.
4. To add a Chrome extension, click the + button.
5. Search for ekajlcmdfcigmdbphhifahdfjbkciflj, and then force install to all users in the organization unit or group.

6. Click the installed extension, and then go to the Policy for extensions field and provide the following JSON value:

   {
    "securityGateway": {
      "Value": {
        "authentication": {},
        "context": { "resource": "projects/PROJECT_ID/locations/global/securityGateways/SECURITY_GATEWAY_ID" }
      }
    }
   }
   

End user experience

When the setup is complete, end users accessing the protected SaaS application are granted or denied access based on the access policy applied to the application.

Accessing the application in Chrome

The Chrome Enterprise Premium extension is required to direct traffic through the security gateway. The extension is automatically installed through the domain policy.

When users access the SaaS application that you configured, their traffic goes through the security gateway, which checks if they satisfy the access policy. If the users pass the access policy checks, they are granted access to the application.

When browser access to the application is rejected by the authorization policy, users receive an Access denied message.

What's next

• Manage a security gateway

• Troubleshoot security gateway issues