This page explains how to secure a Compute Engine instance with Identity-Aware Proxy (IAP).
To secure resources not on Google Cloud, see Securing on-premises apps and resources.
Before you begin
To enable IAP for Compute Engine, you need the following:
- A Google Cloud console project with billing enabled.
- A group of one or more Compute Engine instances, served by a load balancer.
  - Learn about Setting up an external HTTPS load balancer.
  - Learn about setting up an internal HTTP load balancer.
- A domain name registered to the address of your load balancer.
- Application code to verify that all requests have an identity.
  - Learn about Getting the user's identity.
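As an added example (not code from this page or from Google), this is the identity check an application behind an IAP-protected backend service can perform on the `x-goog-iap-jwt-assertion` header that IAP attaches to each proxied request: it verifies the ES256 signature against IAP's published signing keys, then pins the issuer, the backend-service audience and the expiry, using only the Go standard library. The header name, issuer value and audience format are taken from IAP's "Getting the user's identity" documentation rather than from this page, and the JWK set is assumed to have been fetched and cached out of band and indexed by `kid` by the caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
// JWK is one IAP signing key, indexed by kid by the caller after fetching IAP's published JWK set (assumed); X and Y are base64url P-256 coordinates.
type JWK struct{ X, Y string }
func b64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }
// VerifyIAPJWT checks an x-goog-iap-jwt-assertion value: ES256 signature under the key named by the header kid, then issuer, audience and expiry (now in Unix seconds).
func VerifyIAPJWT(token, wantAud string, keys map[string]JWK, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdrRaw, err := b64(parts[0])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" {
		return "", errors.New("bad header or unexpected alg") // alg is pinned, never trusted from the token
	}
	key, ok := keys[hdr.Kid]
	x, ex := b64(key.X)
	y, ey := b64(key.Y)
	sig, es := b64(parts[2]) // JWS ES256 signature is raw r||s, 32 bytes each
	if !ok || ex != nil || ey != nil || es != nil || len(sig) != 64 {
		return "", errors.New("unknown kid or bad encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature invalid")
	}
	var c struct{ Iss, Aud, Email string; Exp int64 }
	body, err := b64(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return "", errors.New("bad payload")
	}
	// aud ties the token to one backend service, so a token minted for another IAP-protected service is rejected rather than replayed.
	if c.Iss != "https://cloud.google.com/iap" || c.Aud != wantAud || now >= c.Exp {
		return "", errors.New("issuer, audience or expiry check failed")
	}
	return c.Email, nil
}
```

The audience to pass for a backend service has the form `/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID`; the same check with a different audience format applies when IAP is enabled on a forwarding rule, so the verifier must be given the value that matches where IAP was enabled.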
If you don't have your Compute Engine instance set up already, see Setting up IAP for Compute Engine for a complete walkthrough.
IAP uses a Google-managed OAuth client to authenticate users. Only users within the organization can access the IAP-enabled application. If you want to allow access to users outside of your organization, see Enable IAP for external applications.
You can enable IAP on a Compute Engine backend service or on a Compute Engine forwarding rule. When you enable IAP on a Compute Engine backend service, only that backend service is protected by IAP. When you enable IAP on a Compute Engine forwarding rule, all of the Compute Engine instances behind the forwarding rule are protected by IAP.
Enable IAP on a forwarding rule
You can enable IAP on a forwarding rule by using the load balancer authorization policies framework.
After you enable IAP on a forwarding rule, you can apply permissions to resources.
Enable IAP on a Compute Engine backend service
You can enable IAP on a Compute Engine backend service through that backend service, using the Google Cloud console, the gcloud CLI, or the API.
Console
The Google-managed OAuth client is not available when enabling IAP using the Google Cloud console.
Next steps
- Set richer context rules by applying access levels.
- See access requests by enabling Cloud Audit Logs.
- Learn more about IAP.