Identity-Aware Proxy documentation
Identity-Aware Proxy (IAP) is a cloud-native alternative to
traditional VPNs that manages access to applications running in
Cloud Run, App Engine, Compute Engine, and
GKE.
IAP verifies identity and enforces authorization at the
application level, eliminating broad network access and perimeter-based
security. Every request is evaluated in real time, ensuring only authenticated,
authorized users can reach protected resources.
You can configure context-aware access policies using user identity, group
membership, device security, and contextual signals like location or IP address.
Unlike VPNs, IAP requires no client software or network tunneling.
Users access applications directly through Chrome, while IT teams centrally
define and enforce access policies in one place.
Training and tutorials
Security in Google Cloud
Learn about Google Cloud security controls and techniques. Explore
Google Cloud components and deploy a secure solution. Learn to mitigate
attacks at several points in a Google Cloud infrastructure, including
distributed denial-of-service attacks, phishing attacks, and threats
involving content classification and use.
Use cases
Employee access through browsers
Users log in through a browser to access internal apps like HR portals
and dashboards. Access is tied to identity, role, and device security, ensuring
least-privilege access without network-wide exposure.
Controlled vendor and contractor access
Give external partners access to specific apps without putting them on
your network. Set time-limited permissions that you can revoke instantly with
no firewall changes required.
Admin access without open network ports
IAP secures SSH and RDP access to cloud VMs without exposing public IPs.
Eliminate jump hosts, static SSH keys, and long-lived credentials with secure,
identity-based access.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-29 UTC.