Cloud IAP (Identity Aware Proxy)
Cloud IAP Overview
Cloud IAP (Identity-Aware Proxy) is a Google Cloud service that sits in front of HTTPS applications and TCP-forwarded VM ports. It authenticates each request against a Google identity over HTTPS and checks an IAM policy before anything reaches the backend.
Sample use case: remote workers no longer need the company VPN, which traditionally admits users only by placing them on the corporate network as if they were on-premises.
Instead, access is through an internet-accessible URL, with the identity check done by Google in front of the application. Without a VPN concentrator, client software and split-tunnel rules to maintain, manageability is simplified.
For App Authentication
One can also think of Cloud IAP as a central authorization layer for applications.
Once an identity has been authenticated, it can be granted access to a variety of HTTP/HTTPS applications (authorization) by binding IAM roles such as IAP-secured Web App User (roles/iap.httpsResourceAccessor) on the protected resource, and the same model covers SSH/RDP to VMs through IAP-secured Tunnel User (roles/iap.tunnelResourceAccessor).
IAP does not hand the client a private IP or build a VPN tunnel. For a web application, the user signs in with a Google identity, IAP evaluates the IAM policy, and the request is forwarded to the backend with a signed JWT in the x-goog-iap-jwt-assertion header that the application must verify before trusting the identity. For SSH/RDP, IAP TCP forwarding (for example gcloud compute ssh --tunnel-through-iap) relays the connection from Google's proxy range 35.235.240.0/20 to the VM's private IP, so the VM needs no external address. The VPN-like effect comes from the proxy sitting between the internet and the private resource, not from the client joining the network.
You still have to allow the proxy's addresses in your firewall for IAP to work: create a VPC firewall rule that permits ingress from 35.235.240.0/20 to the forwarded port (22 for SSH, 3389 for RDP) and remove any rule that exposes those ports to 0.0.0.0/0, so the only path to the VM is through IAP. Backends behind the HTTPS load balancer should likewise accept traffic only from the load balancer proxy ranges (130.211.0.0/22 and 35.191.0.0/16) and must still validate the JWT, because a firewall rule alone does not prove that a request passed through IAP.
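The application-side check described above, as an added example that is not code from the original page or from Google: it verifies an x-goog-iap-jwt-assertion value the way IAP expects (ES256 signature with a raw r||s encoding, then iss, aud and exp). Google's real signing keys are published at https://www.gstatic.com/iap/verify/public_key, keyed by the kid in the token header; to run offline this example generates its own P-256 key and mints a sample token with it, which is an assumption standing in for Google's key. The audience string and e-mail address are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IAPIssuer is the iss claim Google puts in every IAP-signed assertion.
const IAPIssuer = "https://cloud.google.com/iap"

// Claims is the subset of the IAP JWT payload an application authorizes on.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewSigningKey makes a P-256 key that stands in for Google's signing key so the
// example runs offline (assumption: a real app never holds the IAP private key).
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignES256 mints a compact JWT the way IAP does: ES256 over header.payload, with
// the signature encoded as raw r||s (32 bytes each), not ASN.1 DER.
func SignES256(key *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url(sig), nil
}

// VerifyIAPAssertion validates an x-goog-iap-jwt-assertion header value: signature
// against the key named by kid, then iss, aud and exp. Only on success may the app
// trust Email/Sub; without this check anyone who can reach the backend directly
// could forge the header.
func VerifyIAPAssertion(token string, keys map[string]*ecdsa.PublicKey, expectedAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "ES256" { // never let the token choose the algorithm
		return c, errors.New("unexpected alg " + hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return c, errors.New("unknown kid " + hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return c, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return c, errors.New("signature invalid")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	switch {
	case c.Iss != IAPIssuer:
		return c, errors.New("wrong issuer " + c.Iss)
	case c.Aud != expectedAud:
		return c, errors.New("wrong audience " + c.Aud)
	case now.Unix() >= c.Exp:
		return c, errors.New("token expired")
	case c.Email == "":
		return c, errors.New("no email claim")
	}
	return c, nil
}

func main() {
	key, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the aud format IAP uses for a backend service.
	aud := "/projects/123456789/global/backendServices/987654321"
	now := time.Now()
	tok, _ := SignES256(key, "demo-kid", Claims{Iss: IAPIssuer, Aud: aud,
		Sub: "accounts.google.com:1", Email: "alice@example.com",
		Iat: now.Unix(), Exp: now.Add(10 * time.Minute).Unix()})
	keys := map[string]*ecdsa.PublicKey{"demo-kid": &key.PublicKey}
	c, err := VerifyIAPAssertion(tok, keys, aud, now)
	fmt.Println("valid token:", c.Email, err)
	_, err = VerifyIAPAssertion(tok, keys, "/projects/1/global/backendServices/2", now)
	fmt.Println("wrong audience:", err)
}
```

The audience check is what stops a token minted for one IAP-protected service from being replayed against another; the expected value for a backend service is /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID, and for App Engine /projects/PROJECT_NUMBER/apps/PROJECT_ID. In production, fetch and cache Google's public keys by kid instead of the locally generated one used here.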