Cloud IAP - Notes from the field

Cloud IAP Overview

Cloud IAP allows user identities to be verified over HTTPS.

Sample use case: remote workers can bypass the need for a company VPN, which only lets users in from their on-premises networks.

Instead, access is via an internet-accessible URL. Since there isn't the overhead of a traditional VPN, manageability is simplified.

For App Authentication

One can also think of Cloud IAP as a Central Authorization Layer for Applications.

Once an identity has been AUTHENTICATED, it can be granted access to a variety of HTTP/HTTPS applications (authorization).

Once you authenticate with your IAM credentials, Google provides you with a private IP (from a pool of IP addresses). So it is like a VPN tunnel (private IP to private resource access).

You HAVE to whitelist a set of Google IP addresses for IAP to work: configure a firewall rule that blocks direct access to the VMs hosting your application and only allows ingress from the IAP IP address range.
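As an added example (not code from the original notes) of verifying the firewall posture just described: the script below audits rules in the shape produced by `gcloud compute firewall-rules list --format=json` and flags any enabled ingress rule that opens SSH or RDP from a source outside Google's documented IAP TCP forwarding range, 35.235.240.0/20. The sample rules are constructed, and the function names are mine.

```python
"""Flag VPC firewall rules that expose SSH/RDP from anywhere but the IAP range."""
import ipaddress
# Google's documented source range for IAP TCP forwarding.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")
ADMIN_PORTS = {22, 3389}
# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "allow-iap-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-admin-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-23", "3389"]}]},
    {"name": "allow-https", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]

def opens_admin_port(allowed):
    """True if an entry covers tcp/22 or tcp/3389; port specs may be ranges."""
    for entry in allowed:
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port of that protocol
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if any(lo <= p <= hi for p in ADMIN_PORTS):
                return True
    return False

def outside_iap(cidr):
    """True unless the CIDR lies entirely inside the IAP forwarding range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version != IAP_RANGE.version or not net.subnet_of(IAP_RANGE)

def audit(rules):
    """Return names of enabled ingress rules exposing SSH/RDP beyond the IAP range."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        # Tag- or service-account-scoped sources are not evaluated here.
        if opens_admin_port(rule.get("allowed", [])) and any(
                outside_iap(s) for s in rule.get("sourceRanges", [])):
            findings.append(rule["name"])
    return findings
```

Running `audit(SAMPLE_RULES)` reports only `allow-admin-anywhere`; feed it the real export to confirm that nothing but the IAP range can reach the admin ports on your VMs.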