GCP IAP - Identity-Aware Proxy

IAP combines Identity and Access Management (IAM) with network-level controls to give granular, per-user access to applications: it sits in front of the app, authenticates every request against a Google identity, and only forwards requests from principals that hold the required IAM role on that resource.

In the Cloud Console, IAP lives under Security > Identity-Aware Proxy (it is not a toggle inside the IAM page itself). The IAP page automatically lists the App Engine apps in the project (and any HTTPS load balancer backend services), so you pick the resource to protect from that list rather than typing it in.

Once IAP is enabled for the app, use 'Add Members' (now 'Add Principal') to grant the IAP-secured Web App User role (roles/iap.httpsResourceAccessor). That's it: any principal holding that role signs in with their Google identity and reaches the App Engine app WITHOUT the app having a native login of its own. Principals without the role get an IAP error page and never reach the app.

  • Enabling and disabling IAP on the app turns the access restriction on and off without touching the app's code.
  • IAP passes the authenticated identity to the app in request headers: X-Goog-Authenticated-User-Email and X-Goog-Authenticated-User-ID (both prefixed with accounts.google.com:) plus a signed JWT in X-Goog-IAP-JWT-Assertion. The app should verify the JWT's signature, issuer (https://cloud.google.com/iap) and audience before trusting the identity; the plain headers are only safe if nothing can reach the app except through IAP (a Compute Engine or GKE backend that is also reachable directly, bypassing the load balancer, would let a client set those headers itself).
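Validating that identity inside the app, as an added example that is not from the page and not Google's code: it checks the signed assertion's algorithm, signature, issuer, audience and lifetime, then cross-checks the plain email header against the signed claim. The project number and ID in the audience, the timestamps and the token itself are constructed for the demo; signature verification is a hash-based stand-in for ES256 so the example runs offline, with the google-auth call to use in production noted in a comment.

```python
import base64
import hashlib
import json
import time
from typing import Callable, Mapping, Optional

IAP_ISSUER = "https://cloud.google.com/iap"
IAP_JWKS_URL = "https://www.gstatic.com/iap/verify/public_key-jwk"  # real key set; not fetched here
IDENTITY_PREFIX = "accounts.google.com:"  # prefix IAP puts on X-Goog-Authenticated-User-Email
CLOCK_SKEW_SECONDS = 30
# Contract for the signature check: (jwt_header, signing_input, signature) -> bool
SignatureVerifier = Callable[[Mapping[str, object], bytes, bytes], bool]

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _strip_identity_prefix(value: str) -> str:
    return value[len(IDENTITY_PREFIX):] if value.startswith(IDENTITY_PREFIX) else value

def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    return {k.lower(): v for k, v in headers.items()}.get(name.lower())  # names are case-insensitive

def validate_iap_identity(headers: Mapping[str, str], expected_audience: str,
                          verify_signature: SignatureVerifier, now: Optional[float] = None) -> str:
    """Return the email IAP asserted for this request, or raise ValueError; only the signed assertion proves the request came through IAP."""
    assertion = _header(headers, "X-Goog-IAP-JWT-Assertion")
    if not assertion:
        raise ValueError("no X-Goog-IAP-JWT-Assertion: request did not come through IAP")
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    try:
        jwt_header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # base64 and JSON errors are both ValueError subclasses
        raise ValueError(f"undecodable JWT: {exc}")
    if jwt_header.get("alg") != "ES256":  # IAP signs with ES256; never accept "none" or a swap
        raise ValueError(f"unexpected alg {jwt_header.get('alg')!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    if not verify_signature(jwt_header, signing_input, b64url_decode(parts[2])):
        raise ValueError("JWT signature did not verify")
    if claims.get("iss") != IAP_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    # aud binds the token to one app or backend service: a token IAP minted for another
    # protected backend in the same project must be rejected here.
    if claims.get("aud") != expected_audience:
        raise ValueError(f"audience {claims.get('aud')!r} is not this app")
    now = time.time() if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW_SECONDS:
        raise ValueError("JWT expired or has no exp")
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_SKEW_SECONDS:
        raise ValueError("JWT issued in the future or has no iat")
    email = claims.get("email")
    if not isinstance(email, str) or not email:
        raise ValueError("JWT carries no email claim")
    plain = _header(headers, "X-Goog-Authenticated-User-Email")  # if present it must agree
    if plain is not None and _strip_identity_prefix(plain) != _strip_identity_prefix(email):
        raise ValueError("X-Goog-Authenticated-User-Email disagrees with the signed assertion")
    return _strip_identity_prefix(email)

# ---- Constructed demonstration material: not a real IAP token, key or project ----
def demo_signature_verifier(jwt_header, signing_input: bytes, signature: bytes) -> bool:
    # Stand-in for ES256 verification with the key named by jwt_header["kid"] in IAP_JWKS_URL.
    # Production: google.oauth2.id_token.verify_token(assertion, Request(), audience=...,
    #             certs_url="https://www.gstatic.com/iap/verify/public_key")
    return signature == hashlib.sha256(signing_input).digest()

def make_demo_assertion(claims: dict) -> str:
    """Token in IAP's shape, 'signed' the way demo_signature_verifier expects."""
    header = b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT", "kid": "demo-kid"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hashlib.sha256(f"{header}.{body}".encode("ascii")).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

DEMO_AUDIENCE = "/projects/123456789012/apps/example-project"  # assumed project number and id
DEMO_NOW = 1_700_000_000

def demo_claims(**overrides) -> dict:
    claims = {"iss": IAP_ISSUER, "aud": DEMO_AUDIENCE, "email": "alice@example.com",
              "sub": "accounts.google.com:1122334455", "iat": DEMO_NOW - 60, "exp": DEMO_NOW + 540}
    claims.update(overrides)
    return claims

def check_request(headers: Mapping[str, str], now: float = DEMO_NOW):
    """('ok', email) or ('rejected', reason) for the demo app."""
    try:
        return "ok", validate_iap_identity(headers, DEMO_AUDIENCE, demo_signature_verifier, now)
    except ValueError as exc:
        return "rejected", str(exc)

if __name__ == "__main__":
    good = make_demo_assertion(demo_claims())
    print(check_request({"X-Goog-IAP-JWT-Assertion": good,
                         "X-Goog-Authenticated-User-Email": "accounts.google.com:alice@example.com"}))
    print(check_request({"X-Goog-Authenticated-User-Email": "accounts.google.com:alice@example.com"}))
```

The second call in the main block is the case that matters most: a client that can reach the app directly can send the plain email header, but without the signed assertion the request is refused. expected_audience must be the exact value IAP mints for this resource (/projects/PROJECT_NUMBER/apps/PROJECT_ID for App Engine, /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID for a backend service), otherwise a token for a sibling backend would be accepted.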

IAP also provides TCP forwarding, so you can SSH / RDP to Compute Engine instances without a VPN tunnel and without giving them a public IP: the client opens a tunnel through IAP (gcloud compute ssh --tunnel-through-iap, or gcloud compute start-iap-tunnel for RDP) and IAP checks the user's IAM role before forwarding the connection. Two things must be in place: a firewall rule allowing ingress from IAP's source range 35.235.240.0/20 to port 22 or 3389, and the user holding roles/iap.tunnelResourceAccessor on the instance or project.

Azure AD Application Proxy

Azure AD Application Proxy also makes on-prem apps reachable without a VPN: a connector installed on-premises opens an outbound connection to the Application Proxy service, so the app is published without opening inbound firewall ports.

After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal.

However, this does not cover the same ground as IAP's TCP forwarding, which reaches the instances themselves (RDP/SSH). Application Proxy works at the HTTP application level: Azure AD pre-authenticates the user, and to carry that identity into the back end the app has to support one of the authentication types the proxy can translate to (forms-based, HTTP header-based, or Integrated Windows Authentication via Kerberos constrained delegation).

https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy