IAP can be used to protect web resources (layer 7) as well as TCP resources (layer 4)

Layer 4 Use Case

VMs are being managed using SSH and RDP. The ask (for security posture) is to disallow ANY public IPs on the VMs.

This rules out bastion hosts. This also rules out NAT Instances / NAT Gateways - as these all come with Public IPs. So - how exactly does one still manage these VMs without assigning Public IPs?

Identity Aware Proxy - is, as the name suggests, a Proxy Server within GCP that allows traffic (to VM resources) without exposing the VMs themselves. The Layer 4 traffic is wrapped in HTTPs, and Cloud IAM is used to perform authentication on the requests. All this is handled by the IAP service, once you have configured VMs for IAP access.

Layer 7 Use Case

You want to control access to an HTTPS resource  hosted on Google App Engine. One way would be app native users. However, you would like to grant access to additional users, such as vendors etc.

IAP allows you to configure access to an App Engine Deployed app, using the same logic as the layer 4 grant above. Access is via a proxy server (with an allowed set of IP addresses).

The On Premises Use Case

GCP's IAP service also works to protect access to on-premises applications. More on that in a future post.

Sample github source (not mine)

IAP and Compute Engine

Summary

Cloud IAP can be used to protect Layer 4 and Layer 7 access to GCP hosted resources  - primarily VMs and App Engine deployed apps.