This page explains how to secure a Compute Engine instance with Identity-Aware Proxy (IAP).
To secure resources that are not on Google Cloud, see Securing on-premises apps and resources.
Before you begin
To enable IAP for Compute Engine, you need the following:
- A Google Cloud console project with billing enabled.
- A group of one or more Compute Engine instances, served by a load balancer.
  - Learn about Setting up an external HTTPS load balancer.
  - Learn about Setting up an internal HTTP load balancer.
- A domain name registered to the address of your load balancer.
- Application code to verify that all requests have an identity.
  - Learn about Getting the user's identity.
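The last item in the list above is the one most often skipped: the application must check, on every request, that IAP actually authenticated the caller. The module below is an added example, not code from the IAP documentation. It assumes the application sits behind an IAP-enabled backend service, so IAP attaches the signed identity in the x-goog-iap-jwt-assertion header and the JWT audience has the form /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID. Signature verification is delegated to the google-auth library (assumed installed in production); the audience, issuer, expiry and identity checks are applied again on the verified payload and can be exercised offline with the constructed sample token. The project number, service ID and account values in the comments are constructed placeholders.

```python
"""Verify the identity IAP attaches to each request before trusting it.

Added example, not the IAP documentation's own code. Assumes the app is
behind an IAP-enabled backend service: the signed identity arrives in the
x-goog-iap-jwt-assertion header, and the JWT audience has the form
/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID.
"""
import base64
import json
import time

IAP_ISSUER = "https://cloud.google.com/iap"
IAP_JWT_HEADER = "x-goog-iap-jwt-assertion"
IAP_PUBLIC_KEYS_URL = "https://www.gstatic.com/iap/verify/public_key"


class IapAuthError(Exception):
    """Raised when a request carries no acceptable IAP identity."""


def backend_service_audience(project_number: str, backend_service_id: str) -> str:
    """Expected 'aud' claim for a JWT that IAP issues for one backend service."""
    return f"/projects/{project_number}/global/backendServices/{backend_service_id}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Parse the claims segment of a compact JWT WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IapAuthError("malformed JWT: expected header.payload.signature")
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise IapAuthError("malformed JWT payload") from exc


def validate_iap_claims(payload: dict, expected_audience: str, now=None, allowed_domain=None) -> dict:
    """Claim checks for a signature-verified IAP payload; returns the identity.

    The audience check is what stops a JWT that IAP minted for a different
    protected service from being accepted by this one.
    """
    now = int(time.time()) if now is None else now
    if payload.get("iss") != IAP_ISSUER:
        raise IapAuthError("unexpected issuer")
    if payload.get("aud") != expected_audience:
        raise IapAuthError("audience mismatch")
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        raise IapAuthError("missing exp/iat")
    if now >= exp:
        raise IapAuthError("token expired")
    if iat > now + 60:  # small tolerance for clock skew between Google and the VM
        raise IapAuthError("token issued in the future")
    sub, email = payload.get("sub"), payload.get("email")
    if not sub or not email:
        raise IapAuthError("token carries no identity")
    # 'hd' is the Workspace hosted domain; enforce it when only one org may log in.
    if allowed_domain is not None and payload.get("hd") != allowed_domain:
        raise IapAuthError("account not in the allowed Workspace domain")
    return {"sub": sub, "email": email}


def verify_iap_jwt(token: str, expected_audience: str, allowed_domain=None) -> dict:
    """Production path: check the ES256 signature with google-auth, then the claims."""
    from google.auth.transport import requests as google_requests  # assumption: google-auth installed
    from google.oauth2 import id_token

    payload = id_token.verify_token(token, google_requests.Request(),
                                    audience=expected_audience, certs_url=IAP_PUBLIC_KEYS_URL)
    return validate_iap_claims(payload, expected_audience, allowed_domain=allowed_domain)


def authenticate_request(headers: dict, expected_audience: str, allowed_domain=None) -> dict:
    """Entry point for a request handler: refuse anything without the signed header."""
    lowered = {str(k).lower(): v for k, v in headers.items()}
    token = lowered.get(IAP_JWT_HEADER)
    if not token:
        # Do not fall back to x-goog-authenticated-user-email: that header is not signed.
        raise IapAuthError("request did not arrive through IAP")
    return verify_iap_jwt(token, expected_audience, allowed_domain)


def constructed_sample_token(payload: dict) -> str:
    """Build an UNSIGNED token to exercise the parser offline (constructed; real IAP JWTs are ES256-signed)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'ES256', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    aud = backend_service_audience("123456789012", "9876543210")  # constructed placeholder IDs
    claims = {"iss": IAP_ISSUER, "aud": aud, "exp": 1700003600, "iat": 1700000000,
              "sub": "accounts.google.com:1234", "email": "alice@example.com", "hd": "example.com"}
    print(validate_iap_claims(decode_jwt_payload(constructed_sample_token(claims)), aud, now=1700000500))
```

In a request handler, call authenticate_request with the framework's header mapping and the audience computed from the project number and backend service ID; treat IapAuthError as a 401. Enabling IAP on the backend service is what makes the header trustworthy, and verifying it in the application is what protects you if the instances are ever reachable by a path that bypasses the load balancer.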
If you don't have your Compute Engine instance set up already, see Setting up IAP for Compute Engine for a complete walkthrough.
IAP uses a Google-managed OAuth client to authenticate users. Only users within the organization can access the IAP-enabled application. If you want to allow access to users outside of your organization, see Enable IAP for external applications.
You can enable IAP on a Compute Engine backend service or on a Compute Engine forwarding rule. When you enable IAP on a Compute Engine backend service, only that backend service is protected by IAP. When you enable IAP on a Compute Engine forwarding rule, all of the Compute Engine instances behind the forwarding rule are protected by IAP.
Enable IAP on a forwarding rule
You can enable IAP on a forwarding rule by using the load balancer authorization policies framework.
After you enable IAP on a forwarding rule, you can apply permissions to resources.
Enable IAP on a Compute Engine backend service
You enable IAP for a Compute Engine backend service by updating that backend service's own settings.
Console: The Google-managed OAuth client is not available when you enable IAP using the Google Cloud console.
Next steps
- Set richer context rules by applying access levels.
- See access requests by enabling Cloud Audit Logs.
- Learn more about IAP.