We are trying to eliminate our traditional VPN for internal admin tools. I've heard Identity-Aware Proxy (IAP) is the way to go. How do I configure IAP for applications running on Compute Engine and App Service? Does this fully support BeyondCorp principles, and how do we handle access for external vendors who don't have corporate accounts?
3 answers
Cloud IAP is the cornerstone of a Zero Trust strategy on GCP. For App Service, it’s a simple toggle in the console. For Compute Engine, you’ll need to put your VMs behind a Global HTTP(S) Load Balancer and then enable IAP on the backend service. This ensures that only authenticated users with the "IAP-secured Web App User" role can reach your app. For external vendors, you can use Identity Platform to allow them to sign in using their own email (OIDC/SAML) without needing to create a full Google account in your workspace.
Are you also considering Access Context Manager to restrict access based on the user's IP address or the health of their device?
IAP is great because it also handles the encryption (HTTPS) for you at the Load Balancer level, which simplifies certificate management.
Exactly, Nancy. It really reduces the complexity of managing SSL/TLS for every single internal micro-service you might have running.
You definitely should, Richard. Access Context Manager is what turns simple identity checks into true BeyondCorp security. You can define "Access Levels" so that an admin can only access the SSH terminal if they are coming from a corporate-owned laptop with an encrypted disk. This prevents a compromised personal device from becoming an entry point into your production environment.