Cloud Identity-Aware Proxy
Author: Venkata Sudhakar
Google Cloud Identity-Aware Proxy (IAP) controls access to your cloud applications and VMs running on GCP. It verifies user identity and context before granting access, enabling you to adopt a zero-trust access model without requiring a VPN.

Key Features:
1. Zero-trust access - Verify user identity and device context for every request, regardless of network location.
2. No VPN required - Employees can securely access internal apps from anywhere without a VPN.
3. App Engine & GKE - Protect web applications on App Engine, GKE Ingress, and Cloud Run.
4. SSH/RDP tunneling - Secure SSH and RDP access to Compute Engine VMs without external IPs.
5. Context-aware access - Combine with Access Context Manager to enforce device policies.

The example below shows how to enable IAP for a Cloud Run service and tunnel SSH via IAP.
It gives the following output:
IAP enabled on backend service [my-backend].
IAM policy updated: [email protected] -> roles/iap.httpsResourceAccessor
SSH via IAP:
External IP not required.
Tunnel established through IAP.
Connected to my-private-vm (10.128.0.5)
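The script below is an added example, not the author's original commands, of the workflow the output above summarises: enable IAP on the load balancer backend service that fronts the Cloud Run service, grant one user the IAP web-access role, allow SSH only from IAP's TCP-forwarding range, and open an SSH session through an IAP tunnel. The backend name my-backend and VM name my-private-vm are taken from the output above; the project my-project, zone us-central1-a and user [email protected] are assumed values, as is the assumption that the Cloud Run service sits behind an external HTTPS load balancer (IAP is switched on per backend service). Setting DRY_RUN=1 prints each gcloud command instead of running it, which is handy for change review.

```shell
#!/bin/sh
# Added example (not the page's original script): enable IAP on the load
# balancer backend service that fronts a Cloud Run service, grant one user the
# IAP web-access role, restrict SSH to IAP's TCP-forwarding range, then SSH to
# a private VM through an IAP tunnel.
# Assumed values (not from the page): PROJECT, ZONE, USER_EMAIL. BACKEND and VM
# reuse the names shown in the page's output.

PROJECT="${PROJECT:-my-project}"
ZONE="${ZONE:-us-central1-a}"
BACKEND="${BACKEND:-my-backend}"
VM="${VM:-my-private-vm}"
USER_EMAIL="${USER_EMAIL:[email protected]}"
# IAP's TCP-forwarding source range (documented by Google). Only this range
# should be allowed to reach port 22, so the VM needs no external IP.
IAP_RANGE="35.235.240.0/20"

# Execute a command, or just print it when DRY_RUN=1 (useful for review).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: switch IAP on for the backend service. Every request to the
# service now has to carry a valid Google identity before it is forwarded.
enable_iap_backend() {
    run gcloud compute backend-services update "$BACKEND" --global \
        --iap=enabled --project="$PROJECT"
}

# Step 2: grant one user the IAP-secured Web App User role on that backend.
# Access is per application: this binding says nothing about other backends.
grant_iap_access() {
    run gcloud iap web add-iam-policy-binding \
        --resource-type=backend-services --service="$BACKEND" \
        --member="user:$USER_EMAIL" --role=roles/iap.httpsResourceAccessor \
        --project="$PROJECT"
}

# Step 3: firewall rule for IAP TCP forwarding. The source is IAP's range
# only, so port 22 is not reachable from the public internet at all.
allow_ssh_from_iap() {
    run gcloud compute firewall-rules create allow-ssh-from-iap \
        --direction=INGRESS --action=allow --rules=tcp:22 \
        --source-ranges="$IAP_RANGE" --project="$PROJECT"
}

# Step 4: SSH to the VM over an IAP tunnel; gcloud authenticates the caller
# and the VM needs no external IP.
ssh_via_iap() {
    run gcloud compute ssh "$VM" --zone="$ZONE" --tunnel-through-iap \
        --project="$PROJECT"
}

setup_all() {
    enable_iap_backend && grant_iap_access && allow_ssh_from_iap && ssh_via_iap
}

# Usage: sh iap_setup.sh setup   (prefix with DRY_RUN=1 to print the commands only)
case "${1:-}" in
    setup) setup_all ;;
esac
```

Two checks worth keeping when adapting this: the firewall rule's source range is IAP's range only, so SSH is reachable solely through the tunnel and never directly; and the application behind the load balancer should still verify the signed x-goog-iap-jwt-assertion header that IAP adds, so that a request reaching the backend by any path other than the load balancer is rejected rather than trusted.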
IAP vs VPN:
Cloud IAP - Per-application access control. Users access only specific apps, not the entire network. Better for BYOD and remote workers accessing specific internal tools.
Cloud VPN - Network-level access to the entire VPC. Better for server-to-server connectivity or when broad network access is needed.