This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Enabling IAP for a regional external load balancer

Posted on 05-27-2024 01:08 PM
ericmalen
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I am working on setting up the JIT Access application as IaC using KCC and Config Sync. I currently have this set up, which is completely functional:

JIT Architecture Diagram - Global.png

However, I am trying to make the switch from a global external application load balancer to a regional external application load balancer. My target infrastructure is the following:

JIT Architecture Diagram - Regional.png

When I make the switch to the regional LB, I get an IAP assertion error (Invalid IAP assertion (HTTP 403: error)) when I access the application. I've been told that IAP was not compatible with regional external application load balancers. Is this true?

If not, why would I be getting the IAP assertion error when I switch to the regional load balancer?

Thank you in advance!

**Edit

Wanted to add that I've done my own research on this and I'm not simply going on hearsay. I've found this documentation, and this one, that seem to confirm that IAP is not supported for regional LB's. But then there is this one that says they are compatible. Quite confusing!

4 3 904
Topic Labels
3 REPLIES 3

Posted on --/--/---- --:-- AM
DamianS
Gold 2
Gold 2
Reply posted on --/--/---- --:-- AM

Hello @ericmalen  ,Welcome on Google Cloud Community.

Wouldn't be better to use PAM? 
Documentation for PAM: https://cloud.google.com/iam/docs/pam-overview?_gl=1*zhnrdy*_ga*OTQxMjM5MjU3LjE3MTM4NTQzNjU.*_ga_WH2...

medium.com article about PAM: https://medium.com/google-cloud/setup-temporary-elevated-access-for-google-cloud-with-pam-1ed98d6098...

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

Posted on --/--/---- --:-- AM
ericmalen
Bronze 1
Bronze 1
In response to DamianS
Reply posted on --/--/---- --:-- AM

First of all, thank you for the response, much appreciated.

Secondly, that is very intriguing, I was not aware of PAM. From the looks of it it's a GCP native JIT solution? Will definitely be looking into to this! At first glance it does seem like it would be a better solution.

My main question still stands though, is IAP compatible with regional external application load balancers? As I've added in the edit section of my original post, some of the documentation regarding load balancers and IAP seem to be contradicting themselves. I found two sources that say IAP is not compatible with regional external application load balancers, and one that says they are compatible.

Posted on --/--/---- --:-- AM
DamianS
Gold 2
Gold 2
In response to ericmalen
Reply posted on --/--/---- --:-- AM

It's much better than app written by community 😉 ( JIT is awesome btw).  Unfortunately I didn't found any info about regional LB. I've found info about NEGs : https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

Top Labels in this Space
Top Solution Authors
View all