Identity-Aware Proxy With External IP VM

kfklinux · 09-16-2022 04:15 AM

We are going to implement this Identity-Aware Proxy in our GCP Infrastructure but before that, we are worried that if we implement this ( IAP ) then will it impact the traffic of our running application.

we are running all our services on multiple virtual machines which have individual public IPs on them and there are some common ports like 80,443 where the general public access the application. if we implement this Identity Aware proxy will it affect our current application architecture if yes then how will it impact us?

As I read somewhere that this Identity-Aware Proxy will not work if the VM has the External or Public IP on them. it only works when the VM not having any external connection.

emelgoza

Hi,

It seems there is a misunderstanding related to the IAP functionality because it does not work according to the Ip address. The intention of IAP is to establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls. Where your responsibilities are:

Configure your firewall and load balancer to protect against traffic that doesn't come through the serving infrastructure.

As an alternative if you're using Cloud Run, you can restrict access by using ingress controls.

Use signed headers or the App Engine standard environment Users API.

IAP can be used when you want to enforce access control policies for apps or resources you can consult the chart for further reference.

If you have doubts about how to implement it, you can consult the following link.