Google zero trust overview: Identity-Aware Proxy
Before diving into Google IAP, a word about BeyondCorp. BeyondCorp is Google's zero-trust model for enterprise access: it does away with the traditional VPN and grants access to each service based on the identity of the user rather than on the network the request comes from. Google Identity-Aware Proxy (IAP) is the Google Cloud product that implements this model for applications running on GCP. The figure below shows the Google IAP architecture.
The flow of access goes as follows:
- IAP is enabled on a backend service of an HTTPS load balancer, so the load balancer hands every incoming request to the proxy.
- Each request to the service passes through the proxy; a user who is not signed in is redirected to Google sign-in first.
- The proxy checks whether the signed-in user holds the IAM role that grants access to the requested resource.
- It then either forwards the request to the backend or returns an access-denied response to the user.
Demonstration (service running inside a Google Compute Engine instance):
- Backend service created from an instance group
- HTTPS load balancer configured for the backend service
- Health check
- Firewall rule
- IAP access
Create a backend service from an instance group. An instance group is required because the load balancer's backend service only attaches to instance groups, not to individual instances.
Navigate to Network Services > Load balancing > Create load balancer.
Select HTTPS Load Balancing and configure the backend service (pointing at the instance group, with a health check on the port the application listens on), a host and path rule, and an HTTPS frontend.
Most of the defaults can be kept; select Create. Note the front-end IP address and point the DNS record for the application's hostname at it.
Configuring the firewall: VPC Network > Firewall rules:
Disable the default allow rule and add a rule that lets traffic reach the instances only from the load balancer. Note that proxied requests do not arrive from the front-end IP: the load balancer and its health checks connect to backends from Google's ranges 130.211.0.0/22 and 35.191.0.0/16, so those are the source ranges to allow. With this rule the instances accept only traffic that has passed through the load balancer, and therefore through IAP. The HTTPS frontend also needs a certificate for the hostname; the one used here was issued by Let's Encrypt and attached to the load balancer.
Configuring IAP: Security > Identity-Aware Proxy:
This screen automatically lists the backend services of the HTTPS load balancer and shows a green check once the prerequisites are met.
Enabling IAP is easy: toggle IAP to ON for the backend service, tick the backend service, and add the users or groups who should have access.
Finally, the application is accessible only to the principals granted the IAP-secured Web App User role on that backend service.
A valid user is permitted through to the service; anyone else who signs in is denied by the proxy.
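The firewall rule above keeps Internet traffic from bypassing the proxy, but anything that can reach the instance from inside the VPC (another VM in the same network, a compromised peer) could still talk to the application directly and set any header it likes. Google therefore signs the identity it forwards as a JWT in the X-Goog-IAP-JWT-Assertion header, and the backend should verify that signature before trusting the user. The following Go program is an added example and not part of the original post: it shows the checks a backend should perform on that header (pinned ES256 algorithm, key lookup by kid, issuer https://cloud.google.com/iap, the backend's own audience, expiry). It runs offline by minting tokens with a locally generated key; the key, the kid "test-kid", the project and backend-service numbers in the audience, and the user alice@example.com are all constructed. In production the public keys come from https://www.gstatic.com/iap/verify/public_key-jwk and the audience is /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const iapIssuer = "https://cloud.google.com/iap"

type jwtHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// iapClaims is the subset of the IAP assertion a backend needs to check.
type iapClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Sub   string `json:"sub"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

// VerifyIAPAssertion validates an X-Goog-IAP-JWT-Assertion value and returns
// the asserted email. keys maps kid to the public key published by Google
// (here: a constructed local key); expectedAud is this backend's audience.
func VerifyIAPAssertion(token string, keys map[string]*ecdsa.PublicKey, expectedAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return "", err }
	var hdr jwtHeader
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil { return "", err }
	// Pin the algorithm: never let the token choose the verification scheme.
	if hdr.Alg != "ES256" { return "", fmt.Errorf("unexpected alg %q", hdr.Alg) }
	pub, ok := keys[hdr.Kid]
	if !ok { return "", fmt.Errorf("unknown kid %q", hdr.Kid) }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return "", err }
	if len(sig) != 64 { return "", errors.New("bad ES256 signature length") }
	// JWS ES256 signatures are raw R||S (32 bytes each), not ASN.1.
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) { return "", errors.New("signature verification failed") }
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return "", err }
	var c iapClaims
	if err := json.Unmarshal(payloadJSON, &c); err != nil { return "", err }
	if c.Iss != iapIssuer { return "", fmt.Errorf("unexpected issuer %q", c.Iss) }
	if c.Aud != expectedAud { return "", fmt.Errorf("audience %q is not this backend", c.Aud) }
	if now.Unix() >= c.Exp { return "", errors.New("token expired") }
	if c.Iat > now.Unix()+30 { return "", errors.New("token issued in the future") }
	if c.Email == "" { return "", errors.New("missing email claim") }
	return c.Email, nil
}

// signTestToken mints an IAP-shaped token with a local key. Test helper only:
// real assertions are signed by Google, never by the backend.
func signTestToken(priv *ecdsa.PrivateKey, kid string, c iapClaims) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	signing := enc(jwtHeader{Alg: "ES256", Kid: kid}) + "." + enc(c)
	digest := sha256.Sum256([]byte(signing))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// DemoResult holds the outcome of the three constructed scenarios in Demo.
type DemoResult struct {
	Email       string // email from a correctly signed token
	WrongAudErr error  // token signed for a different backend service
	ForgedErr   error  // header set by someone who cannot sign: "alg":"none", no signature
}

// Demo exercises VerifyIAPAssertion with a constructed key pair and audience.
func Demo() DemoResult {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	keys := map[string]*ecdsa.PublicKey{"test-kid": &priv.PublicKey}
	aud := "/projects/123456789012/global/backendServices/987654321098" // constructed
	now := time.Now()
	claims := iapClaims{Iss: iapIssuer, Aud: aud, Email: "alice@example.com",
		Sub: "accounts.google.com:1", Iat: now.Unix(), Exp: now.Add(10 * time.Minute).Unix()}
	good := signTestToken(priv, "test-kid", claims)
	email, err := VerifyIAPAssertion(good, keys, aud, now)
	if err != nil { panic(err) }
	other := claims
	other.Aud = "/projects/123456789012/global/backendServices/111111111111" // constructed
	_, errAud := VerifyIAPAssertion(signTestToken(priv, "test-kid", other), keys, aud, now)
	forgedHdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","kid":"test-kid"}`))
	_, errForged := VerifyIAPAssertion(forgedHdr+"."+strings.Split(good, ".")[1]+".", keys, aud, now)
	return DemoResult{Email: email, WrongAudErr: errAud, ForgedErr: errForged}
}

func main() {
	r := Demo()
	fmt.Println("valid token      ->", r.Email)
	fmt.Println("wrong audience   ->", r.WrongAudErr)
	fmt.Println("alg=none forgery ->", r.ForgedErr)
}
```

In a real backend the key map is refreshed from Google's JWK endpoint and the audience is read from configuration; the audience check matters because a token minted by IAP for another backend service in the same project is still signed by Google and would otherwise be accepted.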