Google zero trust overview: Identity-Aware Proxy

Before diving into Google IAP I would like to start with Google BeyondCorp. BeyondCorp is Google's initiative to implement zero-trust networking in the enterprise: it eliminates the traditional VPN and grants access to services based on user identity. Google IAP is the implementation framework for that zero-trust network. The architecture of Google IAP is shown in the figure below.

googleiap.PNG

Source: Google.com

The flow of access goes as follows:

  • The IAP proxy is configured together with a load balancer, which acts as the request handler.
  • Every request to the service passes through the proxy.
  • The proxy checks whether the user has access to the requested resource.
  • Based on that check, it allows or denies the user's connection to the service.

Demonstration (service running inside a Google Compute Engine instance):

Prerequisites:

  • Google Cloud service created from an instance group
  • Load balancer configured for the back-end service
  • Health check
  • Firewall rule
  • IAP access

Cloud service:

Create a cloud service from an instance group as follows. We need an instance group because the load balancer can only be configured against instances that belong to a group.

Instancecreation.PNG

Create the group like this.

Instancecreatd.PNG

Navigate to Network Services > Load balancer > New to create a load balancer.

HTTPSLB.PNG

Select HTTPS Load Balancing and configure it.

Configurelb.PNG

Mostly we can keep the defaults and select Create. Note the front-end IP and configure the same IP in the DNS settings.

LBconfigured.PNG

Configuring the firewall: VPC Network > Firewall Rules:

Disable the default allow rule and add a rule that allows traffic from the load balancer IP address (in my case, shown below). With this rule we tell the firewall to block all packets except those coming from the load balancer. Create a certificate using Let's Encrypt:

Firewall.PNG

Creating an IAP proxy: Security > Identity-Aware Proxy:

This screen automatically displays the load balancer and shows a green check if it is configured properly.

IAP.PNG

Enabling IAP is easy: toggle IAP to ON and tick the backend service to allow users access to the service.

IAP_access.PNG
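The firewall and IAP steps above, expressed as gcloud commands (an added example; it is not from the original post and not Google's own sample). The project, network, backend-service name, network tag, OAuth client values and the user principal are assumed placeholders; the source ranges are Google's documented proxy load-balancer and health-check ranges, which is what the firewall must admit for requests that arrive through the HTTPS load balancer.

```shell
#!/usr/bin/env sh
# Added example: the console steps from this post as gcloud commands.
# All names below are assumptions for illustration; replace them for a real project.
set -eu

PROJECT="my-project"                   # assumed project id
NETWORK="default"                      # VPC in which the instance group runs
BACKEND="iap-webapp-backend"           # assumed backend-service name behind the LB
TAG="iap-webapp"                       # network tag carried by the instances
ALLOWED_USER="user:alice@example.com"  # principal that gets IAP-secured access
OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-REPLACE_WITH_OAUTH_CLIENT_ID}"          # placeholder
OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-REPLACE_WITH_OAUTH_CLIENT_SECRET}"  # placeholder
# Google's proxied load-balancer and health-check source ranges (documented by Google).
LB_RANGES="130.211.0.0/22,35.191.0.0/16"

# Run a gcloud command; print it instead when gcloud is missing or DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ] || ! command -v gcloud >/dev/null 2>&1; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Firewall step: disable the broad allow rule, then admit only the LB/health-check
# ranges to the backend port (tcp:80 assumed) on the tagged instances.
lock_down_firewall() {
  run gcloud compute firewall-rules update default-allow-http --project="$PROJECT" --disabled
  run gcloud compute firewall-rules create allow-lb-to-webapp --project="$PROJECT" \
      --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules=tcp:80 \
      --source-ranges="$LB_RANGES" --target-tags="$TAG"
}

# IAP step: turn IAP on for the backend service and grant one principal the
# "IAP-secured Web App User" role (roles/iap.httpsResourceAccessor).
enable_iap() {
  run gcloud compute backend-services update "$BACKEND" --project="$PROJECT" --global \
      --iap=enabled,oauth2-client-id="$OAUTH_CLIENT_ID",oauth2-client-secret="$OAUTH_CLIENT_SECRET"
  run gcloud iap web add-iam-policy-binding --project="$PROJECT" \
      --resource-type=backend-services --service="$BACKEND" \
      --member="$ALLOWED_USER" --role=roles/iap.httpsResourceAccessor
}

# Apply both steps (prints the commands when gcloud is unavailable or DRY_RUN=1).
lock_down_firewall
enable_iap
```

The firewall rule only stops traffic that bypasses the load balancer at the network layer; the backend should additionally verify the signed x-goog-iap-jwt-assertion header that IAP attaches to each forwarded request, so a request that somehow reached it without passing through IAP is rejected.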

Finally, the application is accessible only to the authorized users granted the IAP-secured Web App User role.

accessasking.PNG

final.PNG

If the user is valid, access is permitted.

Accesses.PNG


Last update: June 3, 2020