Popular with:
Cloud Engineer
Security Architect
Security Champion
Security Engineer
Cloud Security

Google Cloud Security Tips #2 - Identity Aware Proxy

January 19, 2023
Written by
Joshua Jebaraj

Table of Contents:

  1. How Does IAP Work?
  2. Key Features of IAP Services
  3. Benefits of IAP Services
  4. Final Words

What is Identity Aware Proxy?

In the post-pandemic world, remote working has become a norm, which has increased the chances of data breaches. As per a survey, 20% of organizations have faced security threats because of remote working, and the average data breach cost has increased by USD 137,000.

Suppose a user works on your firm's cloud resources from a separate network or device. In that case, they will either need to enable VPN or go through multi-layered firewalls to authenticate their identity. This can prove to be an immensely tiresome and time-consuming process. 

So, what is the solution to this problem?

Google Cloud Platform's Identity Aware Proxy (IAP) is a feature that eliminates these complications in user authentication through different devices or networks.

How Does IAP Work?

The GCP's IAP service works on a zero-trust model. It intercepts web requests sent to an application and authenticates the person requesting the Google Identity Service, letting only the most authentic requests through. It includes additional information about the authenticated user in the request headers for you to review and verify.


IAP grants access to cloud resources depending on the context of each request, doing away with a device or network-centric limitations. It will check the request URL, browser credentials and user identity, IAM roles, and permissions, among other information, before authenticating a user request. 

Key Features of IAP Services

With the IAP services, you can define access policies centrally, overlooking any need for VPNs and firewalls. Here are the features of IAP services:

  • Centralized access management: With IAP, you can have a single point of control for user access to cloud resources and web applications.
  • Functional with on-premise apps and cloud: IAP safeguards access to applications hosted on any cloud, including Google Cloud and on-premises.
  • Protects apps and VMs: TCP forwarding aids IAP in protecting SSH and RDP access to virtual machines hosted on Google Cloud. VM instances need not have public IP addresses.

In cases where third-party contractors and vendors require limited access to certain parts of a company's Google Cloud resources, IAP does a great job of weeding out unwarranted authentication requests.

Benefits of IAP Services

Suppose your employees are on different devices and networks and do not want to use firewalls or VPNs to authenticate their access requests. In that case, IAP services help streamline your permissions and offer you a well-informed base for all approvals.

  • Easier for cloud admins: With IAP, you can grant access to apps in less time than you would need to implement a VPN. IAP will handle authorization and authentication while your developers work on application logic.
  • Enhanced security: IAP lets admins create and enforce access-control policies founded on attributes like device security status, user identity, and IP address.
  • Hasslefree for remote employees: With IAP, WFH employees and contractors can point web browsers to internet-accessible URLs for accessing specific applications without any VPN.

Final Words

Authenticating users usually necessitates additional code in your software. You can delegate those responsibilities to the Identity-Aware Proxy service for Google Cloud Platform apps. No program changes are required if you only need to restrict access to specific users. If the application requires the user's identity, IAP can offer it with nominal coding changes.

You will learn way more about IAP for Google Cloud with brand-new courses by AppSecEngineer! Train with hands-on labs in GCP security, and get your team in-demand cloud skills.

Source for article
Joshua Jebaraj

Joshua Jebaraj

Joshua Jebaraj is the Creator of GCP-Goat. He works as Security Researcher at we45 focusing on cloud and cloud-native security. He has 3+ years of experience working related to containers and Kubernetes. He has also spoken at conferences like Defcon, Owasp-Seasides, Bsides-Delhi, and Eko-party. When AFK, he can be found watching movies and making memes.

Joshua Jebaraj


Contact Support


1603 Capitol Avenue,
Suite 413A #2898,
Cheyenne, Wyoming 82001,
United States

Copyright AppSecEngineer © 2023