Restrict resource access to specific domains

To improve overall security, IAP by default denies access torequests that do not have a matching Server Name Indication (SNI).IAP also checks the SNI of the load balancer certificate. This allowsIAP to restrict URL redirect to malicious domains. TheIAP allowed domains feature provides an additional securitylayer for your IAP-protected resources. As a resource owneror IAP administrator, you can restrict access toIAP-protected resources to specific domains by configuringthe allowed domains feature.

You can also configure IAP allowed domains in the following scenarios:

  • Your browser or an intermediate proxy is forcing connection pooling: In this scenario, you receive HTTP response 429 and error code51. To resolve the issue, an IAP admin can update the list of allowed domains to include your host name.
  • The host name provided does not match the SSL certificate on the server: In this scenario, you receive error code52. To resolve the issue, an IAP admin can update the list of allowed domains to include your host name.

Configure allowed domains

You can use gcloud or the API to configure allowed domains settings. To configure allowed domains, use the following fields:

  • enable: Boolean. Turns the allowed domains feature on or off.
  • Domains: String. The list of allowed domains. The domains can contain wildcard prefixes, such as*.example.com. Domain names cannot contain a wildcard directly on a public suffix or on a top level domain. Example:*.com,*.co.in.

For more information, seeIapSettings.

To configure IAP allowed domains, complete the following steps:

Console

  1. Go to the IAP page.
    Go to Identity-Aware Proxy.
  2. Select a project, and then select the resource on which you want to enable the allowed domains feature.
  3. OpenSettings for the resource. UnderAllowed domains, selectEnable Allowed Domains.
  4. Specify the list of allowed domains, and then clickSave.

gcloud

Following are some example commands for specifying allowed domains.

For more information, seegcloud iap settings set.

Run the following command:

gcloud iap settings set SETTING_FILE --folder=FOLDER --organization=ORGANIZATION --project=PROJECT --resource-type=RESOURCE_TYPE --service=SERVICE --version=VERSION

WhereSETTING_FILE is:

accessSettings:allowed_domains_settings:enable:truedomains:["*.example.com","*.example.net"]

Replace the following:

  • FOLDER: The folder ID.
  • ORGANIZATION: The organization ID.
  • PROJECT: The project ID.
  • RESOURCE_TYPE: The IAP resource type. Must beapp-engine,iap_web,compute,organization,folder,backend-services,forwarding-rule, orcloud-run.
  • SERVICE: The service name. This is optional whenresource-type iscompute orapp-engine.
  • VERSION: The version name. This is not applicable forcompute, and is optional whenresource-type isapp-engine.

You must specify at least one of the following flags to define the scope forthe settings:

  • --organization=ORGANIZATION
  • --folder=FOLDER
  • --project=PROJECT

API

To configure allowed domains, complete the following steps. For more information about using the API to configure allowed domains, seeIapSettings.

  1. Run the following command to prepare aniap_settings.json file. Update the values as needed.
 {     "access_settings":{         "allowed_domains_settings":{             "enable": true             "domains": [                 "*.example.com",                 "*.exampe.net"             ]         }     } }
  1. Get the resource name by running thegcloud iap settings get command. Copy the name field from the output. You will need the name in the following step.
gcloud iap settings get --organization=ORGANIZATION --folder=FOLDER --project=PROJECT --resource-type=RESOURCE_TYPE --service=SERVICE --version=VERSION
  1. ReplaceRESOURCE_NAME in the following command with the name from the previous step. TheIapSettings will be updated.
curl -X PATCH \-H "Authorization: Bearer $(gcloud auth print-access-token)" \-H "Accept: application/json" \-H "Content-Type: application/json" \-d @iap_settings.json \"https://iap.googleapis.com/v1/RESOURCE_NAME:iapSettings?updateMask=iapSettings.accessSettings.allowedDomainsSettings.enable,iapSettings.accessSettings.allowedDomainsSettings.domains"

Troubleshooting

Allowed domains access issue
If you receiveError code 53, ask an IAP administrator to add your host name to the list of allowed domains.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.