Enabling IAP for on-premises apps

This guide explains how to secure an HTTP- or HTTPS-based on-premises app that runs outside of Google Cloud with Identity-Aware Proxy (IAP) by deploying an IAP connector.

For more information on how IAP secures on-premises apps and resources, see the IAP for on-premises apps overview.

Before you begin

Before you begin, you need the following:

  • An HTTP- or HTTPS-based on-premises app.
  • A Cloud Identity member granted the Owner role on your Google Cloud project.
  • The Google APIs Service Agent granted the Owner role.
  • A Google Cloud project with billing enabled.
  • The external URL to use as the ingress point for traffic to Google Cloud. For example, www.hr-domain.com.
  • An SSL or TLS certificate for the DNS hostname that is used as the ingress point for traffic to Google Cloud. An existing self-managed or Google-managed certificate can be used. If you don't have a certificate, create one using Let's Encrypt.
  • If VPC Service Controls is enabled, a VPC network with an egress policy on cp action for the VM service account to the gce-mesh bucket, which is in project 278958399328. This grants the VPC network permission to retrieve the Envoy binary file from the gce-mesh bucket. The permission is granted by default if VPC Service Controls is not enabled.
  • Disable an external IP by completing the following steps:

    1. Enable Private Google Access on the VPC subnet that is used for the IAP connector by checking the box in the configuration. For additional information, see Private Google Access.
    2. Ensure that the firewall configuration of the VPC network allows access from the VMs to the IP addresses used by the Google APIs and services. This is implicitly allowed by default, but can be changed explicitly by users. For information about how to find the IP range, see IP addresses for default domains.

Deploy a connector for an on-premises app

  1. Go to the IAP admin page.

  2. Begin setting up your connector deployment for an on-premises app by clicking On-prem connectors setup.

  3. Ensure that the required APIs are loaded by clicking Enable APIs.

  4. Choose whether the deployment should use a Google-managed certificate or one managed by you, select the network and subnet for the deployment (or choose to create a new one), and then click Next.

  5. Enter the details for an on-premises app you want to add:

    • The external URL of requests coming to Google Cloud. This URL is where traffic enters the environment.
    • A name for the app. It will also be used as the name for a new backend service behind the load balancer.
    • The on-prem endpoint type and its details:

      • Fully qualified domain name (FQDN): The domain where the connector should forward the traffic.
      • IP address: One or more zones where the IAP connector should be deployed (for example, us-central1-a) and, for each, the IPv4 address of the internal destination for the on-premises app to which IAP routes traffic after a user has been authenticated and authorized.
      Note: If your on-prem endpoint is an IP address, consider using a hybrid connectivity network endpoint group directly with a load balancer instead of using the IAP on-prem connector.
    • The protocol used by the on-prem endpoint.

    • The port number used by the on-prem endpoint, such as 443 for HTTPS or 80 for HTTP.

  6. Click Done to save the details for that app. If you want, you can then define additional on-premises apps for the deployment.

  7. When you're ready, click Submit to begin deployment of the apps you've defined.
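The prerequisites listed under "Before you begin" (a valid certificate on the ingress hostname, Private Google Access on the connector subnet) and the per-app details entered in step 5 are easy to get wrong in the setup form, and a mistake only surfaces after the deployment has been submitted. The pre-flight script below is an added example, not Google's tooling and not part of this page. It validates the form inputs offline (app name, zone, IPv4 address, protocol, port, FQDN) and, when run with RUN_LIVE_CHECKS=1, uses openssl and gcloud to confirm that the ingress certificate verifies and that Private Google Access is enabled on the subnet. The subnet name iap-connector-subnet, the region, and all function names are assumptions; www.hr-domain.com is the placeholder hostname from this page.

```shell
#!/bin/sh
# Added example (not Google's tooling): pre-flight checks for an IAP on-prem
# connector deployment. Inputs are the values the setup form asks for.
set -eu

# ---- offline checks on the form inputs ------------------------------------

# The app name becomes a backend service name, so it must follow the Compute
# Engine resource-name rule: 1-63 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_app_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Zones look like us-central1-a: a region name plus a one-letter zone suffix.
valid_zone() {
  printf '%s\n' "$1" | grep -Eq '^[a-z]+-[a-z]+[0-9]+-[a-z]$'
}

# Dotted-quad IPv4 with every octet in 0..255 (the "IP address" endpoint type).
# The body runs in a subshell so changing IFS does not leak to the caller.
valid_ipv4() (
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || exit 1
  IFS=.
  for octet in $1; do
    [ "$octet" -le 255 ] || exit 1
  done
)

# The FQDN endpoint type: dot-separated labels ending in an alphabetic TLD.
valid_fqdn() {
  printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# Port must be an integer in 1..65535; protocol must be http or https.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_protocol() {
  [ "$1" = "http" ] || [ "$1" = "https" ]
}

# Validate one "IP address" style app entry: name zone ipv4 protocol port.
check_app_entry() {
  valid_app_name "$1" && valid_zone "$2" && valid_ipv4 "$3" \
    && valid_protocol "$4" && valid_port "$5"
}

# gcloud prints True or False for --format='value(privateIpGoogleAccess)'.
pga_enabled() {
  [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = "true" ]
}

# ---- live checks (need openssl and gcloud; enabled with RUN_LIVE_CHECKS=1) -

# The certificate on the ingress hostname must chain to a trusted CA and match
# the name; -verify_return_error makes s_client fail instead of warning.
check_certificate() {
  openssl s_client -connect "$1:443" -servername "$1" -verify_hostname "$1" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Private Google Access must be on for a subnet whose VMs have no external IP.
check_private_google_access() {
  pga_enabled "$(gcloud compute networks subnets describe "$1" --region "$2" \
    --format='value(privateIpGoogleAccess)')"
}

if [ "${RUN_LIVE_CHECKS:-0}" = "1" ]; then
  INGRESS_HOST="${INGRESS_HOST:-www.hr-domain.com}"   # placeholder from the page
  SUBNET="${SUBNET:-iap-connector-subnet}"             # hypothetical subnet name
  REGION="${REGION:-us-central1}"                       # assumed region
  check_certificate "$INGRESS_HOST" \
    && echo "certificate OK for $INGRESS_HOST" \
    || echo "certificate check FAILED for $INGRESS_HOST"
  check_private_google_access "$SUBNET" "$REGION" \
    && echo "Private Google Access enabled on $SUBNET" \
    || echo "Private Google Access DISABLED on $SUBNET"
fi
```

Run the offline checks by sourcing the file and calling check_app_entry with the values you intend to type into the form; run the live checks only from a workstation that is already authenticated to the project with gcloud, since the subnet lookup needs read access to the VPC.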

Once the deployment is complete, your on-prem connector apps appear in the HTTP resources table and IAP can be enabled.

If you choose to let Google auto-generate and manage the certificates, it might take a few minutes for the certificates to provision. You can check the status at the Cloud Load Balancing detail page. For more information about the status, see the troubleshooting page.

Manage a connector for an on-premises app

  • You can add more apps to your deployment at any time by clicking On-prem connectors setup.
  • You can delete the on-premises connector by deleting the entire deployment:

    1. Go to the Deployment Manager page.

    2. In the list of deployments, select the checkbox next to the "on-prem-app-deployment" deployment.

    3. At the top of the page, click Delete.

  • You can delete an individual app by clicking the delete button in On-prem connectors setup. The on-premises connector must contain at least one app; to remove all apps, delete the entire deployment.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.