Overview
- Identity-Aware Proxy (IAP)
- Central authorization layer for HTTP applications
- Secure resources with authorization and authentication—enforces policies
- No VPN required
- Works with Google Cloud load balancers and IAM—only authenticated requests allowed
  - External load balancers—HTTPS
  - Internal load balancers—HTTP/S
- Works with App Engine, Compute Engine, Kubernetes Engine, Cloud Run and on-prem
Signed Headers
- Secure app with signed headers
- IAP uses JSON Web Tokens (JWT) to ensure request to app is authorized
- App ensures JWT is valid before responding
- Additional security check
- Protects app from:
  - IAP being accidentally disabled
  - Misconfigured firewalls
  - Access from within project
- GCE and GKE health checks don’t include JWT headers
  - Ensure check is skipped for health check paths