AIM: Enable a few internal websites (hosted on our GCP VMs) to be accessible to the internet w/o VPN. This access must be able to be manually added on a user-by-user or group basis, using Azure as an identity provider.
Situation: We have a few internal websites (like a password reset page, etc.) that we want our remote users to be able to access w/o having to use VPN. I have been playing around in the lab and have been able to make this work using IAP and an HTTPS load balancer. It actually works better than I expected, and we were able to integrate it w/ Microsoft Azure to provide identity verification and assign people's access via the GCP GUI by adding principals and assigning roles.
The problem is that having to use an HTTPS resource means having yet another certificate that we need to track, renew, etc. We already secure these sites w/ certificates internally, using nginx for SSL termination, so I do not want to add yet another cert into this list.
Goal: I'm hoping to just use a TCP Resource in IAP to forward port 443 to nginx, then have the path continue internally as necessary.
Currently in my test lab this only half works. It's "all or nothing". Either it forwards ALL 443 requests, allowing anyone who accesses the page externally to get through, or it's off and forwards no one. I need the ability to just "Add Principals" and assign Azure users' access rights, like I can on the HTTP resource.
Am I just missing something, or is this an HTTPS Resource-only option?