I'm trying to use this guide to protect my on-premise app with Google Identity-Aware Proxy.

I have an on-premise web app, which is simulated on a GCP VM that is accessible through {public_ip}/scada. What I need to achieve is to enable IAP to protect it.

As long as I have to deploy and configure the IAP connector, I need to specify source and destination, as referred to in the link and image.

What I don't get so far is what to put as source (entry point on the IAP connector) and destination (here maybe I need to buy a domain and link the public IP of the VM).

What can I do to configure the source? Do I need to buy another domain and reserve a static IP to use?

Thanks for helping.

iap connector config

Mark9966
  • Hi, please edit your post and put your config as text instead of an image. If you need help on markdown, please [refer to this link](https://stackoverflow.com/editing-help) – Donnald Cucharo Dec 10 '20 at 07:42

1 Answer

Per the docs you referenced above:

routing.mapping.source: The URL of requests coming to Google Cloud. This URL is where traffic enters the environment.

routing.mapping.destination: The URL for the on-premises app to which IAP routes traffic after a user has been authorized and authenticated. IAP routes traffic to this URL using TLS and the application hosted there is required to provide an HTTPS endpoint.

That doc links to an additional help file which may be, well, helpful: https://cloud.google.com/iap/docs/cloud-iap-for-on-prem-apps-overview#routing_rules

It has an example that shows actual FQDNs rather than IP addresses. It sounds like you're thinking about this from a purely IP routing standpoint, rather than a business standpoint (e.g. "we want all traffic that's going to www.mydomain.com to just go to mydomain.com").

ingernet
  • Hi! Thanks for your answer. So do you suggest, as long as I have only a public IP on the GCP VM, to add a domain to it to use that as destination? But what am I using as source? Do I need to add another domain? I don't get that entry point. Btw, I need to buy domains for sure, right? @ingernet – Mark9966 Dec 11 '20 at 12:44
  • @Mark9966 I actually don't use IAP, was merely trying to decode those docs. But it sure sounds from [this GCE/IAP tutorial](https://cloud.google.com/iap/docs/tutorial-gce) that domains are a requirement. That said, if you have an existing domain, you could always head on over to the DNS manager interface for it and add a new A record for a subdomain in your DNS zone file - like, newsubdomain.mydomain.com. – ingernet Dec 15 '20 at 02:27
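
The source/destination distinction discussed in the answer can be checked before deploying. The following is an added example, not code from the post or from Google's tooling. It assumes, following the FQDN example in the linked docs, that `routing.mapping.source` and `routing.mapping.destination` are bare domain names; the function names and hostnames are hypothetical.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
# At least two labels, e.g. app.example.com
_FQDN = re.compile(_LABEL + r"(?:\." + _LABEL + r")+")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_field(value):
    """Return the problems found in one source or destination value."""
    problems = []
    if "://" in value:
        problems.append("has a scheme")
        value = value.split("://", 1)[1]
    host, slash, _ = value.partition("/")
    if slash:
        problems.append("has a path")
    if _is_ip(host):
        problems.append("is an IP address, not a domain name")
    elif not _FQDN.fullmatch(host):
        problems.append("is not a fully qualified domain name")
    return problems


def check_mappings(mappings):
    """Return (index, field, problem) tuples for a list of mapping dicts."""
    findings, seen_sources = [], set()
    for i, m in enumerate(mappings):
        for field in ("source", "destination"):
            findings += [(i, field, p) for p in check_field(m.get(field, ""))]
        if m.get("source") in seen_sources:
            findings.append((i, "source", "duplicates an earlier source"))
        seen_sources.add(m.get("source"))
    return findings


# Constructed sample: entry 0 follows the docs' FQDN style, entry 1 is the
# IP-and-path form from the question (documentation-range addresses).
SAMPLE = [
    {"source": "scada.example.com", "destination": "scada-onprem.example.com"},
    {"source": "203.0.113.10/scada", "destination": "198.51.100.7/scada"},
]
```

Running `check_mappings(SAMPLE)` reports nothing for the first entry and flags both fields of the second, which is the shape of configuration the question started from.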