


Identity and Context-Aware Access Control
Zero Trust Security

This course explores Zero Trust and how it can be implemented using BeyondCorp Enterprise. We also look at securing resources and applying access levels. 

Learning Objectives

  • Explaining the Zero Trust Security Model
  • Implementing Zero Trust using BeyondCorp Enterprise
  • Securing resources with an Identity-Aware Proxy
  • Extending security by creating and applying access levels

Intended Audience 

  • GCP Developers
  • GCP Security Engineers

Prerequisites

  • Access to a GCP account

In this lesson, I am going to show you how to do two things:

  1. I will demonstrate how to securely connect to a Virtual Machine using the Identity-Aware Proxy

  2. I will also show you how to create and apply access level restrictions based around region and IP address

I have already spun up the Virtual Machine, so let me show you that first.   Now this instance is called “private-vm1”.  It is important to note: it has been assigned an Internal IP address but not an External one.  So you can think of it as representing something like an application or database server.  Just any internal server that is not directly accessible from the internet.

Now there will be times where a developer or QA engineer is going to need to SSH to this machine.  Maybe they want to view the logs or debug a problem.  Typically, you could not directly connect to this machine from outside the VPC.  However, here you can see that I actually can SSH to this machine even though I am not logged into a VPN.  Currently my laptop is simply connected to the general internet and the only thing I have done is logged into the GCP console.  How exactly am I able to resolve an internal IP address running in a private Google network?  Well, we can find out the answer if we look at the gcloud command.

Here you can see that this command is automatically using a tunnel provided by the Identity-Aware Proxy.  Now this is because of the account I am currently logged in to.  It has owner level access to this project.  Now, having owner level access is generally bad practice.  An owner has access to everything.  Now because my project is just used for demonstration purposes and no production systems, it’s not actually a real problem.  But generally, you will not have owner level access and you won’t want it, either.  Owner-level permission is dangerous.  If it ever fell into the wrong hands, a lot of damage could be done.  Even in the right hands, you could accidentally do something very bad.

Let’s make this a much more realistic scenario.  I also want to be able to demonstrate how to set up the IAP.  So, I have created another user account with minimal permissions.  Here, you can see my “owner” account.  And here is the new “demo user” account that I created.  So now if I try to SSH from my demo account, we will see I get an error message.  There is no external IP address and since IAP has not been enabled for this user, there is no route to the VM.  

Now since this machine does not have an external IP address, traditionally what you would do is establish a VPN connection to the internal network.  You could also do something else like maybe set up a Bastion host.  But I want to be able to directly connect to the machine without needing any extra steps or hops.  Let me show you how to do that using IAP.

The tools to accomplish this can be found by searching for “BeyondCorp Enterprise”.  BeyondCorp covers several different features, so when you go to this page, you won’t actually be able to change anything.  Instead this is primarily used to provide information, tutorials, and links to other pages.  If you are interested in upgrading to the Premium features, you can click here to see the list of differences.  And if you want to go ahead and pay for the upgrade, here is a link to help you sign up.

Now if I scroll down a little you will see there are also a number of tutorials.  The tutorials are broken up into two main sections.  The first is dedicated to securing your resources with IAP.  And the second section is about creating and applying access levels.  In this demo I am going to run through both.  However, I am not going to cover securing web apps.  Nor am I going to cover filtering by device attributes.  If you are interested in either of these, you can run through the tutorials here.

First, I am going to show you how to secure SSH access to a VM.  In order to do that, I need to click on the “Identity-Aware Proxy” option in the side menu here.  The API for this feature is not enabled by default, so I need to enable it.  

Now on this screen, I can choose between securing HTTPS resources or SSH and TCP resources.  You can see for HTTPS resources you need to configure a consent screen.  This would include things running behind an HTTPS load balancer like a website.  Luckily I don’t need to do that for this example.  I just need to click on the SSH tab.

Once you click on the tab you will see all the available resources.  I just have this single VM.  Notice there is a warning message.  Before I proceed, I should probably try to fix that.  The problem appears to be that I need to add a firewall rule to explicitly allow IAP to connect to the VM.  Now IAP can’t work if the firewall is blocking it, so let me show you how to create the appropriate rule.

First, I need to click on “Edit Firewall”.  And notice the link took me directly to the appropriate ruleset.  So now I can just click on “Create Firewall Rule”, and enter the appropriate information.  I am going to call this rule “default-allow-iap”.  And it looks like the correct network is already selected, so I don’t need to change that.  I’m also going to leave the priority alone since that looks fine.  I do need to select a target.  In this case, I’m going to pick “All instances in the network” so this rule will cover all VMs.  If I only wanted this to work for certain VMs, I would either need to filter by IP range or by tag.  And now I just need to pick the source filters.  Luckily, I was given the information on the previous page so I can copy and paste the IP range here.  And it said IAP was going to use the TCP protocol, so I can enable that here.  And that is it.  So this new firewall rule will ensure that the IAP service can reach the VM.

Let me refresh the page and verify that it worked.  Ok, it looks like it did.  Remember before you can start using IAP, you will probably need to enable the API and add a firewall rule.

So now, I can pick the resources I want to share with IAP and look at the current settings.  Here you can see that there are currently two accounts already set up to use IAP to connect to this VM.  Now this first one is my main account.  This is why I was already able to connect via SSH.  Owner accounts automatically inherit the IAP permission.

So that is great for owners, but what about for all the other accounts?  If I want to add my “demo user” account here it is really very simple.  I have to click on “Add Principal”, paste in the email for that account, and then pick an appropriate role.  Now I have a few options available.  I could make my “demo user” an owner, but that would be giving way too many permissions for just using IAP.  Instead, a more appropriate option would be this “IAP-secured Tunnel User”.  Now that gives me just enough permission to use IAP and nothing else.

So when I click “Save” my “demo user” account will be able to connect to the VM using a tunnel provided by the Identity-Aware Proxy.  So you can see I have three users now who should be able to connect.  The two owner accounts, and my new “demo user” account.  Let’s verify that the “demo user” account works.

Now I have noticed that simply refreshing the page does not seem to be enough.  I need to actually leave the Compute Engine screen and then come back.  And now you see that I can click on the SSH button.  And here you see it does indeed connect.
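The same setup from the command line, as an added example that is not part of the lesson: it enables the IAP API, adds the firewall rule for the IAP range, grants the “IAP-secured Tunnel User” role on the one VM, and opens the tunnelled SSH session. PROJECT_ID, ZONE and DEMO_USER are placeholders; “private-vm1” is the lesson’s VM; DRY_RUN=1 (the default) prints each gcloud command instead of running it.

```shell
#!/usr/bin/env bash
# Added example, not from the lesson: gcloud equivalent of the console steps.
# PROJECT_ID, ZONE and DEMO_USER are placeholders; "private-vm1" is the
# lesson's VM. DRY_RUN=1 (the default) prints each command instead of running
# it, so the script can be read and checked offline.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"        # placeholder
ZONE="${ZONE:-us-central1-a}"                    # placeholder
VM_NAME="private-vm1"
DEMO_USER="${DEMO_USER:-demo-user@example.com}"  # placeholder
# Google's published source range for IAP TCP forwarding; this is the range
# the console's warning gives you to copy.
IAP_TCP_RANGE="35.235.240.0/20"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# 1. The IAP API is off by default.
enable_iap_api() {
  run gcloud services enable iap.googleapis.com --project "$PROJECT_ID"
}

# 2. Let only the IAP range reach port 22, not the whole internet. The lesson
#    targets every instance in the network; add --target-tags to scope it.
create_iap_firewall_rule() {
  run gcloud compute firewall-rules create default-allow-iap \
    --project "$PROJECT_ID" --network default --direction INGRESS \
    --allow tcp:22 --source-ranges "$IAP_TCP_RANGE"
}

# 3. Least privilege: "IAP-secured Tunnel User" on this one VM only, rather
#    than Owner on the whole project.
grant_tunnel_user() {
  run gcloud iap tunnel add-iam-policy-binding "$VM_NAME" \
    --project "$PROJECT_ID" --zone "$ZONE" \
    --member "user:$DEMO_USER" --role roles/iap.tunnelResourceAccessor
}

# 4. With no external IP, gcloud tunnels the SSH session through IAP.
ssh_via_iap() {
  run gcloud compute ssh "$VM_NAME" --project "$PROJECT_ID" --zone "$ZONE" \
    --tunnel-through-iap
}

if [ "${1:-}" = "apply" ]; then
  enable_iap_api; create_iap_firewall_rule; grant_tunnel_user; ssh_via_iap
fi
```

Run it as `DRY_RUN=0 ./iap-ssh.sh apply` once the placeholders are set for your project.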

So using IAP to grant secure access to internal resources is actually very simple.  I think it’s much easier and faster than trying to configure a VPN.  Now you know how to use IAP, but there is one more thing I want to show you.  Let’s next look at creating some access level restrictions.  These will allow you to further lock access down and make things even more secure.

So to do that, I am going to click on “Access Context Manager” in the side menu here.  Policies are not managed on a project level, so I have to switch to the organization level.  And now I can start creating new access policies.  The first step is to click on the “New” button here at the top.  And now you can see that I can start adding extra filters.  I can block access from certain IP ranges or regions.  I can also block access based on devices used or other things as well.

Let’s say all employees physically reside in Switzerland.  And therefore I want to block access to the IAP for anyone connecting from any other country.  I can do that by picking Switzerland here.  I can also pick more countries as well.  Let’s say one of my employees was going to travel to Japan and I needed to allow access from there as well.  I can easily add Japan this way.  So using this option you can add or block as many countries as you want.  And you can also use this switch here to toggle between using a white list or a black list.

Now you are not just limited to regions.  You can also block or allow access by IP address range.  If you wanted to do something like say, people have to connect from the IP range, I can do that.  And of course I can add more ranges if I want.  

So now in this case, an employee would need to be connecting from either Switzerland or Japan and they would also need to have an IP address in one of these two ranges.  This seems a bit overkill, so I am going to go ahead and drop the IP restrictions for this demo and we will just leave the country restrictions.  But you can see that you can make things really open or really restrictive, whatever you need.

So to save this, I have to give it a name.  And now that I have created it, I need to actually apply it to see it working.  So let me go back to IAP.  I’ll open up the settings for “private-vm1” and then I’ll click the edit button on my “demo user” here.  To apply this access level, I have to click on the “Add condition” button here.  And then I need to select a condition type of “Access level”.  And now I can pick the new access level that I previously created.

So this is going to allow my “demo user” to connect to this VM but only as long as the user is connecting from an allowed region.  If I wanted to, I could enforce multiple access levels by using this option.  So now it’s time to save this.  I need to give it a name and click “Save”.  And then I need to click “save” again.

So let’s go ahead and verify that this “country-rule” condition is being applied. Now since I am currently not in either Switzerland or Japan, this should effectively block my access.  Now you can see that I can still click on the button, but it does block me because I am currently in the United States.
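The access level part from the command line, as an added example that is not part of the lesson: it writes the basic-level spec allowing Switzerland and Japan, creates the level in Access Context Manager, and re-grants the tunnel role with an IAM condition tied to that level. POLICY_ID, PROJECT_ID, ZONE and DEMO_USER are placeholders; the spec comments also explain why combining regions and IP ranges in one condition made the lesson’s rule stricter.

```shell
#!/usr/bin/env bash
# Added example, not from the lesson: gcloud equivalent of the Access Context
# Manager steps. POLICY_ID, PROJECT_ID, ZONE and DEMO_USER are placeholders;
# "private-vm1" is the lesson's VM. DRY_RUN=1 (default) only prints commands.
set -eu

POLICY_ID="${POLICY_ID:-000000000000}"           # placeholder: org access policy number
PROJECT_ID="${PROJECT_ID:-my-project-id}"        # placeholder
ZONE="${ZONE:-us-central1-a}"                    # placeholder
VM_NAME="private-vm1"
DEMO_USER="${DEMO_USER:-demo-user@example.com}"  # placeholder
LEVEL_ID="country_rule"   # level IDs allow letters, digits and underscores only
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Spec in the format --basic-level-spec expects. Values under one attribute are
# ORed (Switzerland OR Japan); attributes inside one condition are ANDed, which
# is why adding an ipSubnetworks list next to the regions made the lesson's
# rule require both. Country codes are ISO 3166-1 alpha-2.
write_level_spec() {   # $1 = output file, remaining args = country codes
  local out="$1"; shift
  {
    echo "- regions:"
    for cc in "$@"; do echo "  - $cc"; done
  } > "$out"
  echo "$out"
}

create_access_level() {
  local spec; spec="$(write_level_spec "$(mktemp)" CH JP)"
  run gcloud access-context-manager levels create "$LEVEL_ID" \
    --policy "$POLICY_ID" --title "country-rule" --basic-level-spec "$spec"
}

# IAM condition (CEL) that holds only when the caller satisfies the level;
# the same role as before, now gated on it instead of unconditional.
level_condition() {
  printf 'expression="accessPolicies/%s/accessLevels/%s" in request.auth.access_levels,title=%s' \
    "$POLICY_ID" "$LEVEL_ID" "$LEVEL_ID"
}
grant_conditional_tunnel_user() {
  run gcloud iap tunnel add-iam-policy-binding "$VM_NAME" \
    --project "$PROJECT_ID" --zone "$ZONE" \
    --member "user:$DEMO_USER" --role roles/iap.tunnelResourceAccessor \
    --condition "$(level_condition)"
}

if [ "${1:-}" = "apply" ]; then create_access_level; grant_conditional_tunnel_user; fi
```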

That is how you can protect your GCP resources using the Identity-Aware Proxy.  I just showed you how to protect a virtual machine, but you can protect other resources as well.  And if you upgrade to Enterprise, those resources can even be hosted outside of GCP.  

I also showed you how to add access level restrictions.  You can block access by IP address or region, and you can block by browser type or device type.  There are a whole range of options available, so you should spend some time exploring on your own.

About the Author

Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.

Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.

When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.