Skip to content
hands-on lab

Creating a Central Authorization Layer using Cloud IAP

Intermediate
Up to 45m
91
5/5
Start lab
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.
Lab description

In this lab, you will be securing your application using Cloud Identity Aware Proxy. You will first create a simple Python application that you will deploy on the App Engine and then you will enable Cloud IAP to create a Central Authorization Layer.

What is Cloud Identity-Aware Proxy?

Cloud IAP establishes a central authorization layer for an application accessed on a browser. IAP has resolved problems like direct endpoint access. To avoid such cases, IAP is used. When users try to access the endpoint URL, a prompt will appear for Google Sign In, if you are in the allowed member list, you will be able to access otherwise you will get an access denied error.

It is done at the application layer. If your application is on-premise, IAP Connector can be used.

Drawbacks

  • Internal traffic inside VM/GAE/GKE can bypass IAP.
  • If you are using a third-party CDN, cached content might be served to unauthorized users.

Learning Objectives

Upon completion of this lab you will be able to:

  • Secure your applications by allowing URL access only for trusted members.
  • Providing application-level security instead of network-level security.
  • Authenticate and authorize application users with OAuth.

Intended Audience

This lab is intended for:

  • Software Developers
  • Network Engineers
  • Security Engineers

Prerequisites

You should possess:

  • A basic understanding of HTML, CSS, and Python

Updates

March 10th, 2023 - Updated the command for outputting the URL for the web application

Environment before
Environment after
About the author
Avatar
Logan Rakai, opens in a new tab
Lead Content Developer - Labs
Students
216,335
Labs
223
Courses
9
Learning paths
56

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.

LinkedIn, Twitter, GitHub

Covered topics
Serverless
Identity and Access Management
Networking
Development
Security
Compute
Google Cloud Platform
Networking for Google
Security for Google
Compute for Google
Development for Google
Cloud Identity-Aware Proxy
App Engine
Lab steps
Signing In to the Google Cloud Console
Creating a Client Application for Google Authentication
Creating and Deploying the Web Application to the App Engine
Configuring the Cloud IAP and Testing the Application