Objectives
In this tutorial, you'll learn about the following:
- Creating a Compute Engine instance template and managed instance group (MIG).
- Getting a domain name and certificate.
- Creating an HTTPS load balancer with a certificate.
- Enabling IAP.
- Testing that IAP is working.
Costs
This tutorial uses billable components of Google Cloud, including:
- Compute Engine
- 4 Virtual Machines (VM)
 
- Networking
- Global Load Balancer Forwarding Rule
- Ingress Traffic
 
For an estimate of cost based on projected usage, see this Pricing Calculator.
Before you begin
Before you start this tutorial, you'll need the following:
- Select or create a Google Cloud project. 
 GO TO THE PROJECTS PAGE
- Enable billing for your project. Read about how to Modify a project's billing settings 
Step 1: Create a Compute Engine template
In the Google Cloud console, go to the Compute Engine > Create an instance template page and select the project in which you want to create a template.
GO TO THE CREATE AN INSTANCE TEMPLATE PAGE
Use the default values except for the following:
- Machine type:
- micro (f1-micro)
 
- Access scopes:
- Set access for each API
- Compute Engine: Read Only
 
- Firewall:
- Allow HTTP traffic
 
- In the Management section, under Automation > Startup script, copy and paste the following script:
When you're finished updating values, click Create to create the template.
Step 2: Create a Managed Instance Group
In the Google Cloud console, go to the Compute Engine > Create a new instance group page and select the project in which you want to create a Managed Instance Group.
GO TO THE CREATE AN INSTANCE GROUP PAGE
Use the default values except for the following:
- Name: my-managed-instance-group
- Location: Multi-zone
- Instance template: Select the instance template you created in Step 1
- Number of instances: To change the number of instances, you must first turn off autoscaling.
- Autoscaling mode: Don't autoscale
- Health check: select Create a health check, then enter the following values: - Name: my-health-check
- Protocol: HTTP
 - Use your new health check by clicking Save and continue. 
When you're finished updating values, click Create to create the Managed Instance Group (MIG).
Step 3: Get a domain name and certificate
To use the Load Balancer with HTTPS traffic, you'll need a domain name and a signed certificate. You can register a domain on Google Domains, or use the domain registrar of your choice. Register your domain before you continue this guide.
Set up your certificate
Create a certificate that identifies your website to your users. For information about how to create a certificate, see Using Google-managed SSL certificates.
Your CA has to verify that you own the domain name you registered. In the steps below, you'll create a VM to authenticate your domain with the CA.
Create a VM to authenticate your domain ownership
In the Google Cloud console, go to the Compute Engine > Create an instance page.
GO TO THE CREATE AN INSTANCE PAGE
Use the default values except for the following:
- Name: certbot-vm
- Machine type: micro (f1-micro)
- Access scopes:
- Set access for each API
- Compute Engine: Read/Write
 
- Boot disk image:
- Debian GNU/Linux 9 (stretch)
 
- Firewall:
- Allow HTTP traffic
- Allow HTTPS traffic
 
When you're finished updating values, click Create to create the VM instance. Note the External IP address of the VM you just created. You'll need it in the next step.
Set up your domain to point to the VM
To set up your domain to point to the VM, follow the steps below to configure A records:
- Sign in to your domain's account at your domain host.
- Find the page to update your domain's DNS records. This page might be called something like "DNS Management," "Name Server Management," or "Advanced Settings."
- Change your A records to the following values:
- Name/Host/Alias: @
- Value: the External IP address of the VM you created to authenticate your domain ownership above.
- TTL: the default for your registrar, or 86400 (one day).
 
- Wait for the DNS record to update. It can take up to one day for the record you added to propagate.
To learn more, see About A records.
Test your server
To test that your server is working correctly, follow the steps below:
- In the Google Cloud console, go to the Compute Engine > VM Instances page. 
 GO TO THE VM INSTANCES PAGE
- Under Connect for certbot-vm, click SSH. 
- Run the following commands to run a small web server on your VM: - mkdir web cd web echo "Hello" > index.html sudo busybox httpd -v -f
- In a web browser, go to the domain name you registered earlier. Your web browser should display - Hello, and your SSH session should display a message that contains- ... response:200. If not, wait a few minutes, then repeat this step.
- After the test is successful, press Ctrl+C to stop the web server. 
Create a certificate
To create a certificate, register with Let's Encrypt by running the following commands on the VM where YOUR_DOMAIN is your domain name, not including protocol:
sudo pkill busybox sudo apt-get install -y certbot sudo certbot certonly --standalone -d YOUR-DOMAIN
During this process, Let's Encrypt may request an email address so it can send a reminder when your certificate is going to expire (by default, 3 months after it's issued). You must also agree to the Terms of Service set by Let's Encrypt.
When you're successfully registered, you should see a message that reads
Congratulations! Your certificate and chain have been saved at...
Add the certificate to your project
To add the certificate to your project, run the following commands on the VM:
sudo su cd /etc/letsencrypt/live/YOUR_DOMAIN gcloud compute ssl-certificates create my-cert --certificate=fullchain.pem --private-key=privkey.pem
After you've successfully created your certificate, you should see a message
that's similar to: Created
[https://www.googleapis.com/compute/v1/projects/example-project/global/sslCertificates/my-cert]
Before you continue, close the SSH session.
Step 4: Create a load balancer
Before you start this step, make sure you closed the SSH session you started in the previous step. When you're ready, follow the steps below to create a load balancer:
- In the Google Cloud console, go to the Network Services > Create a load balancer page and select the project for which you want to create a load balancer. 
 GO TO THE CREATE A LOAD BALANCER PAGE
- Under HTTP(S) Load Balancing, click Start configuration. 
- Select From Internet to my VMs. 
- On the New external Application Load Balancer page that appears, enter a Name for your load balancer. 
- Click Backend configuration. 
- Under Backend services & backend buckets, select Create a backend service. 
- Add a name for your backend service, such as - my-backend-service.
 
- Go to the Security section, and then select Enable IAP to secure access to your applications. - Cloud CDN and IAP are not compatible. If you have Cloud CDN enabled and you select to enable IAP, Cloud CDN is automatically disabled. 
- Click Create. The Load balancing page appears and your new load balancer will be created in the list of load balancers. 
- After the Google Cloud console finishes creating the new load balancer, click the name of the load balancer and note the external IP address under Details > Frontend. You will need it in the next step. 
Set up your domain to point to the load balancer
To set up your domain to point to the load balancer, configure A records by following the steps below:
- Sign in to your domain's account at your domain host.
- Find the page to update your domain's DNS records. This page might be called something like "DNS Management," "Name Server Management," or "Advanced Settings."
- Change your A records to the following values:
- Name/Host/Alias: @
- Value: the external IP address of the load balancer you created
above. Don't include the port :443in your DNS record.
- TTL: the default for your registrar, or 86400 (one day).
 
- Wait for the DNS record to update. It can take up to a day for the record you just added to propagate.
- To test the load balancer, use a web browser to go to your domain with an
 https://protocol.- If the load balancer isn't set up yet, you'll see "HTTP 502" errors.
- When the load balancer is ready, you'll see "Unauthorized request."
 
To learn more, see About A records.
Restart your VMs
To correctly authenticate requests from IAP, you must restart the VMs in your MIG by following the steps below:
- In the Google Cloud console, go to the
 Compute Engine > Instance groups page.
 
 GO TO THE INSTANCE GROUPS PAGE
- Click my-managed-instance-group.
- On the top of the instance group details that appear, click Rolling Restart/Replace.
- On the Restart/replace instances of my-managed-instance-group page that
 appears, set the following values:
- Operation: Restart
- Maximum unavailable: 3 instances out of 3 instances
- Minimum wait time: 0 s
 
- When you're finished updating values, click Restart.
Step 5: Set up IAP
Configure your firewall
Next, you'll configure your firewall to block access to the underlying VMs and only allow access through IAP:
- Go to the Google Cloud console
 VPC network > Firewall rules.
 
 GO TO THE FIREWALL RULES PAGE
- Select the checkbox next to the following rules:
- default-allow-http
- default-allow-https
- default-allow-internal
 
- Click Delete.
- Click Create firewall rule and set the following values:
- Name: allow-iap-traffic
- Targets: All instances in the network
- Source IP ranges (press Enter after you paste each value
in the box). The IP ranges are allowlisted because it is a prerequisite
for load balancer communication to backends.
- 130.211.0.0/22
- 35.191.0.0/16
 
- Protocols and ports:
- Specified protocols and ports
- tcp:80
 
 
- When you're finished updating values, click Create.
Set up IAP
To set up IAP for your project, follow the steps below:
- In the Google Cloud console, go to the
 Security > Identity-Aware Proxy
 page and select the project for which you want to enable IAP.
 
 GO TO THE IDENTITY-AWARE PROXY PAGE
- If you haven't configured your project's OAuth consent screen, you'll be prompted to do so: - 
    Go to the OAuth consent screen.
    
 Configure consent screen
- Under Support email, select the email address you want to display as a public contact. The email address must belong to the currently logged in user account or to a Google Group for which the currently logged in user is a manager or owner.
- Enter the Application name you want to display.
- Add any optional details you'd like.
- Click Save.
 - To change information on the OAuth consent screen later, such as the product name or email address, repeat the preceding steps to configure the consent screen. 
- 
    Go to the OAuth consent screen.
    
- Next to my-backend-service, 
- In the Turn on IAP window that appears, select the checkbox next to "I have read the configuration requirements and configured my Compute Engine resource according to documentation." 
- Click Turn on. 
Add principals to the access list
Next, you'll add principals to the IAP access list for your project.
- On the IAM & admin > Identity-Aware Proxy right side Access section, click Add.
- Enter the principals you'd like to give access to, including yourself, and
 assign the principals the IAP-secured Web App User role. Principals can be:
- Google Accounts: user@gmail.com
- Google Groups: admins@googlegroups.com
- Service accounts: server@example.gserviceaccount.com
- Google Workspace domains: example.com
 
Step 6: Test IAP
To test that IAP is working correctly, follow the steps below:
- In your web browser, navigate to your domain.
- If you see "Unauthorized request", try again in a few minutes.
 
- When you see a Google sign-in screen, sign in using the Google Account you gave access to in the previous step.
- You should see a message like "Hi, user@example.com. I am my-managed-instance-group-29z6."
- Try refreshing the page. Your browser should show the names of the 3 machines in your managed instance group. This is the load balancer distributing traffic across the VMs in the group.
Congratulations! You've successfully enabled a load-balanced service using IAP.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
After you've finished setting up IAP for Compute Engine, you can clean up the resources you created on Google Cloud so you won't be billed for them in the future. The following sections describe how to delete or turn off these resources.
Deleting the project
The easiest way to eliminate billing is to delete the project that you created for the tutorial.
To delete the project:
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Deleting instances
To delete a Compute Engine instance:
- In the Google Cloud console, go to the VM instances page.
- Select the checkbox for the instance that you want to delete.
- To delete the instance, click More actions, click Delete, and then follow the instructions.
Deleting firewall rules for the default network
To delete a firewall rule:
- In the Google Cloud console, go to the Firewall page.
- Select the checkbox for the firewall rule that you want to delete.
- To delete the firewall rule, click Delete.
What's next
- Try modifying the example app we used in this tutorial to serve other data.
- Read the Best Practices to understand how to write your own apps and secure them with IAP.