IAP connector not routing request to on-prem. "No healthy upstream"


I'm trying to set up Identity Aware Proxy for my backend services, parts of which reside in GCP and others on-prem, according to the instructions given in the following links: Enabling IAP for on-premises apps and Overview of IAP for on-premises apps.

After following the guide I ended up in a partial state where the services running on GCP and serving at an https endpoint are perfectly accessible via IAP. However, the app running on-prem is not reachable through the pods* or the external load balancer*.

Current Architecture followed:


Steps Followed

On GCP project

  • Created a VPC network in a region with one subnet (asia-southeast1 in my case)

  • Used the IAP connector https://github.com/GoogleCloudPlatform/iap-connector

  • Configured the mapping for 2 domains:

    For the app in GCP

      • source: gcp.domain.com

      • destination: app1.domain.com (serving at an https endpoint)

    For the app on-prem (another GCP project)

      • source: onprem.domain.com

      • destination: app2.domain.com (serving at an https endpoint but not exposed to the internet)

  • Configured a VPN tunnel between both projects so the networks get peered

  • Enabled IAP for the load balancer created by the deployment

  • Added the corresponding accounts with the IAP web user role to allow access to the services

On-prem

  • Created a VPC network in a region with one subnet (asia-southeast1)

  • Created a VM on that VPC in that region

  • Assigned that VM to an instance group

  • Created an internal HTTPS load balancer and chose the instance group as backend

  • Secured the load balancer's HTTP with SSL

  • Set up a VPN tunnel to the first project

What have I tried?

  • Logged in to pods and pinged different pods. All pods were reachable.
  • Logged in to nodes and pinged the remote VM on ports 80 and 443; both are reachable.
  • Pinged the remote VM from inside the pods. Not reachable.

Expected Behaviour:

  • The user requests the load balancer at app1.domain.com; IAP authenticates and authorizes the user with OAuth and grants access to the web app.
  • The user requests the load balancer at app2.domain.com; IAP authenticates and authorizes the user with OAuth and grants access to the web app running on-prem.

Actual Behaviour

  • A request to app1.domain.com prompts the OAuth screen; after authenticating, the website is returned to the user.
  • A request to app2.domain.com prompts the OAuth screen; after authenticating, the browser returns 503 - "No healthy upstream".

Note:

  • I am using a separate GCP project to simulate on-premise.
  • Both projects are peered via a VPN tunnel.
  • Both peered projects have subnets in the same region.
  • I have used an internal HTTPS load balancer in my on-prem project to make my VM visible in my host project, so that the external load balancer can route requests to the VM's https endpoint.

** I suspect that if the pods could reach the remote VM, the problem might be resolved as well. It's just a wild guess.

Thank you so much guys. I'm looking forward to your responses.


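The observation worth pinning down in the question above is the asymmetry: nodes can reach the remote VM but pods cannot, and the connector (an Ambassador/Envoy proxy running in those pods) then reports 503 "No healthy upstream", which is Envoy's message when its upstream cluster has no endpoint it can talk to. A flow from a pod crosses the tunnel with the pod's own IP as source in GKE's default masquerade configuration (RFC 1918 destinations are not masqueraded), so the far side needs a return route for the pod secondary range and a firewall rule that admits it, not just for the node subnet. The following is an added example, not code from the question or from the iap-connector project: it walks the three things such a flow needs (forward route, ingress allow on the far side, return route to the source) over a constructed two-VPC topology whose addresses, ranges and rule sets are made up to mirror the layout described, and shows how the node path can pass while the pod path fails on the last two checks. Whether that is the actual cause in the asker's projects is an assumption the script exists to test, not a finding.

```python
"""Route/firewall walk for a TCP flow crossing a Cloud VPN between two VPCs.

Constructed example: every address, range and rule below is made up to mirror
the question's layout (GKE pods in project A, a VM behind an internal HTTPS
load balancer in project B). Nothing here comes from the original post.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination CIDR
    next_hop: str    # "subnet" for a local subnet route, or the VPN tunnel name


@dataclass(frozen=True)
class IngressRule:
    source_ranges: tuple  # CIDRs admitted as packet source
    protocol: str
    ports: tuple


@dataclass
class Vpc:
    name: str
    routes: list
    ingress_rules: list


def lookup_route(vpc, ip):
    """Longest-prefix match over the VPC route table; None means the packet is dropped."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for route in vpc.routes:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def ingress_allowed(vpc, src_ip, protocol, port):
    """True if some ingress rule in the destination VPC admits this source/protocol/port."""
    addr = ipaddress.ip_address(src_ip)
    for rule in vpc.ingress_rules:
        if rule.protocol != protocol or port not in rule.ports:
            continue
        if any(addr in ipaddress.ip_network(rng) for rng in rule.source_ranges):
            return True
    return False


def trace(src_vpc, dst_vpc, src_ip, dst_ip, port, protocol="tcp"):
    """Check the three things a TCP flow needs across the tunnel: a forward route,
    an ingress allow on the far side, and a return route back to the *source* IP.
    Returns (reachable, checks) where checks is a list of (description, ok)."""
    checks = [
        (f"{src_vpc.name}: route to {dst_ip}", lookup_route(src_vpc, dst_ip) is not None),
        (f"{dst_vpc.name}: ingress {protocol}/{port} from {src_ip}",
         ingress_allowed(dst_vpc, src_ip, protocol, port)),
        (f"{dst_vpc.name}: return route to {src_ip}", lookup_route(dst_vpc, src_ip) is not None),
    ]
    return all(ok for _, ok in checks), checks


# --- constructed topology (hypothetical values) --------------------------------
NODE_RANGE = "10.10.0.0/24"    # GKE node subnet (primary range) in project A
POD_RANGE = "10.20.0.0/16"     # GKE pod secondary range in project A
ONPREM_RANGE = "10.30.0.0/24"  # subnet holding the VM and the internal LB in project B
NODE_IP, POD_IP, ILB_IP = "10.10.0.7", "10.20.3.15", "10.30.0.10"


def build_topology(advertise_pod_range):
    """Project B only learns the ranges A advertises over the tunnel and only admits
    the ranges listed in its firewall; the flag toggles whether the pod range is among them."""
    learned = [NODE_RANGE] + ([POD_RANGE] if advertise_pod_range else [])
    project_a = Vpc("project-a",
                    routes=[Route(NODE_RANGE, "subnet"), Route(POD_RANGE, "subnet"),
                            Route(ONPREM_RANGE, "vpn-to-b")],
                    ingress_rules=[])
    project_b = Vpc("project-b",
                    routes=[Route(ONPREM_RANGE, "subnet")] + [Route(p, "vpn-to-a") for p in learned],
                    ingress_rules=[IngressRule(tuple(learned), "tcp", (80, 443))])
    return project_a, project_b


def diagnose(advertise_pod_range=False):
    """Reachability of the internal LB's HTTPS port from a node and from a pod."""
    a, b = build_topology(advertise_pod_range)
    node_ok, _ = trace(a, b, NODE_IP, ILB_IP, 443)
    pod_ok, pod_checks = trace(a, b, POD_IP, ILB_IP, 443)
    return {"node": node_ok, "pod": pod_ok, "pod_checks": pod_checks}


if __name__ == "__main__":
    for label, result in (("as found", diagnose(False)),
                          ("pod range advertised and allowed", diagnose(True))):
        print(f"[{label}] node->ILB: {result['node']}  pod->ILB: {result['pod']}")
        for desc, ok in result["pod_checks"]:
            print("    ", "ok  " if ok else "FAIL", desc)
```

Run it as-is and the "as found" pass reproduces the question's symptom (node reachable, pod not) with the failing checks named; the second pass shows the same walk once the pod range is both advertised over the tunnel and listed in the far-side firewall. The two remedies the model encodes are the usual ones for this shape of problem: advertise the secondary range (or a summary covering it) across the VPN and allow it on the far side, or have the pod traffic masquerade to the node IP so the existing node-range routes and rules cover it. The real values to feed in come from the projects' route tables, Cloud Router advertisements and firewall rules, which this constructed topology only stands in for.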