Problem of setting IAP connector for on-premise apps


I'm trying to use this guide to protect my on-premise app with Google Identity-Aware Proxy.

I have an on-premise web app, which is simulated on a GCP VM that is accessible through {public_ip}/scada. What I need to achieve is to enable IAP to protect it.

As long as I have to deploy and configure the IAP connector, I need to specify source and destination, as referred to in the link and image.

What I don't get so far is what to put as source (entry point on the IAP connector) and destination (here maybe I need to buy a domain and link the public IP of the VM).

What can I do to configure the source? Do I need to buy another domain and reserve a static IP to use?

Thanks for helping.

iap connector config


There are 1 best solutions below


Per the docs you referenced above:

routing.mapping.source: The URL of requests coming to Google Cloud. This URL is where traffic enters the environment.

routing.mapping.destination: The URL for the on-premises app to which IAP routes traffic after a user has been authorized and authenticated. IAP routes traffic to this URL using TLS and the application hosted there is required to provide an HTTPS endpoint.

That doc links to an additional help file which may be, well, helpful: https://cloud.google.com/iap/docs/cloud-iap-for-on-prem-apps-overview#routing_rules

It has an example that shows actual FQDNs rather than IP addresses. It sounds like you're thinking about this from a purely IP routing standpoint, rather than a business standpoint (e.g. "we want all traffic that's going to www.mydomain.com to just go to mydomain.com").
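A sketch of how the two fields quoted in the answer could look for the app in the question, added here as an illustration and not taken from the original post or from Google's documentation. The key nesting is assumed from the dotted names `routing.mapping.source` and `routing.mapping.destination`; the `name` values and all hostnames are constructed placeholders.

```yaml
# Added illustration; nesting assumed from the dotted key names in the answer.
# All hostnames and both "name" values are constructed placeholders.
routing:
  - name: scada                  # assumed label for this app's routing rule
    mapping:
      - name: host               # assumed label for this mapping entry
        # Where traffic enters Google Cloud: the hostname users browse to.
        source: scada.example.com
        # The on-premises app that IAP forwards to once the user has been
        # authenticated and authorized. IAP connects over TLS, so this host
        # must serve HTTPS.
        destination: scada-internal.example.com
```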