Brief product summary

Google’s Identity-Aware Proxy (IAP) realizes part of the premise as set out in their original BeyondCorp paper. Part of the Google Cloud Platform bundle, Google’s IAP aims to improve an organization’s security posture through enforced access-control policies. The service eliminates the need for a VPN by providing access for cloud administrators and remote workers.

| | Google IAP | Pomerium |
|---|---|---|
| Context-aware gateway | | |
| Device identity | Yes, using Chrome Enterprise. | Yes, with WebAuthn. |
| Supports any cloud or infrastructure | Only GCP is supported unless you want to configure site-to-site VPNs (yes, really). | Deployed at edge wherever your apps and servers are. |
| Data tenancy & privacy | Expansion of information boundary. | You have full control over your data and information. |
| Continuous verification | | |
| Identity Provider Support | | Any identity provider |
| Authorization Policy | Only simple access rules are supported. | Declarative policy and policy as code are supported. |
| TCP Protocol Support | | |
| Latency | Good. Google has a massive globally distributed network of edge servers. However, the additional hops still add latency, especially if you are split between on-prem and multi-cloud. | Best. No additional latency or bandwidth costs are incurred. Pomerium is deployed directly where your apps and services actually live. |
| Layer | 7 | 7 |
| Open Source | | |

Our Recommendation

IAP is a reverse proxy that receives first-class treatment and integration with GCP and other Google tools. You may consider using Google’s IAP if you are fully integrated with GCP and have no plans to ever deviate from Google’s ecosystem.

If you want to support a hybrid infrastructure or utilize other clouds (such as AWS or Azure) you will want to use Pomerium to avoid bandwidth and latency costs.

Use Cases

  • Who are you and what do you want? — Google IAP provides authentication and access control for web applications and cloud resources.

Strengths

  • Two paths well traveled — Like Pomerium, Google IAP supports both HTTP and TCP based services like SSH and RDP.
  • All in the family — Being a Google product, IAP is easy to integrate with other Google Cloud Platform services and tools. In fact, if you are already fully vendor-locked and have no plans to stray from the GCP ecosystem in the future, IAP may be a good solution.
  • All on the tin — Being the origin of the BeyondCorp papers, Google’s IAP is designed to fulfill most of those tenets.

Weaknesses

  • Wizard required — Additional configuration and maintenance are required to use IAP with multi-cloud apps.
  • All that for a VPN tunnel? — To support other clouds (such as Azure or AWS) or on-prem infrastructure, you will need to subject your infrastructure to a VPN to make IAP work. This makes you backhaul data with a site-to-site VPN.
  • Not deployed at edge — Depending on your architecture, you may incur hidden latency and bandwidth costs when using Google’s IAP to secure applications and services not in the GCP ecosystem.
  • Poor authorization logic — Google IAP is limited to very simple access policies.
