Our Recommendation
IAP is Google's managed reverse proxy, tightly integrated with Cloud IAM, Cloud Load Balancing and the rest of GCP. It is a reasonable choice if your applications and identities already live entirely in GCP and you do not expect that to change.
If you run a hybrid infrastructure or other clouds (such as AWS or Azure), Pomerium lets you place the proxy next to the application rather than routing every request through GCP, which avoids the bandwidth and latency cost of backhauling traffic.
Use Cases
- Who are you and what do you want? — Google IAP authenticates users and enforces access control in front of web applications and GCP resources, so the application itself does not have to.
Strengths
- Two paths well traveled — Like Pomerium, Google IAP fronts both HTTP applications and TCP-based services such as SSH and RDP (via IAP TCP forwarding, which tunnels the connection through Google).
- All in the family — Being a Google product, IAP integrates easily with other Google Cloud Platform services and tools. If you are already committed to GCP and have no plans to leave its ecosystem, IAP may be a good fit.
- All on the tin — Google wrote the BeyondCorp papers, and IAP is its productized implementation of them; it is designed to satisfy most of those tenets out of the box.
Weaknesses
- Wizard required — Using IAP with applications outside GCP (multi-cloud or on-prem) takes additional configuration and ongoing maintenance.
- All that for a VPN tunnel? — To protect services in other clouds (such as Azure or AWS) or on-prem, you must connect that infrastructure to your GCP network with a site-to-site VPN (or a dedicated interconnect) so that IAP can reach it. Every request is then backhauled through GCP and over that tunnel to the backend.
- Not deployed at edge — IAP terminates at Google's edge, so a request to an application outside GCP traverses Google's network and your VPN before reaching the backend. Depending on your architecture this adds latency and egress bandwidth costs that a proxy colocated with the application would not incur.
- Limited authorization logic — IAP grants access by binding identities to an IAM role (roles/iap.httpsResourceAccessor) on a backend service or app, so one policy applies to everything that backend serves. Finer-grained context (device posture, network origin) requires Access Context Manager access levels on top, and per-path, per-method or claim-based rules are not expressible in IAP itself.
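To make the authorization and topology points concrete, the following Pomerium route configuration is an added example, not taken from the original page or from Pomerium's own documentation. Hostnames, group names, claim names and backend addresses are hypothetical, and the identity-provider settings (idp_provider, idp_client_id and so on) are omitted. It shows three things IAP cannot express with a single IAM binding on a backend service: a policy scoped to one URL prefix, a deny rule keyed on the HTTP method, and a TCP (SSH) route gated on an IdP claim, all pointing at backends that need not be in GCP.

```yaml
# Pomerium config.yaml (added example; hostnames, group names and
# backend addresses are hypothetical; IdP settings omitted).
routes:
  # Narrow path on the wiki: only members of wiki-admins may reach /admin,
  # and DELETE is refused for everyone. Listed before the catch-all route
  # for the same host so that it is matched first.
  - from: https://wiki.corp.example.com
    to: http://10.0.12.5:8080   # hypothetical backend in an AWS VPC, reached over a private link
    prefix: /admin
    policy:
      - allow:
          and:
            - domain:
                is: corp.example.com
            - groups:
                has: wiki-admins
      - deny:
          and:
            - http_method:
                is: DELETE

  # Catch-all for the rest of the wiki: any authenticated user whose
  # identity belongs to the corporate domain.
  - from: https://wiki.corp.example.com
    to: http://10.0.12.5:8080
    policy:
      - allow:
          and:
            - domain:
                is: corp.example.com

  # TCP route: SSH to a bastion, gated on a claim asserted by the IdP
  # rather than on group membership.
  - from: tcp+https://bastion.corp.example.com:22
    to: tcp://bastion.internal:22
    policy:
      - allow:
          and:
            - claim/department:
                is: sre
```

With IAP, the equivalent would be one roles/iap.httpsResourceAccessor binding per backend service; separating /admin from the rest of the wiki would require splitting the application into distinct backend services behind the load balancer, and the method-based deny would have to live in the application itself.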