Stf_F

Reputation: 1174

Compute Engine and IAP without load balancer

I would like to put one Compute Engine instance behind IAP.

I have read the official literature that states that a load balancer needs to be created.

Since I only have one instance to protect, and no autoscaling (i.e. there will always be an instance of one), the prospect of having to set up a load balancer is frankly not exciting, as that will incur costs that I would prefer to avoid.

I have tried implementing a lightweight version of the official guide by simply creating a new firewall rule with the following configuration:

[screenshot of the firewall rule configuration]

And applying it to my instance (target tag). I.e., in this config, there is no LB or MIG, but there is a valid SSL cert and domain.

This however, even while authenticated, does not allow me to access my instance.

My 2 questions:

Thanks,

Upvotes: 4

Views: 775

Answers (1)

guillaume blaquiere

Reputation: 75970

There is little literature (or nothing) on the Google Cloud architecture. But by speaking and speaking with Google, you start to understand things.

In fact, IAP is a feature, a special config that you can deploy on the Google Front End network element. That element is exposed to the internet. You can mainly configure a Load Balancer on it, and then activate features: IAP or Cloud Armor, for instance.

Because of that, you must use a Load Balancer to interact with Google Front End and therefore use IAP on top of it.

If you extrapolate my explanation, you have to understand that Google Front End is an internet-facing network element. And so, if you create an internal load balancer, i.e. not exposed to the internet, you can't deploy Cloud Armor or IAP on top of it.

Upvotes: 3
