implementing-beyondcorp-zero-trust-access-model


Implementing BeyondCorp Zero Trust Access Model

When to Use

  • When replacing traditional VPN infrastructure with identity-based application access
  • When migrating to Google Cloud and requiring zero trust access for internal applications
  • When implementing device trust verification as a prerequisite for resource access
  • When you need context-aware access policies based on user identity, device posture, and location
  • When securing access for remote and hybrid workforce without network-level trust

Do not use when applications require raw network-level access (e.g., UDP-based protocols not supported by IAP), when the applications are consumer-facing and public, or when the organization lacks an identity provider with MFA capabilities.

Prerequisites

  • Google Cloud organization with Cloud Identity or Google Workspace
  • Identity-Aware Proxy (IAP) API enabled on the GCP project
  • Chrome Enterprise Premium license for endpoint verification
  • Applications deployed behind a Google Cloud Load Balancer or on App Engine/Cloud Run
  • Endpoint Verification extension deployed on all corporate devices
First Seen
Apr 20, 2026