Deploy private web apps

Private web applications are created for an organization's internal users, such as employees and contractors. You can deploy these apps using Chrome Enterprise Premium in the Google Admin console.

Add the app to your Google Workspace account

Private apps can be hosted on Google Cloud, another cloud provider, or an on-premises data center.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Apps and then Web and mobile apps.

  3. Click Add app and then Add private web app.
  4. Under Application Details, enter an app name and URL where users access the app.
  5. Specify where your application is hosted:
  6. Click Add application.

Settings for apps hosted on Google Cloud

Create a Private Service Connect (PSC) URL to connect the private apps in your environment.

To set up the PSC URL, create an internal load balancer, and then create a service attachment that uses an internal IP address.

Create an Internal Load Balancer

Private apps in Google Workspace should be published behind an internal load balancer with global access enabled. For details, see Publish a service with automatic approval.

Create an Internal Load Balancer for Compute or GKE resource

Before you begin: To allow secure HTTPS communication, set up an instance group configured to serve requests on port 443. The instance group will be selected in the Backend configuration tab.

  1. In the Google Cloud console, go to the Load balancing page.
  2. Click Create Load Balancer.
  3. Click Start Configuration for Network Load Balancer (TCP/SSL) and select the following:
    1. Type of load balancer—Network Load Balancer (TCP/UDP/SSL).
    2. Proxy or Passthrough—Passthrough.
    3. Internet facing or Internal only—Internal.
    4. Click Next.
    5. Click Continue.
  4. Enter the load balancer name, and select the region and network where you will deploy the load balancer.
    Important: The network you choose for the load balancer must be the same network used by your instance group.
  5. Select the Backend configuration tab.
    1. Protocol—Select TCP
    2. IP stack type—Select IPv4
    3. Select an instance group.
      To create one, go to Instance groups.
    4. Select a health check from the list. To create a new health check:
      1. Select Create health check.
      2. Enter a name for your health check (for example: ping-port).
      3. Select regional scope.
      4. For the protocol, choose HTTPS.
      5. Keep port as 443.
      6. For Proxy protocol, select NONE.
      7. For Request path leave "/".
      8. Enable logs.
      9. Keep the default values for the health criteria.
  6. Select the Frontend configuration tab.
    1. (Optional) Enter a name for the frontend.
    2. For IP version, select IPv4.
    3. Select a subnetwork.
    4. For internal IP purpose, select Non-shared.
    5. For ports, select Single.
    6. Enter port number 443.
    7. For Global access, select Enable.
  7. Select the Review and finalize tab to review your load balancer configuration settings.
  8. Click Create.

Create an Internal Load Balancer for Cloud Run resource

  1. In the Google Cloud console, go to the Load balancing page.
  2. Click Create Load Balancer.
  3. Click Start Configuration for application load balancer (HTTP/S) and select the following.
    1. Type of load balancer—Application Load Balancer (HTTP/HTTPS).
    2. Internet facing or internal only—internal.
    3. Cross-region or single region deployment—single region.
    4. Click Next.
    5. Click Configure.
  4. Enter the load balancer name and select the region and network where the load balancer will be deployed.
  5. Select the Backend configuration tab.
    1. Create or select the backend service.
    2. If creating a service, select the Backend type Serverless Network Endpoint Group and select a network endpoint group.
    3. If you don’t have a Serverless Network Endpoint, select the option to create a new one.
      Before creating the Serverless Network Endpoint Group, create a Cloud Run service that the endpoint group will point to.
  6. Select the Frontend configuration tab.
    1. Protocol—Select HTTPS.
    2. Select the subnetwork.
    3. Complete the onscreen steps to reserve a subnet if you haven't done so already.
    4. Enable global access.
    5. For the certificate, you can select to create a new one or choose an existing certificate.
  7. Click Create.

Create the Service Attachment URL

To set up the PSC URL, create a service attachment that uses an internal IP address.

  1. In the Google Cloud console, go to the Private Service Connect page.
  2. Click the Publish service tab.
  3. Click Publish service.
  4. Select the Load balancer type for the service that you want to publish:
    • Internal passthrough Network Load Balancer
    • Regional internal proxy Network Load Balancer
    • Regional internal Application Load Balancer
  5. Select the Internal load balancer that hosts the service that you want to publish.
    The network and region fields are populated with the details for the selected internal load balancer.
  6. For Service name, enter a name for the service attachment.
  7. Select one or more Subnets for the service. If you want to add a new subnet, you can create one:
    • Click Reserve new subnet.
    • Enter a Name and optional Description for the subnet.
    • Select a Region for the subnet.
    • Enter the IP range to use for the subnet and click Add.
  8. For Connection preference, select Automatically accept all connections.
  9. Click Add service.
  10. Click the published service. Use the service attachment name in the Service attachment field to create the URL:
    https://www.googleapis.com/compute/v1/SERVICE_ATTACHMENT_NAME
  11. Enter the URL when adding your private app in Google Workspace. See Add the app to your Workspace account.

Settings for apps hosted on other cloud providers or on-prem data centers

To securely connect your cloud or on-prem network to the Google cloud, add an app connector.

App connectors allow you to securely connect your application from other clouds to Google without a site-to-site VPN.

Create a VM on the non-Google network

You must install each app connector remote agent on a dedicated virtual machine (VM) or on any bare metal server in the non-Google environment.

  • To create the VM, ask your network administrator for assistance or follow the instructions provided by your cloud provider.
  • To run the remote agent, use Docker on each VM or server.
  • Ensure that the network firewall for the remote agent VM allows outbound traffic on port 443 to the IAP-TCP IP range 35.235.240.0/20. See Verify the firewall configuration for the other domains that the firewall for the remote agent VM should allow outbound traffic to.
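The egress requirement above is easy to get subtly wrong (a rule that is too narrow, the wrong protocol, or a deny instead of an allow). The following is an added example, not part of this page or Google's tooling: it checks a list of firewall rules for one that permits TCP 443 to the whole 35.235.240.0/20 range. The rule dictionary shape and the sample rules are constructed for illustration, and rule priority is deliberately not modelled.

```python
import ipaddress

# Egress the remote agent needs (from the page): TCP 443 to the IAP-TCP range.
IAP_TCP_RANGE = ipaddress.ip_network("35.235.240.0/20")
REQUIRED_PORT = 443


def parse_ports(spec):
    """Turn a port spec such as '443' or '0-65535' into an inclusive (lo, hi) tuple."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def rule_covers(rule):
    """True if this single egress ALLOW rule permits TCP 443 to the entire IAP-TCP range.

    A rule whose destination only covers part of the /20 (e.g. a /24) does not count,
    because the agent may be told to connect to any address in the range.
    """
    if rule.get("direction") != "EGRESS" or rule.get("action") != "ALLOW":
        return False
    if rule.get("protocol", "").lower() not in ("tcp", "all"):
        return False
    dest = ipaddress.ip_network(rule["destination"])
    if dest.version != 4 or not IAP_TCP_RANGE.subnet_of(dest):
        return False
    ports = rule.get("ports") or ["0-65535"]  # no ports listed means all ports
    return any(lo <= REQUIRED_PORT <= hi for lo, hi in map(parse_ports, ports))


def check_remote_agent_egress(rules):
    """Return (ok, names of the rules that satisfy the IAP-TCP egress requirement).

    Limitation (assumption): rule priority is not evaluated, so a higher-priority
    DENY covering the same traffic would still need to be reviewed by hand.
    """
    matching = [r["name"] for r in rules if rule_covers(r)]
    return bool(matching), matching


# Constructed sample shaped loosely like a VPC firewall export; not real rules.
SAMPLE_RULES = [
    {"name": "deny-all-egress", "direction": "EGRESS", "action": "DENY",
     "protocol": "all", "destination": "0.0.0.0/0"},
    {"name": "allow-iap-443", "direction": "EGRESS", "action": "ALLOW",
     "protocol": "tcp", "destination": "35.235.240.0/20", "ports": ["443"]},
    {"name": "allow-web-80", "direction": "EGRESS", "action": "ALLOW",
     "protocol": "tcp", "destination": "0.0.0.0/0", "ports": ["80"]},
]

if __name__ == "__main__":
    print(check_remote_agent_egress(SAMPLE_RULES))
```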

Add an app connector and install the remote agent

  1. Add an app connector:
    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in @gmail.com).

    2. In the Admin console, go to Menu and then Apps and then Web and mobile apps.

    3. Click the BeyondCorp Enterprise (BCE) Connectors tab.
    4. Click Add connector.
    5. Enter a name for the connector. For example: connect-myapp.
    6. Select a region close to the non-Google environment.
    7. Click Add connector.
    8. To view the status, at the top right, click and then Your tasks.
  2. Create a VM instance to host the remote agent.
    Follow the instructions provided by your network administrator or cloud provider. See Create a VM on the non-Google network.
  3. Install a remote agent.
    1. Click the app connector name.
    2. Click Install remote agent.
    3. On the non-Google environment, install the remote agent:
      • Create a virtual machine (VM) instance to host the remote agent. Follow the instructions provided by your network administrator or cloud provider.
      • Install Docker, which is required to run the remote agent. For instructions, see the online documentation to install Docker Engine.
      • Install and enroll the remote agent using the CLI commands displayed in the Google Workspace app connector page.
      • Copy and paste the public key that is displayed after the remote agent is successfully enrolled.
    4. Click Save.

The app connector page should show that a public key was successfully added.

Restrict access and authentication

The admin who created the app can decide under what conditions a user should be able to access the app. For example, you can limit access to users from a specific domain or only allow access during certain times or days. If access is denied, the user is redirected to a specific page.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Apps and then Web and mobile apps.

  3. Click the Apps tab and then click an app to open the details page.
  4. Click Advanced settings.
  • 403 landing page—Enter the web address where users will be redirected if they are denied access to the app. Use the format https://<url>.
  • Authentication domain—Enter the single sign-on (SSO) URL for your organization to allow users to log in using their organization credentials. This also denies access to users who do not have valid credentials for your Google Workspace domain. Use the format sso.your.org.com.
  • Allowed domains—Check the Enable allowed domains box to restrict user access to only the specified domains. Separate entries with a comma. For example: test.your.org.com, prod.your.org.com.
  • Reauthentication—Use these options to require users to reauthenticate after a period of time. For example, you can require a touch on a security key or 2-step verification.
    • Login: Require users to reauthenticate with a username/password after being logged in for the specified amount of time.
    • Secure key: Require users to reauthenticate using their security key.
    • Enrolled second factors: Require users to reauthenticate using a second-factor authentication (2FA) method.

For more information, see IAP reauthentication.

Assign Context-Aware Access control

Using Context-Aware Access, you can control which private apps a user can access based on their context, such as whether their device complies with your IT policy.

For example, you can create granular access control policies for apps that access Google Workspace data based on attributes such as user identity, location, device security status, and IP address.

For details, see Assign access levels to private apps.
