Deploy private web apps

Private web applications are created for an organization's internal users, such as employees and contractors. These apps can be deployed using Chrome Enterprise Premium in the Workspace Admin console.

Add the app to your Workspace account

Private apps can be hosted on Google Cloud, another cloud provider, or an on-prem data center.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Apps and then Web and mobile apps.

  3. Click Add app and then Add private web app.
  4. Under Application Details, enter an app name and URL where users access the app.
  5. Specify where your application is hosted: Google Cloud, or another cloud provider or on-prem data center. The settings for each option are described in the sections below.
  6. Click Add application.

Settings for apps hosted on Google Cloud

Create a Private Service Connect (PSC) URL to connect the private apps in your environment.

To set up the PSC URL, create an Internal Load Balancer and then create a service attachment that uses an internal IP address. 

Create an Internal Load Balancer

Private apps in Google Workspace should be published behind an internal load balancer with global access enabled. For details, see Publish a service with automatic approval.

Create an Internal Load Balancer for Compute or GKE resource

  1. In the Google Cloud console, go to the Load balancing page.
  2. Click Create Load Balancer.
  3. Click Start Configuration for Network Load Balancer (TCP/SSL).
    • For Internet facing or internal only, select Only between my VMs.
    • Do not change the remaining default values.
    • Click Continue.
  4. Enter the load balancer name and select the region and network where the load balancer will be deployed.
  5. Select the Backend configuration tab.
    • Select the Backend Type of your resource. For example, the network endpoint group.
    • Provide the health check that determines the health of your service and the firewall setup. For example, ping a port.
    • Do not change the remaining default values.
  6. Select the Frontend configuration tab.
    • Select Enable for global access.
    • Select the subnetwork.
    • Enter the port number.
    • Do not change the remaining default values.
  7. Click Create.

Create an Internal Load Balancer for Cloud Run resource

  1. In the Google Cloud console, go to the Load balancing page.
  2. Click Create Load Balancer.
  3. Click Start Configuration for application load balancer (HTTP/S).
    1. Select Only between my VMs or Serverless services.
    2. Click Continue.
  4. Enter the load balancer name and select the region and network where the load balancer will be deployed.
  5. Select the Frontend configuration tab.
    1. Select the subnetwork.
    2. Complete the onscreen steps to reserve a subnet if you haven't done so already.
  6. Select the Backend configuration tab.
    1. Create or select the backend service.
    2. If creating a service, select the serverless network endpoint group.
  7. Click Create.

Create the Service Attachment URL

To set up the PSC URL, create a service attachment that uses an internal IP address.

  1. In the Google Cloud console, go to the Private Service Connect page.
  2. Click the Publish service tab.
  3. Click Publish service.
  4. Select the Load balancer type for the service that you want to publish:
    • Internal passthrough Network Load Balancer
    • Regional internal proxy Network Load Balancer
    • Regional internal Application Load Balancer
  5. Select the Internal load balancer that hosts the service that you want to publish.
    The network and region fields are populated with the details for the selected internal load balancer.
  6. For Service name, enter a name for the service attachment.
  7. Select one or more Subnets for the service. If you want to add a new subnet, you can create one:
    • Click Reserve new subnet
    • Enter a Name and optional Description for the subnet.
    • Select a Region for the subnet.
    • Enter the IP range to use for the subnet and click Add.
  8. Select Automatically accept connections.
  9. Click Add service.
  10. Click the published service. The Service Attachment field contains the service attachment name. The URL is:
    https://www.googleapis.com/compute/v1/SERVICE_ATTACHMENT_NAME

Settings for apps hosted on other cloud providers or on-prem data centers

To securely connect your cloud or on-prem network to Google Cloud, add an app connector.

App connectors allow you to securely connect your application from other clouds to Google without a site-to-site VPN.

Create a VM on the non-Google network

Each app connector remote agent must be installed on a dedicated virtual machine (VM) or bare-metal server in the non-Google environment.

  • To create the VM, ask your network administrator for assistance or follow the instructions provided by your cloud provider.
  • Docker is also required on each VM or server to run the remote agent.
  • Ensure that the remote agent VM network firewall allows all outbound traffic initiated at port 443 for the IAP-TCP IP range 35.235.240.0/20. See Verify the firewall configuration for the other domains that the remote agent VM firewall should allow outbound traffic to.
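The firewall requirement above is easy to satisfy with a blanket allow-all egress rule, which also lets the agent VM talk to anything else. The following added example (not from the Google Workspace documentation or the app connector product) models a small egress rule set and checks two things a defender cares about: that the required flow, TCP/443 to the IAP-TCP range 35.235.240.0/20 stated on the page, is allowed, and that unrelated outbound traffic is blocked. The rule semantics are an assumption modelled on GCP VPC firewall behaviour (lower priority number wins, first match decides, an implied allow-all egress rule at priority 65535); the rule sets, names and the 203.0.113.7 probe address are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IAP-TCP range from the page; the one destination the remote agent must reach on TCP/443.
IAP_TCP_RANGE = "35.235.240.0/20"
REQUIRED_FLOWS = [(IAP_TCP_RANGE, "tcp", 443)]


@dataclass(frozen=True)
class EgressRule:
    """One egress rule. Semantics are an assumption modelled on GCP VPC firewall
    rules: lower priority number wins and the first matching rule decides."""
    name: str
    priority: int
    action: str                      # "allow" or "deny"
    dest_cidr: str
    protocol: str = "all"            # "tcp", "udp" or "all"
    ports: frozenset = frozenset()   # empty means any port

    def matches(self, dest_ip, protocol, port):
        if ip_address(dest_ip) not in ip_network(self.dest_cidr):
            return False
        if self.protocol not in ("all", protocol):
            return False
        return not self.ports or port in self.ports


# Implied allow-all egress at the lowest priority (assumption, see above).
IMPLIED_ALLOW_EGRESS = EgressRule("implied-allow-egress", 65535, "allow", "0.0.0.0/0")


def evaluate(rules, dest_ip, protocol, port):
    """Return "allow" or "deny" for a single outbound flow."""
    for rule in sorted([*rules, IMPLIED_ALLOW_EGRESS], key=lambda r: r.priority):
        if rule.matches(dest_ip, protocol, port):
            return rule.action
    return "deny"


def probe_addresses(cidr):
    """Sample one address per /24 inside the range plus its last address."""
    net = ip_network(cidr)
    probes = [str(sub.network_address)
              for sub in net.subnets(new_prefix=max(24, net.prefixlen))]
    probes.append(str(net[-1]))
    return probes


def required_flows_ok(rules, flows=REQUIRED_FLOWS):
    """True when every required flow is allowed at every sampled address."""
    return all(evaluate(rules, ip, proto, port) == "allow"
               for cidr, proto, port in flows
               for ip in probe_addresses(cidr))


def check_rule_set(rules, flows=REQUIRED_FLOWS):
    """Required flows must pass; unrelated HTTP and DNS to a public host must not."""
    unrelated_blocked = (evaluate(rules, "203.0.113.7", "tcp", 80) == "deny"
                         and evaluate(rules, "203.0.113.7", "udp", 53) == "deny")
    return {
        "required_flows_allowed": required_flows_ok(rules, flows),
        "unrelated_egress_blocked": unrelated_blocked,
    }


# Constructed rule sets for illustration (not from the page).
LEAST_PRIVILEGE = (
    EgressRule("allow-iap-tcp-443", 1000, "allow", IAP_TCP_RANGE, "tcp", frozenset({443})),
    EgressRule("deny-all-other-egress", 65000, "deny", "0.0.0.0/0"),
)
# The deny-all shadows the implied allow, so the agent cannot reach IAP and enrollment fails.
MISSING_ALLOW = (EgressRule("deny-all-other-egress", 65000, "deny", "0.0.0.0/0"),)
# No rules at all: the implied allow lets the agent out, and everything else too.
WIDE_OPEN = ()

if __name__ == "__main__":
    for label, rules in (("least-privilege", LEAST_PRIVILEGE),
                         ("missing-allow", MISSING_ALLOW),
                         ("wide-open", WIDE_OPEN)):
        print(label, check_rule_set(rules))
```

The `LEAST_PRIVILEGE` set only covers the IAP-TCP range; a real deployment adds explicit allow rules for the other destinations listed under Verify the firewall configuration, otherwise the deny-all rule blocks them as well. Extend `REQUIRED_FLOWS` with those destinations and the check will report them too.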

Add an app connector and install the remote agent

App connectors require that a remote agent be installed and run on each non-Google network where your apps are hosted. The remote agent initiates and maintains the secure network connection and routes traffic between Google Workspace and the application.

  1. Add an app connector:
    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in @gmail.com).

    2. In the Admin console, go to Menu and then Apps and then Web and mobile apps.

    3. Click the Chrome Enterprise Premium Connectors tab.
    4. Click Add connector.
    5. Enter a name for the connector. For example: connect-myapp.
    6. Select a region close to the non-Google environment.
    7. Click Add connector.
    8. To view the status, at the top right, click and then Your tasks.
  2. Create a virtual machine (VM) instance to host the remote agent.
    Follow the instructions provided by your network administrator or cloud provider. See Create a VM on the non-Google network.
  3. Install a remote agent.
    1. Click the app connector name.
    2. Click Install remote agent.
    3. On the non-Google environment, install the remote agent:
      • Create a virtual machine (VM) instance to host the remote agent. Follow the instructions provided by your network administrator or cloud provider.
      • Install Docker, which is required to run the remote agent. For instructions, see the online documentation to install Docker Engine.
      • Install and enroll the remote agent using the CLI commands displayed in the Google Workspace app connector page.
      • Copy and paste the public key that is displayed after the remote agent is successfully enrolled.
    4. Click Save.

The app connector page should show that a public key was successfully added.

Restrict access and authentication

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Apps and then Web and mobile apps.

  3. Click the Apps tab and then click an app to open the details page.
  4. Click Advanced settings.
    • 403 landing page—Enter the web address where users are redirected if they are denied access to the app. Use the format https://<url>.
    • Authentication domain—Enter the single sign-on (SSO) URL for your organization to allow users to log in using their organization credentials. This also denies access to users who do not have valid credentials for your Workspace domain. Use the format sso.your.org.com.
    • Allowed domains—Check the Enable allowed domains box to restrict user access to only the specified domains. Separate entries with a comma. For example: test.your.org.com, prod.your.org.com.
    • Reauthentication—Use these options to require users to reauthenticate after a period of time, for example with a security key touch or 2-Step Verification.
      • Login: Require users to reauthenticate with a username and password after being logged in for the specified amount of time.
      • Secure key: Require users to reauthenticate using their security key.
      • Enrolled second factors: Require users to reauthenticate using a second-factor authentication (2FA) method.

For more information, see IAP reauthentication.

Assign context-aware access control

Using Context-Aware Access, you can control which private apps a user can access based on their context, such as whether their device complies with your IT policy.

For example, you can create granular access control policies for apps that access Workspace data based on attributes such as user identity, location, device security status, and IP address.

For details, see Assign access levels to private apps.
