Deploy private web apps

Private web applications are used by your organization's internal users, such as employees and contractors. You can deploy these apps using Chrome Enterprise Premium in the Google Admin console.

Add the app to your Google Workspace account

Private apps are hosted on Google Cloud, another cloud provider, or an on-premises data center.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu AppsWeb and mobile apps.
Click Add appAdd private web app.
In the Application Details section, enter an app name and URL where users access the app.
Specify where your application is hosted:
- Apps hosted on Google Cloud—Enter the Private Service Connect (PSC) URL under Application Host Details. For details, see Settings for apps hosted on Google Cloud.
- HTTPS apps hosted on another cloud provider—Enter the internal URL and port number. HTTP apps are not supported. For details, see Settings for apps hosted on other cloud providers or on-premises data centers.
  
  For best performance, select a region closest to where the application is hosted, and then choose the app connectors required to connect your application.
Click Add application.

Settings for apps hosted on Google Cloud

Create a Private Service Connect (PSC) URL to connect the private apps in your environment.

To set up the PSC URL, create an internal load balancer, and then create a service attachment that uses an internal IP address.

Create an internal load balancer

You should publish private apps in private apps in Google Workspace behind an internal load balancer with global access enabled. For details, see Publish a service with automatic approval.

Create an Internal Load Balancer for Compute or GKE resource

Before you begin: To allow secure HTTPS communication, set up an instance group configured to serve requests on port 443. Select the instance group in the Backend configuration tab.

In the Google Cloud console, go to the Load balancing page.
Click Create Load Balancer.
Click Start Configuration for Network Load Balancer (TCP/SSL) and select the following:
1. For Type of load balancer—Network Load Balancer (TCP/UDP/SSL).
2. For Proxy or passthrough—Passthrough.
3. For Internet facing or internal only—Internal.
4. Click Next.
5. Click Continue.
Enter the load balancer name, and select the region and network where you will deploy the load balancer.
Important: The network you choose for the load balancer must be the same network used by your instance group.
Click the Backend configuration tab.
1. For Protocol—Select TCP.
2. For IP stack type—Select IPv4.
3. Select an instance group.
  To create one, go to Instance groups.
4. Select a health check from the list. To create a new health check:
  1. Select Create health check.
  2. Enter a name for your health check (for example: ping-port).
  3. Select regional scope.
  4. For the protocol, select HTTPS.
  5. Keep the port as 443.
  6. For Proxy protocol, select NONE.
  7. For Request path, leave "/".
  8. Enable logs.
  9. Keep the default values for the health criteria.
Click the Frontend configuration tab
1. (Optional) Enter a name for the frontend.
2. For IP version, select IPv4.
3. Select a subnetwork.
4. For internal IP purpose, select Non-shared.
5. For ports, select Single.
6. Enter port number 443.
7. For Global access, select Enable.
Click the Review and finalize tab to review your load balancer configuration settings.
Click Create.

Create an internal Load Balancer for a Cloud Run resource

In the Google Cloud console, go to the Load balancing page.
Click Create Load Balancer.
Click Start Configuration for application load balancer (HTTP/S) and select the following.
1. For Type of load balancer—Select Application Load Balancer (HTTP/HTTPS).
2. For Internet facing or internal only—Select internal.
3. For Cross-region or single region deployment—Select single region.
4. Click Next.
5. Click Configure.
Enter the load balancer name and select the region and network where the load balancer will be deployed.
Click the Backend configuration tab.
1. Create or select the backend service.
2. If creating a service, for Backend type, select Serverless Network Endpoint Group and select a network endpoint group.
3. If you don’t have a serverless network endpoint, select the option to create a new one.
  Before creating the serverless network endpoint group, create a Cloud Run service that the endpoint group will point to.
Click the Frontend configuration tab
1. For Protocol—Select HTTPS.
2. Select the subnetwork.
3. If you haven't reserved a subnet yet, complete the onscreen steps.
4. Enable global access.
5. For the certificate, select to create a new one or choose an existing certificate.
Click Create.

Create the service attachment URL

To set up the PSC URL, create a service attachment that uses an internal IP address.

In the Google Cloud console, go to the Private Service Connect page.
Click the Publish service tab.
Click Publish service.
Select the Load balancer type for the service that you want to publish:
- Internal passthrough Network Load Balancer
- Regional internal proxy Network Load Balancer
- Regional internal Application Load Balancer
Select the Internal load balancer that hosts the service that you want to publish.
The network and region fields are populated with the details for the selected internal load balancer.
For Service name, enter a name for the service attachment.
Select one or more Subnets for the service. If you want to add a new subnet, you can create one:
1. Click Reserve new subnet.
2. Enter a Name and optional Description for the subnet.
3. Select a Region for the subnet.
4. Enter the IP range to use for the subnet and click Add.
For Connection preference, select Automatically accept all connections.
Click Add service.
Click the published service. Use the service attachment name in the Service attachment field to create the URL:
https://www.googleapis.com/compute/v1/SERVICE_ATTACHMENT_NAME

When you add your private app in Google Workspace, use this URL. See Add the app to your Workspace account.

Settings for apps hosted on other cloud providers or on-premises data centers

To securely connect your cloud or on-prem network to to Google Cloud, add an app connector.

App connectors allow you to securely connect your application from other clouds to Google without a site-to-site Virtual Private Network (VPN).

Create a VM on the non-Google network

You must install each app connector remote agent on a dedicated virtual machine (VM) or on any bare metal server in the non-Google environment.

To create the VM, ask your network administrator for assistance or follow the instructions provided by your cloud provider.
To run the remote agent, use Docker on each VM or server.
Ensure that the network firewall for the remote agent VM allows all outbound traffic initiated at port 443 for the IAP-TCP IP range 35.235.240.0/20. See Verify the firewall configuration for other domains that the firewall for the remote agent VM should allow outbound traffic to.

Add an app connector and install the remote agent

Add an app connector:
1. Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
2. In the Admin console, go to Menu AppsWeb and mobile apps.
3. Click the BeyondCorp Enterprise (BCE) Connectors tab.
4. Click Add connector.
5. Enter a name for the connector, for example: connect-myapp.
6. Select a region close to the non-Google environment.
7. Click Add connector.
8. To view the status, on the top right, click Your tasks.
Create a VM instance to host the remote agent.
Follow the instructions provided by your network administrator or cloud provider. See Create a VM on the non-Google network.
Install a remote agent.
1. Click the app connector name.
2. Click Install remote agent.
3. On the non-Google environment, install the remote agent:
  - Create a virtual machine (VM) instance to host the remote agent. Follow the instructions provided by your network administrator or cloud provider.
  - Install Docker, which is required to run the remote agent. For instructions, see the online documentation to install Docker Engine.
  - Install and enroll the remote agent using the command-line interface (CLI) commands displayed on the Google Workspace app connector page.
  - Copy and paste the public key that is displayed after the remote agent is successfully enrolled.
4. Click Save.

The app connector page shows that you successfully added a public key.

Restrict access and authentication

The admin who created the app can decide under what conditions a user should be able to access the app. For example, you can limit access to users from a specific domain or only allow access during certain times or days. If access is denied, the user is redirected to a specific page.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu AppsWeb and mobile apps.
Click the Apps tab click an app to open the details page.
Click Advanced settings.

403 landing page—Enter the web address where users will be redirected if they are denied access to the app. Use the format https://<url>.
Authentication domain—Enter the single sign-on (SSO) URL for your organization to allow users to sign in using their organization credentials. This also denies access to users who do not have valid credentials for your Google Workspace domain. Use the format sso.your.org.com.
Allowed domains—Check the Enable allowed domains box to restrict user access to only the specified domains. Separate entries with a comma, for example: test.your.org.com, prod.your.org.com.
Reauthentication—Use these options to require users to reauthenticate after a period of time. For example, users can touch a security key or use 2-Factor Authentication (2FA).
- Login: Require users to reauthenticate with a username and password after being logged in for the specified amount of time.
- Secure key: Require users to reauthenticate using their security key.
- Enrolled second factors: Require users to reauthenticate using 2-Factor Authentication (2FA).

For more information, see IAP reauthentication.

Assign Context-Aware Access control

Using Context-Aware Access, you can control which private apps a user can access based certain conditions, such as whether their device complies with your IT policy.

For example, you can create granular access control policies for apps that access Google Workspace data based on attributes such as user identity, location, device security status, and IP address.

For details, see Assign access levels to private apps.

Was this helpful?

How can we improve it?