
Securing Multi-Cloud Applications using BeyondCorp Enterprise (BCE)

1 hour 30 minutes 5 Credits

GSP1034

Overview

In this lab, you will configure BeyondCorp Enterprise (BCE) to restrict access to application backends that reside on multiple cloud providers, in this case GCP and AWS. This is beneficial for the following use cases, all of which benefit from BCE's Zero Trust security model:

  • Securing third-party cloud provider applications, e.g. SFDC.

  • Securing and uniting infrastructure distributed between one or more cloud providers.

  • Securing migration from one cloud provider to another.

  • Simulating on-premise VPN connections.

  • Removing manual route configurations.

What you'll do

In this lab, you will be provided with a Google Cloud Project and an Amazon Web Services account. You will utilize the features of BeyondCorp Enterprise (BCE) to secure applications running on both clouds by:

  • Creating a GCP Cloud Router and VPN Gateway

  • Creating an AWS Customer Gateway, Virtual Private Gateway and Site to Site VPN Connection

  • Configuring the bi-directional VPN tunnels to enable application connectivity

  • Deploying the BeyondCorp Enterprise Identity-Aware Proxy (IAP) On-Prem Connector to protect traffic routed to AWS

Create GCP Cloud Router

  1. Open the GCP console and go to NETWORKING > Hybrid connectivity > Cloud routers > Create router

Use the following configuration for the cloud router:

  • Name: cloud-router

  • Network: default

  • Region: us-central1

  • Google ASN value: 65001

  • Select Advertise all subnets visible to the Cloud Router in order to expose your subnets to BGP routing and to the AWS router.

  2. Click Create.


Create GCP Cloud HA VPN gateway

  1. Go to NETWORKING > Hybrid connectivity > VPN > Create VPN Connection

  2. Select High-availability (HA) VPN then click Continue.


Use the following configuration for the VPN:

  • VPN Gateway Name: ha-vpn

  • Network: default

  • Region: us-central1

  3. Click Create & Continue.

Note: You should now see two interfaces, interface 0 and interface 1, each with an IP address. Copy the IP address of interface 0. You will use it when creating your customer gateway in the AWS account provided.

Because nothing is configured in the AWS account yet, skip Add VPN tunnels and Configure BGP sessions for now.


Create the AWS Customer Gateway

  1. Open the AWS console and go to VPC > Virtual Private Network (VPN) > Customer Gateways > Create Customer Gateway:

  • Name tag: gcp
  • BGP ASN: 65001
  • IP address: Enter the IP address of interface 0 of the ha-vpn gateway in the GCP project

You can find the IP address of interface 0 in the VPN section of the GCP console, under the ha-vpn gateway created earlier.

  2. Click Create customer gateway.

Create the AWS Virtual private gateway

  1. Go to VPC > Virtual Private Network (VPN) > Virtual Private Gateways > Create Virtual Private Gateway:

  • Name tag: vpn

  • Select Custom ASN and set: 65002

  2. Click Create Virtual Private Gateway.

After the Virtual Private Gateway has been created, select it, open Actions and choose Attach to VPC. Then select the Default VPC.

Click Attach to VPC.

Create AWS Site-to-site VPN Connection

  1. Go to VPC > Virtual Private Network (VPN) > Site-to-site VPN Connections > Create VPN Connection

  • Name tag: gcp

  • Target gateway type: Virtual private gateway

  • Virtual private gateway: {{Select the virtual private gateway you created previously}}

  • Customer gateway: Existing

  • Customer gateway ID: {{Select the customer gateway created previously}}

  • Routing options: Dynamic

  2. Leave the default values for the rest of the inputs and click Create VPN connection.

After the Site-to-site VPN connection is created, select the VPN connection and click Download configuration.

When downloading the configuration, select:

  • Vendor: Cisco Systems, Inc.
  • Platform: ASA 5500 Series
  • Software: ASA 9.7+ VTI
  • IKE version: ikev1

Click Download.

Tunnels Configuration

On the Site-to-site VPN Connections page, click on Tunnel details to view the details. There will be two (2) tunnels with details. We will be using the first tunnel only.

Copy the following values, which will be used in your GCP project to create the Peer VPN Gateway, create a VPN tunnel and configure BGP:

  • The first Outside IP address will be used to create the peer VPN gateway in GCP.
  • When configuring the BGP session you will use the Inside tunnel subnet values:
    • Cloud Router IP (GCP link): Inside tunnel subnet IP address + 2
    • BGP Peer IP (AWS link): Inside tunnel subnet IP address + 1

An example of these calculations is provided below. Your values will vary from the provided example!

Tunnel Example Values

Tunnel 1 sample values:

  • Public IP = 3.227.172.243
  • Inside tunnel subnet = 169.254.43.44
  • AWS link = 169.254.43.44 + 1 = 169.254.43.45
  • GCP link = 169.254.43.44 + 2 = 169.254.43.46

Note: your values will be different from the example above.

Open the configuration text file from the previous step and search for ikev1 pre-shared-key. Save this value for use later.

Example configuration below:

tunnel-group 34.202.11.3 type ipsec-l2l
tunnel-group 34.202.11.3 ipsec-attributes
 ikev1 pre-shared-key tp7l1ntVwSVzxfr5o0USGHiEyZU7pXph

Note: your values will be different from the example above.
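To cut down on transcription mistakes when carrying the AWS values over into the GCP forms, here is an added example in Python (not part of the lab) that applies the +1/+2 rule above to derive the two BGP link addresses from the Inside tunnel subnet, and reads each tunnel's outside IP and IKEv1 pre-shared key out of the downloaded Cisco ASA configuration. The configuration excerpt embedded in the code is constructed with placeholder addresses and keys; the only real value it carries is the peer ASN 65002 set on the Virtual Private Gateway earlier.

```python
"""Pull the AWS-side values needed for the GCP Cloud VPN tunnel and BGP session.

Added example, not part of the lab. The configuration excerpt below is
constructed, and the addresses and keys in it are placeholders.
"""
import ipaddress
import re

# Constructed sample in the shape of the "Cisco ASA 9.7+ VTI, IKEv1" download.
# Each tunnel has a tunnel-group keyed by its AWS outside IP, followed by the
# IKEv1 pre-shared key that the matching GCP tunnel must be given.
SAMPLE_ASA_CONFIG = """\
! Tunnel 1 (constructed values)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE_PSK_TUNNEL1_REPLACE_ME
! Tunnel 2 (constructed values)
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE_PSK_TUNNEL2_REPLACE_ME
"""

AWS_PEER_ASN = 65002  # the Custom ASN set on the AWS Virtual Private Gateway
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # AWS inside tunnel subnets live here

_PSK_RE = re.compile(
    r"tunnel-group\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+ipsec-attributes\s*\n"
    r"\s*ikev1\s+pre-shared-key\s+(?P<psk>\S+)"
)


def extract_ikev1_psks(config_text: str) -> dict:
    """Map each AWS outside IP to its IKEv1 pre-shared key, in file order.

    The first entry is Tunnel 1, the tunnel this lab wires up to GCP.
    """
    return {m["peer"]: m["psk"] for m in _PSK_RE.finditer(config_text)}


def bgp_link_ips(inside_tunnel_subnet: str) -> dict:
    """Derive the BGP addresses from the AWS inside tunnel subnet.

    Per the lab: AWS link (BGP Peer IP) = subnet address + 1 and
    GCP link (Cloud Router BGP IP) = subnet address + 2. AWS shows the subnet
    as a /30 inside 169.254.0.0/16; a bare address is treated as a /30.
    """
    if "/" not in inside_tunnel_subnet:
        inside_tunnel_subnet += "/30"
    net = ipaddress.ip_network(inside_tunnel_subnet, strict=False)
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"unexpected inside tunnel subnet: {inside_tunnel_subnet}")
    return {
        "inside_tunnel_subnet": str(net),
        "bgp_peer_ip_aws": str(net.network_address + 1),
        "cloud_router_bgp_ip_gcp": str(net.network_address + 2),
    }


def gcp_tunnel_settings(config_text: str, inside_tunnel_subnet: str) -> dict:
    """Collect what the GCP Peer VPN Gateway, VPN tunnel and BGP session forms ask
    for, taken from Tunnel 1 of the downloaded configuration."""
    psks = extract_ikev1_psks(config_text)
    if not psks:
        raise ValueError("no tunnel-group ipsec-attributes / ikev1 pre-shared-key pair found")
    peer_ip, psk = next(iter(psks.items()))  # first tunnel in the file = Tunnel 1
    settings = {
        "peer_vpn_gateway_interface_0_ip": peer_ip,
        "ike_version": "IKEv1",
        "ike_pre_shared_key": psk,
        "peer_asn": AWS_PEER_ASN,
    }
    settings.update(bgp_link_ips(inside_tunnel_subnet))
    return settings


if __name__ == "__main__":
    for key, value in gcp_tunnel_settings(SAMPLE_ASA_CONFIG, "169.254.43.44").items():
        print(f"{key}: {value}")
```

Run it against the real downloaded file by replacing SAMPLE_ASA_CONFIG with the file's contents and passing the Inside tunnel subnet shown under Tunnel details; the ValueError guards catch a subnet that is not a /30 in the link-local range, which is the usual sign that the wrong field was copied.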

Create GCP Cloud VPN tunnels

  1. Open GCP console and navigate to NETWORKING > Hybrid connectivity > VPN > Peer VPN Gateways > Create Peer VPN Gateway:

  • Name: aws-vpn

  • Interfaces: One interface

  • Interface 0 IP address: Enter the Outside IP address from Tunnel 1 from your AWS site-to-site connections

  2. Click Create.

  3. Navigate to the Cloud VPN Tunnels tab, then click Create VPN Tunnel:

Make sure the following fields are set when you create the VPN tunnel:

  • VPN gateway: ha-vpn
  • Peer VPN gateway: aws-vpn
  • Cloud Router: cloud-router
  • Associated peer VPN gateway interface: outside IP of tunnel 1 (and tunnel 2 for when you set up the second VPN tunnel)
  • Set a Name of your choice.
  • IKE version: IKEv1
  • Set IKE pre-shared key to what you copied earlier from the configuration txt file.

Click Create and continue.

When creating the BGP session:

  • Enter a name for your BGP session

  • Peer ASN: 65002

  • Allocate BGP IPv4 address: Select Manually

  • Cloud Router BGP IP: GCP link of tunnel1, which you calculated earlier

  • BGP Peer IP: AWS link of tunnel1, which you calculated earlier

  4. Click Save & Continue.

  5. Click SAVE BGP CONFIGURATION.

Build a Virtual Private Network between AWS and Google Cloud

Enable Route Propagation in AWS Route Table

  1. Open AWS console and go to VPC > Route tables

  2. Select the Route table of the VPC (Default)

  3. Click on the Route Propagation tab then click Edit route propagation:

Check the box to enable propagation in the edit mode of the routing table.

  4. Click Save.

Test the connectivity

Creating instance in AWS

  1. Go to EC2 in your AWS account, then click Launch Instance to create the EC2 VM:
  2. Use the following configuration:

  • Name: my-aws-server
  • In the key pair (login) section, click create a new key pair:
    • key pair name: ec2
    • key pair type: RSA
    • private key format: .pem
    • Click Create key pair.
Note: Save the downloaded ec2.pem file. You will use this file later to SSH to the instance.

Under Network settings enable the following:

  • Allow HTTPs traffic from the internet
  • Allow HTTP traffic from the internet

Click the Edit icon in the top right of the Network settings section and add the following custom security group rule. Click Add security group rule:

  • Type: Custom TCP
  • Port range: 8080
  • Source type: Custom
  • Source: 0.0.0.0/0
  3. Click Launch instance.

After the EC2 instance is created, click on View all instances and select the instance you created to view its details. Copy the Public IPv4 DNS.


Connect to your AWS instance

  1. After the EC2 instance is created, open Cloud Shell in your Google Cloud Platform project:
  • Upload the key (ec2.pem file) to your local Cloud Shell session running in GCP. You can do this by selecting the three dot menu at the top right of Cloud Shell and selecting Upload. You will be prompted to upload a file or folder in the resulting modal input box. Upload your ec2.pem file then proceed.

  2. Run this command to ensure your key is not publicly viewable:

chmod 400 ec2.pem
  3. In Cloud Shell, connect to your instance using its Public DNS. Remember to replace the Public DNS below with the one you copied previously:

Example:

ssh -i "ec2.pem" ec2-user@ec2-18-215-177-176.compute-1.amazonaws.com
  4. Type yes to continue connecting.

Once you log in you should see the following:


  5. Run the following commands in your SSH session to the EC2 instance to install the netcat package:

sudo yum update
sudo yum install nc

If prompted enter y to continue.

Creating instance in GCP

  1. In your Google Cloud Project, navigate to Compute Engine > VM instances > CREATE INSTANCE to create a Compute Engine instance with the following configuration

    • Name: my-gcp-vm
    • Region: us-central1
    • Zone: us-central1-a
  2. Under Firewall Allow HTTP traffic. Then click Create to create your instance.

  3. Once your instance is created, click SSH to connect to your instance.

  4. Run the following command to install netcat. Hit enter if prompted to confirm.

sudo apt-get install netcat

Netcat from GCP to AWS

  1. In your Cloud Shell session connected to your AWS EC2 instance run the following command to listen on port 8080 using netcat:

nc -l -p 8080
  2. Run the following command from your GCP VM SSH session to send a message to your AWS instance.

Note: Replace the value in curly braces with the internal IP address of your AWS instance.

echo "Hello from GCP" | nc {replace with IP from AWS} 8080

You should be able to see your message "Hello from GCP" in the AWS session.

Create VM instances

Run a web server on the EC2 instance

Make sure you are still connected to your EC2 instance in Cloud Shell.

  1. Press CTRL+C to stop listening to port 8080.

  2. Run the following commands:

sudo yum update -y
sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2

  3. Install the Apache web server:

sudo yum install -y httpd

  4. Start the web server:

sudo systemctl start httpd

Use the Public IPv4 DNS you copied previously to visit the web page served by your EC2 instance. The URL should resemble the following:

{{http://ec2-34-224-68-83.compute-1.amazonaws.com/}}
  5. Open the URL and ensure you see a web page similar to the following:


Create an OAuth Consent Screen

  1. Open the GCP Console and go to APIs & Services > OAuth consent screen.

  2. Select the user type Internal, then click Create.

  3. Create an OAuth Consent Screen with the following properties:


For the Developer contact information email address, use the username of the Qwiklabs user provided for this lab.

Confirm OAuth Consent has been setup

Create Self-Signed Certificate and OAuth Client

  1. Create a private key and certificate:

Open a new Cloud Shell session and run the openssl command to generate an RSA-2048 key.

openssl genrsa -out PRIVATE_KEY_FILE 2048
  2. Create an SSL config file called ssl_config:

touch ssl_config

  3. Use the following configuration for the contents of the file. You can either edit the file using vi or click the Open Editor button on the top right of Cloud Shell:

[req]
default_bits = 2048
req_extensions = extension_requirements
distinguished_name = dn_requirements
prompt = no

[extension_requirements]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[dn_requirements]
countryName = US
stateOrProvinceName = CA
localityName = Mountain View
0.organizationName = Cloud
organizationalUnitName = Example
commonName = Test

Note: To create a file from the console, type vi FILE_NAME; this opens the vi editor. Press i to edit the text in the file as desired. Press the Esc key to leave editing mode and type :x to save and exit vi.

  4. Run the following OpenSSL command to create a certificate signing request (CSR) file:

openssl req -new -key PRIVATE_KEY_FILE \
    -out CSR_FILE \
    -config ssl_config

Sign the CSR

Using a Self-Signed Certificate

When you sign a Certificate Signing Request (CSR) with the same private key that was used to create it, the result is a self-signed certificate.

Self-signed certificates are not trusted by clients unless the client is configured to skip certificate validation. For example, a web browser displays a message asking you if you want to trust a self-signed certificate before allowing you to proceed to a website using a self-signed certificate. You should only use self-signed certificates for testing or ephemeral scenarios like this lab.

  1. To create a self-signed certificate, run the following OpenSSL command:

openssl x509 -req \
    -signkey PRIVATE_KEY_FILE \
    -in CSR_FILE \
    -out CERTIFICATE_FILE.pem \
    -extfile ssl_config \
    -extensions extension_requirements \
    -days 365

Step 2: Create a self-managed SSL certificate resource

  1. Now that you have created a self-signed certificate, run the following command in Cloud Shell to create a self-managed SSL certificate resource from it. Click Authorize if prompted.

gcloud compute ssl-certificates create my-cert \
    --certificate=CERTIFICATE_FILE.pem \
    --private-key=PRIVATE_KEY_FILE \
    --global

Creating an IAP connector deployment

  1. Before performing the following steps, set the following environment variables:

export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")

Run the following commands to grant the service accounts the permissions required:

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com \
    --role=roles/owner
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member=serviceAccount:$PROJECT_NUMBER@cloudservices.gserviceaccount.com \
    --role=roles/owner
  2. Go to Security > Identity-Aware Proxy. Enable the API, then click Go To Identity-Aware Proxy.

  3. Click + On-Prem Connectors Setup to configure your IAP connector.

  • Click Enable APIs and Continue

  • Select the User generated certificate

  • Select certificate you created: my-cert

  • Select the default network and leave Subnet unselected.

  4. On the next page, "On-premises App Details", configure your app as below:

Your Public IPv4 DNS should resemble the following: {{https://ec2-52-87-221-175.compute-1.amazonaws.com}}

  • External facing application URL: {{Public IPv4 DNS}}

  • Application name: demo-app

  • Region: us-central1

  • On-prem endpoint type: Fully Qualified Domain Name (FQDN)

  5. Replace the following with your Public IPv4 DNS:

  • FQDN endpoint: {{Public IPv4 DNS}}
  • Protocol: HTTP
  • Port: 80

Click Done and then Submit.


After the warning sign appears in the status column:

  • Toggle IAP for the load balancer
  • Then turn it on


Configure the on-prem IAP connector

Testing Connectivity

  1. Navigate to Network services > Load balancing and select frontend.

  2. Select the HTTPS load balancer—you should see information like the following:

  3. Copy the External IP address.

  4. Run the following curl command against the external IP address:

curl -kvi https://EXTERNAL_IP

You will see an IAP generated response. This means you have successfully configured IAP for your AWS resource.

Note: If you are not receiving the expected output, you may have to wait around 10 minutes for the IAP configuration to take effect. Then try the curl command again.

  • The response should show a 302 redirect to accounts.google.com.
  • If you follow the URL, you should see a Google sign-in page.

Because you used a self-signed cert, you won’t be able to access the application itself. However, this confirms that IAP is configured and is protecting traffic.
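As an added check (example code, not part of the lab), the following Python parses captured responses like the ones curl prints and decides whether IAP is actually in front of the backend: a 302 to accounts.google.com means IAP is enforcing, a 2xx carrying the Apache test page means requests are reaching the backend with no IAP in the path, a redirect elsewhere is flagged separately, and anything else is treated as the configuration not having converged yet. The -k in the curl command skips certificate validation, which is only acceptable here because the certificate is the self-signed one from this lab. The response bytes are constructed samples; the client_id and redirect_uri values in them are placeholders.

```python
"""Classify the reply to `curl -kvi https://EXTERNAL_IP` from the IAP load balancer.

Added example, not part of the lab. The raw HTTP responses below are constructed
to resemble curl's output; client_id and redirect_uri are placeholders.
"""
from http.client import HTTPResponse
from io import BytesIO
from urllib.parse import urlsplit

# Constructed: what the lab expects once IAP is enforcing on the load balancer.
IAP_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    b"&redirect_uri=https%3A%2F%2F198.51.100.7%2F\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed: the Apache test page answering directly, i.e. no IAP in the path.
BACKEND_DIRECT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 9\r\n\r\n"
    b"Test Page"
)

# Constructed: the load balancer answering before the IAP configuration has converged.
NOT_READY = (
    b"HTTP/1.1 502 Bad Gateway\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)


class _CapturedSocket:
    """Just enough of a socket for http.client to parse a captured response."""

    def __init__(self, raw: bytes):
        self._raw = raw

    def makefile(self, *_args, **_kwargs):
        return BytesIO(self._raw)


def parse_response(raw: bytes) -> HTTPResponse:
    """Parse the status line and headers of a captured HTTP response."""
    resp = HTTPResponse(_CapturedSocket(raw))
    resp.begin()  # reads status line and headers; the body is left unread
    return resp


def classify_iap_response(raw: bytes) -> str:
    """Return one of: iap_redirect, other_redirect, backend_exposed, not_ready.

    Only an HTTPS redirect whose host is exactly accounts.google.com counts as
    IAP enforcing; a redirect to any other host is reported on its own so it
    is not mistaken for the IAP sign-in flow.
    """
    resp = parse_response(raw)
    target = urlsplit(resp.getheader("Location") or "")
    if resp.status in (302, 303) and target.scheme == "https" and target.hostname == "accounts.google.com":
        return "iap_redirect"
    if resp.status in (301, 302, 303, 307, 308):
        return "other_redirect"
    if 200 <= resp.status < 300:
        return "backend_exposed"
    return "not_ready"


if __name__ == "__main__":
    for name, raw in (("iap", IAP_REDIRECT), ("direct", BACKEND_DIRECT), ("502", NOT_READY)):
        print(f"{name}: {classify_iap_response(raw)}")
```

To use it on the live lab output, save the headers that `curl -kvi` prints (the lines after the `<` markers, joined with CRLF) and feed them to classify_iap_response; a backend_exposed result means IAP is not yet toggled on for the load balancer.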

Congratulations

You created a Cloud Router and VPN Gateway in Google Cloud Platform. Then you created a Customer Gateway, Virtual Private Gateway and Site-to-site VPN connection in Amazon Web Services. You then configured the bi-directional VPN tunnels to enable application connectivity. Finally, you deployed the BeyondCorp Enterprise Identity-Aware Proxy (IAP) On-Prem Connector to protect traffic routed to AWS.

Next Steps / Learn More

Google Cloud training and certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated: June 29, 2022

Lab Last Tested: June 29, 2022

End your lab

When you have completed your lab, click End Lab. Your account and the resources you've used are removed from the lab platform.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.