Cloud IAP instead of VPN

The client — a mid-sized SaaS company with engineering, product, and QA teams spread across three time zones — had grown their internal tooling estate organically. Grafana dashboards, Kibana log explorers, a self-hosted Retool instance, and several staging environments for customer-facing services were all gated behind a single OpenVPN server running on an EC2 instance. Every new hire had to receive a pre-shared certificate, install the OpenVPN client, troubleshoot DNS split-tunneling on their particular OS, and then figure out which internal hostname mapped to which tool. On a good day this took two hours. On a bad day — a new MacBook with an unfamiliar network profile, or a contractor on Windows — it stretched across an entire afternoon with a senior engineer on a call.

The operational burden compounded over time. Certificate revocation was manual and error-prone: when a contractor’s engagement ended, there was no guarantee their cert was invalidated promptly. The VPN server itself became a single point of failure with no meaningful redundancy — a botched OpenVPN config push once locked out the entire engineering team for ninety minutes during an incident response. Licensing costs for the commercial VPN client they’d adopted were running $18 per user per month, and with headcount growing, finance had flagged it as a line item worth scrutinising. The team knew the architecture was fragile, but the path forward wasn’t obvious — they didn’t want to trade one painful VPN for another.

We replaced the VPN entirely with Google Cloud Identity-Aware Proxy, fronted by a Cloud Load Balancer with a Google-managed TLS certificate. The fundamental shift is architectural: instead of granting a user a network tunnel and trusting them to reach only what they’re supposed to, IAP sits in front of each internal application and enforces an identity check on every single request. The user’s browser is redirected to Google’s OAuth flow, their identity is verified against the company’s Google Workspace directory, and only if they belong to the correct group — grafana-readers@, retool-engineers@, and so on — does the request get forwarded to the backend. No client software, no certificates, no split-DNS.

We provisioned the entire IAP configuration in Terraform, which gave the client an auditable, version-controlled record of exactly who has access to what. Context-aware access policies added a second layer: even authenticated users are denied if they’re connecting from a device that hasn’t passed Chrome’s endpoint verification checks, or from a country outside the approved list. For the staging environments specifically, we configured IAP to accept requests from the CI/CD service account used in their GitHub Actions pipelines, so automated smoke tests continued to run without any human-in-the-loop authentication. The migration itself ran in parallel — IAP endpoints went live before the VPN was decommissioned, giving every team member time to verify access at their own pace before the old infrastructure was torn down.