Configure IAP to authenticate web access to the CLB domain and path

Last updated: 2025-01-16 09:44:05
Identity Aware Platform (IAP) binds to the CLB listener via domain names and paths, enabling authentication and permission control for HTTPS web traffic passing through the CLB listener. This document will describe how to authenticate the domain names and paths already added to CLB by using IAP.

Prerequisites

You have successfully created an HTTP or HTTPS listener, and the domain name can be accessed normally. CLB does not support IAP authentication for the HTTP/1.0 protocol. For more information, please refer to Getting Started with CLB.

Directions

Step 1: Confirm the CLB Domain Name Configuration

This document uses protection of the www.example.com domain name as an example.
1. Log in to the CLB console and click Instance Management in the left sidebar.
2. On the Instance Management page, select the region. In the instance list, click the Operation column on the right side of the target instance, then select Configure Listener.
3. In the HTTP/HTTPS Listener area on the Listener Management tab, click + on the left of the target listener to view domain name details.

4. Check the CLB domain name configuration: The CLB instance ID is "lb-****", the listener name is "test", and the domain name monitored by the listener forwarding rule is www.example.com. The details page on the right provides a link to the IAP configuration.

Step 2: In the IAP, Enable or Disable the Authentication Feature for the Domain Name and Path

By clicking the IAP link in Step 1, you can enter the IAP configuration page, where you can enable or disable the IAP feature for the domain name and path under the CLB instance.
1. Log in to the IAP console, and select Instance Management in the left sidebar.
2. On the Instance Management page, select CLB Instance > Listener > URL, to enable/disable IAP.



Field Description
Domain name: The domain name that needs IAP configuration (www.example.com in this example).
URL: The specific path /.
IAP Authentication: The switch for IAP authentication.
Policy: The forwarding behavior of CLB when the IAP authentication service is unavailable.
Note:
The default is "Reject". When the IAP service is unavailable in extreme cases, CLB will block customer requests.

Step 3: Navigate to CAM to Configure the Relevant Policies

This document uses the configuration of authentication for www.example.com/ as an example.
1. Log in to the CAM console. In the left navigation bar, click Policies.
2. On the Policies page, click Create Custom Policy.
3. On the Create Custom Policy tab, select Allow for the effect, select Cloud Load Balancer Identity Auth (clbia) for the service, and select All for the action. Fill in the resource content based on the Six-Segment Resource Description format.

The generated policy JSON format is as follows:

Field Description:
CLB Six-Segment Resource Description: qcs::clbia:${region}:uin/${uin}:clb/${loadbalancerid}/${vport}/${protocol}/${domain}/${uLocationId}
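
The following added example (not part of the original documentation and not Tencent Cloud's own code) parses the six-segment clbia resource description above and flags allow statements scoped more broadly than a single domain and URL. The policy layout (version, statement, effect, action, resource), the clbia:* action string, and every identifier in the sample are assumptions constructed for illustration.

```python
import json

# Segment names from the page's six-segment resource description for clbia.
PATH_FIELDS = ["loadbalancerid", "vport", "protocol", "domain", "uLocationId"]

def parse_clbia_resource(resource):
    """Split qcs::clbia:<region>:uin/<uin>:clb/<lb>/<vport>/<protocol>/<domain>/<uLocationId>."""
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs" or parts[2] != "clbia":
        raise ValueError("not a clbia six-segment resource: %r" % resource)
    account, path = parts[4], parts[5]
    if not account.startswith("uin/") or not path.startswith("clb/"):
        raise ValueError("malformed account or resource segment: %r" % resource)
    values = path[len("clb/"):].split("/")
    if len(values) != len(PATH_FIELDS):
        raise ValueError("expected %d path fields, got %d" % (len(PATH_FIELDS), len(values)))
    fields = {"region": parts[3], "uin": account[len("uin/"):]}
    fields.update(zip(PATH_FIELDS, values))
    return fields

def audit_policy(policy_json):
    """Return (statement index, resource, reason) for allow scopes broader than one URL."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("statement", [])):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue
        resources = stmt.get("resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res == "*":
                findings.append((i, res, "resource is a bare wildcard"))
                continue
            try:
                fields = parse_clbia_resource(res)
            except ValueError as exc:
                findings.append((i, res, str(exc)))
                continue
            # Assumption: an empty segment is treated as unscoped, like "*".
            wild = [name for name, value in fields.items() if "*" in value or value == ""]
            if wild:
                findings.append((i, res, "wildcard or empty: " + ", ".join(wild)))
    return findings

# Constructed sample policy (assumed layout; placeholder uin, instance and rule IDs).
SAMPLE_POLICY = json.dumps({"version": "2.0", "statement": [
    {"effect": "allow", "action": ["clbia:*"], "resource": [
        "qcs::clbia:ap-guangzhou:uin/100000000001:clb/lb-example01/443/HTTPS/www.example.com/loc-example01",
        "qcs::clbia:ap-guangzhou:uin/100000000001:clb/lb-example01/443/HTTPS/*/*"]}]})
```

Calling audit_policy(SAMPLE_POLICY) reports only the second resource, whose domain and uLocationId segments are wildcards.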

Step 4: Associate the Policy with a User or User Group

1. On the Policy Management page, select Policy Usage.
2. Associate users or user groups.


Step 5: Validate the Result

1. IAP is enabled at the URL level, authenticating traffic for the domain name + URL that passes through the CLB listener. To verify whether IAP is effective, please ensure that your local computer can normally access the domain names added under different CLB instances.
Note:
To verify whether the access to domain names added in CLB is normal, for IPv4 domain name requests, please refer to Verifying CLB Service under Getting Started with CLB, and for IPv6 domain name requests, please refer to Step 4: Test IPv6 CLB under Getting Started with IPv6 CLB.
2. Enter the URL http://www.example.com/ in the browser and visit it. If the browser redirects to the login page, it indicates that the IAP authentication feature is functioning normally.
Note:
www.example.com is the domain name used in this example. You need to replace this domain name with the actual domain name you have added.


