by leg100
2381 days ago
Many organizations insist on making everything private, i.e. running on an RFC1918 IP address, within the corporate 'perimeter', cloud included. True, a cloud has an API, and that tends to be public rather than private, and that doesn't play well with the above approach. There are some band-aids for this, such as Google Cloud's VPC service controls, which restricts which clients can access the Cloud API, providing a second layer of defence to IAM. Personally I find this approach retrograde, because it assigns an element of trust to entities within the perimeter, whereas the BeyondCorp zero-trust approach does not, and plays well with the way public clouds have been designed (public endpoints).