by yegle 2077 days ago
Looks like Google's BeyondCorp: https://cloud.google.com/beyondcorp. If you are on GCP, you can already use it (https://cloud.google.com/iap) to protect your HTTP and TCP backends.

This is not something new. The earliest open source project that I can recall is https://github.com/bitly/oauth2_proxy (although it might be missing the part where the proxy passes identity to the backend).

Pomerium is another open source project that's actively maintained. I've been using it as a reverse proxy to all my homelab websites (grafana, miniflux etc). I can now safely access all of these internal resources from outside of my home WiFi with automated SSL certificate configuration and renewal.

You can theoretically protect your SSH connection via these IAP proxies, using the Chrome SSH extension and an open source SSH relay implementation such as https://github.com/zyclonite/nassh-relay (but I personally haven't tried that).

Disclaimer: I work for Google and am a casual contributor to the Pomerium project.
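The pattern this comment describes (an identity-aware proxy in front of internal apps, the proxy passing the verified identity on to the backend, and the backend trusting that identity only because it came from the proxy) in working form, as an added illustration that is not code from Pomerium, IAP, oauth2_proxy or any poster in this thread. The policy table, the hostnames, the `_session` cookie, the `X-Forwarded-Email` / `X-Proxy-Assertion` header names and the shared HMAC key are all constructed for the example; the verification and header-stripping logic is the part that carries over to real deployments.

```python
"""Minimal identity-aware proxy decision logic (added example, not Pomerium/IAP code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a key shared between the proxy and its backends (constructed value).
PROXY_KEY = b"constructed-demo-key-do-not-use"

# Hypothetical access policy: which identities may reach which internal hostname.
POLICY = {
    "grafana.home.example": {"allowed_domains": ["example.com"]},
    "miniflux.home.example": {"allowed_users": ["alice@example.com"]},
}

# Headers only the proxy may set; anything the client sends under these names is dropped.
IDENTITY_HEADERS = ("x-forwarded-user", "x-forwarded-email", "x-proxy-assertion")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, key: bytes = PROXY_KEY) -> str:
    """HMAC-SHA256 over a base64url JSON body: '<body>.<mac>' (constructed token format)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify(token: str, key: bytes = PROXY_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the MAC matches and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, mac = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def authorize(host: str, email: str) -> bool:
    """Default deny: unknown backends and unlisted identities are refused."""
    rule = POLICY.get(host)
    if rule is None:
        return False
    if email in rule.get("allowed_users", []):
        return True
    return email.rsplit("@", 1)[-1] in rule.get("allowed_domains", [])


def proxy_request(host: str, headers: dict, cookies: dict, now: Optional[float] = None):
    """Proxy side. Returns (status, upstream_headers): 401 no/invalid session, 403 denied."""
    now = time.time() if now is None else now
    session = verify(cookies.get("_session", ""), now=now)
    if session is None:
        return 401, None
    email = session["email"]
    if not authorize(host, email):
        return 403, None
    # Strip client-supplied identity headers so a caller cannot impersonate another user.
    upstream = {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HEADERS}
    upstream["X-Forwarded-Email"] = email
    # Short-lived signed assertion bound to the target host, so the backend can check
    # that the identity really came from the proxy and was meant for it.
    upstream["X-Proxy-Assertion"] = sign({"email": email, "host": host, "exp": int(now) + 60})
    return 200, upstream


def backend_identity(headers: dict, expected_host: str, now: Optional[float] = None) -> Optional[str]:
    """Backend side: trust X-Forwarded-Email only when the proxy's assertion vouches for it."""
    claim = verify(headers.get("X-Proxy-Assertion", ""), now=now)
    if claim is None or claim.get("host") != expected_host:
        return None
    if claim.get("email") != headers.get("X-Forwarded-Email"):
        return None
    return claim["email"]


if __name__ == "__main__":
    session = sign({"email": "alice@example.com", "exp": int(time.time()) + 3600})
    status, up = proxy_request("grafana.home.example",
                               {"X-Forwarded-Email": "spoofed@example.com"},
                               {"_session": session})
    print(status, up["X-Forwarded-Email"], backend_identity(up, "grafana.home.example"))
```

The two checks worth copying from this are the ones that usually go missing in homegrown setups: the proxy drops any identity header the client supplied before adding its own, and the backend refuses the forwarded identity unless a signed, host-bound, short-lived assertion accompanies it (which also means the backend must not be reachable except through the proxy, or the assertion check is the only thing standing).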

7 comments

Also looks very much like Gravitational Teleport [0], which has been amazing to use. Teleport has a lot of advantages over Boundary right now based on its architecture. But Hashi does a good job of iterating quickly, so I'd guess that, as with most of their products, it evolves quickly.

[0] https://gravitational.com/teleport/

Disclaimer: I have no affiliation with any of these companies.

Also similar to Cloudflare One which was just announced: https://blog.cloudflare.com/introducing-cloudflare-one/

I think moving away from VPNs is gaining more adoption and is a good thing overall.

Looks like RBAC and SSO are paid features with Teleport (but I may be misunderstanding).

RBAC is paid for, but "Enterprise SSO" is different from the SSO supported in the Community Edition - it's described on their site as "SSO with Enterprise Identity". They list Okta, Sailpoint, Active Directory, OneLogin, G Suite, and Auth0 as examples. But you still get SSO in Community Edition.

My company self-hosts LDAP, so that's essentially a dealbreaker for us.

Even if they were the same, a big difference is that HashiCorp tools usually work on-prem and are OSS.

By default I expect Google to try to lock me into GCP, and I do not trust their OSS tools.

Since you mentioned you're a contributor to a similar project, I invite you to check our recently released zero trust service access control solution: https://github.com/seknox/trasa

It's a BeyondCorp-like, user-identity- and layer-7-aware access proxy for RDP, SSH, Web, and Database protocols with privileged access management, native two-factor auth agents, and device trust policies.

Disclaimer: I am a core maintainer of this project.

I immediately thought of BeyondCorp as well, and I have only read the papers about it. At my employer, which isn't even that large, we have on-prem hardware running VMs and k8s, some stuff in AWS, some stuff in Azure, and employees all over the world with various devices coming in through a VPN.

The old distinction of "internal network" and "external network" doesn't make much sense.

Is using IAM with managed serverless products (Run, Functions) effectively the same as using IAP+VMs? Curious if there is a world in which managed Cloud Run + IAP makes sense.

...and they all look like SOCKS5 proxies...

You can use https://github.com/cloudflare/nginx-google-oauth to do this with nginx too.

I've used this before & it was great - however, both this and the bitly oauth2 proxy linked above are archived.

https://github.com/oauth2-proxy/oauth2-proxy is a maintained fork.