by brandon 2066 days ago
Historically at Google the exceptions fell into one of a few buckets:

* You used a modified client or client proxy (this was done for e.g. SSH)

* You used a remote-desktop protocol to remote into a machine with direct network access to the service

* The service got a wholesale exemption and was allowed through the firewall with ordinary IP ACLs

(descending order of impressiveness wrt the BeyondCorp philosophy and whitepaper)

Some of this is discussed in the "Non-HTTP Protocols" section of this paper: https://www.usenix.org/system/files/login/articles/login_win...


Why would you ever need option 2/3 when the IAP exists? Is there stuff that doesn't work over a tunneled connection?

The IAP is an HTTP proxy, so you need a way to send non-HTTP traffic. This might require client modifications (not everything is proxy-aware), and you can't always modify the source.

Some protocols are UDP and latency sensitive, which doesn't work well enough tunneled.