Implementing Zero Trust Network Access

Workflow

Step 1: Deploy GCP Identity-Aware Proxy (IAP) for Application Access

Configure IAP to provide authenticated access to web applications without VPN.

# Enable IAP API
gcloud services enable iap.googleapis.com

# Configure OAuth consent screen
gcloud iap oauth-brands create \
  --application_title="Corporate Apps" \
  [email protected]

# Enable IAP on an App Engine application
gcloud iap web enable \
  --resource-type=app-engine \
  --oauth2-client-id=CLIENT_ID \
  --oauth2-client-secret=CLIENT_SECRET

# Enable IAP on a backend service (GCE/GKE)
gcloud compute backend-services update BACKEND_SERVICE \
  --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
  --global

# Set IAP access policy (who can access)
gcloud iap web add-iam-policy-binding \
  --resource-type=app-engine \
  --member="group:[email protected]" \
  --role="roles/iap.httpsResourceAccessor"

# Configure access levels based on device and context
gcloud access-context-manager levels create corporate-device \
  --title="Corporate Managed Device" \
  --basic-level-spec=level-spec.yaml \
  --policy=POLICY_ID

Step 2: Implement AWS Verified Access for Zero Trust

Deploy AWS Verified Access to provide identity-based access to internal applications.

# Create a Verified Access trust provider (OIDC)
aws ec2 create-verified-access-trust-provider \
  --trust-provider-type user \
  --user-trust-provider-type oidc \
  --oidc-options '{
    "Issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0",
    "AuthorizationEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize",
    "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
    "UserInfoEndpoint": "https://graph.microsoft.com/oidc/userinfo",
    "ClientId": "CLIENT_ID",
    "ClientSecret": "CLIENT_SECRET",
    "Scope": "openid profile email"
  }'

# Create a Verified Access instance
aws ec2 create-verified-access-instance \
  --description "Zero Trust Access Instance"

# Attach trust provider to instance
aws ec2 attach-verified-access-trust-provider \
  --verified-access-instance-id vai-INSTANCE_ID \
  --verified-access-trust-provider-id vatp-PROVIDER_ID

# Create a Verified Access group with policy
aws ec2 create-verified-access-group \
  --verified-access-instance-id vai-INSTANCE_ID \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": "*",
      "Action": "verified-access:AllowAccess",
      "Condition": {
        "StringEquals": {
          "verified-access:user/groups": "engineering"
        }
      }
    }]
  }'

# Create endpoint for an internal application
aws ec2 create-verified-access-endpoint \
  --verified-access-group-id vag-GROUP_ID \
  --endpoint-type load-balancer \
  --attachment-type vpc \
  --domain-certificate-arn arn:aws:acm:REGION:ACCOUNT:certificate/CERT_ID \
  --application-domain app.internal.company.com \
  --endpoint-domain-prefix app \
  --load-balancer-options '{
    "LoadBalancerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/internal-app/xxx",
    "Port": 443,
    "Protocol": "https",
    "SubnetIds": ["subnet-xxx"]
  }'

Step 3: Configure Azure Private Link and Conditional Access

Set up Azure Private Link for network isolation and conditional access for identity-based controls.

# Create Private Endpoint for an Azure service
az network private-endpoint create \
  --name app-private-endpoint \
  --resource-group production-rg \
  --vnet-name production-vnet \
  --subnet private-endpoint-subnet \
  --private-connection-resource-id /subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Web/sites/internal-app \
  --group-ids sites \
  --connection-name app-connection

# Configure private DNS zone for the service
az network private-dns zone create \
  --resource-group production-rg \
  --name privatelink.azurewebsites.net

az network private-dns link vnet create \
  --resource-group production-rg \
  --zone-name privatelink.azurewebsites.net \
  --name production-link \
  --virtual-network production-vnet \
  --registration-enabled false

# Create Conditional Access policy requiring compliant device + MFA
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
    DisplayName = "Zero Trust - Require MFA and Compliant Device"
    State = "enabled"
    Conditions = @{
        Applications = @{
            IncludeApplications = @("All")
        }
        Users = @{
            IncludeUsers = @("All")
            ExcludeGroups = @("BreakGlass-Group-ID")
        }
        Locations = @{
            IncludeLocations = @("All")
            ExcludeLocations = @("AllTrusted")
        }
    }
    GrantControls = @{
        Operator = "AND"
        BuiltInControls = @("mfa", "compliantDevice")
    }
    SessionControls = @{
        SignInFrequency = @{
            Value = 4
            Type = "hours"
            IsEnabled = $true
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Step 4: Implement Micro-Segmentation with Network Policies

Deploy network-level micro-segmentation to complement identity-based access controls.

# AWS: Create security groups for micro-segmentation
aws ec2 create-security-group \
  --group-name web-tier-sg \
  --description "Web tier - only HTTPS from ALB" \
  --vpc-id vpc-PROD

aws ec2 authorize-security-group-ingress \
  --group-id sg-WEB \
  --protocol tcp --port 443 \
  --source-group sg-ALB

aws ec2 create-security-group \
  --group-name app-tier-sg \
  --description "App tier - only from web tier"

aws ec2 authorize-security-group-ingress \
  --group-id sg-APP \
  --protocol tcp --port 8080 \
  --source-group sg-WEB

# Kubernetes NetworkPolicy for pod-level segmentation
cat << 'EOF' | kubectl apply -f -
apiVersion: networking.k8s.io/v1