Requirements
Access to your Google Cloud and Workspace account.
Level of Effort: 5/10
Estimated Time Required: 15–25 minutes
To allow traffic from CloudApps while Context-Aware Access is active in Google Workspace, you need to create a custom access level in the Google Cloud Console, which is part of Google Cloud Platform (GCP). This setup is separate from Google Workspace, and a Google Cloud project is required to complete it. After creating the custom access level, you will assign it to your Google Workspace apps. The step-by-step instructions follow.
Prerequisite for Google Cloud Console Setup
Before proceeding with Step 1 in the Google Cloud Console, it is essential to set up your Google Cloud Organization. For users unfamiliar with Google Cloud, please review the following information as a prerequisite.
Setting up an Organization:
Please refer to the guide for setting up and managing your Google Cloud resources by following this link: Setting up an Organization.
This guide provides all the necessary information to manage your GCP resources, including setting up the organization, and walks you through the steps needed to configure your environment before proceeding with the custom access level setup.
Step 1: Creating the Custom Access Level
Access Context Manager via the Google Cloud Console (https://console.cloud.google.com/)
Open Google Cloud Console and search for Access Context Manager.
Once on the Access Context Manager page, click on CREATE ACCESS LEVEL.
Provide a name for the new access level and select Basic mode.
Configuring Conditions
Under Conditions, create an access level with an OR condition:
First, create the initial condition.
Condition 1
Condition 2
After setting the first condition, click +ADD ANOTHER CONDITION and choose OR under "Combine conditions with."
Set TRUE
Click + IP subnetworks.
In the new IP Subnetworks section:
Select PRIVATE IP and click on SELECT VPC NETWORKS.
Under the Add VPC Networks panel, choose Manually enter VPC Network address (//compute.googleapis.com/projects/[project-id]/global/networks/[vpc-network-id]) from the dropdown menu.
Paste the VPC information provided by itopia during the configuration meeting.
Click ADD VPC NETWORK.
In the Select Subnets section:
Optional: Move on to next step
The completed access level should look like this:
Once all configurations are complete, click SAVE.
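After saving, the level can be checked against what Step 1 describes: conditions combined with OR, and a VPC network entry in the documented resource-name format. The script below is an added example, not itopia's or Google's code; it assumes the level has been exported with `gcloud access-context-manager levels describe --format=json`, and the project, network, IP range and the contents of Condition 1 in the sample are constructed placeholders.

```python
import ipaddress
import json
import re

# Resource-name format shown in the Add VPC Networks panel.
VPC_RE = re.compile(r"^//compute\.googleapis\.com/projects/[^/]+/global/networks/[^/]+$")

def audit_access_level(level, expected_network):
    """Return findings for one access level; an empty list means it matches the guide."""
    findings = []
    basic = level.get("basic", {})
    # Access Context Manager combines conditions with AND unless OR is set.
    if basic.get("combiningFunction", "AND") != "OR":
        findings.append("conditions are not combined with OR")
    networks = []
    for i, cond in enumerate(basic.get("conditions", []), start=1):
        if cond.get("negate"):
            findings.append(f"condition {i} is negated")
        for cidr in cond.get("ipSubnetworks", []):
            # With OR, one catch-all range makes every other condition irrelevant.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"condition {i} allows every address ({cidr})")
        for src in cond.get("vpcNetworkSources", []):
            net = src.get("vpcSubnetwork", {}).get("network", "")
            networks.append(net)
            if not VPC_RE.match(net):
                findings.append(f"condition {i}: malformed VPC network {net!r}")
            elif net != expected_network:
                findings.append(f"condition {i}: unexpected VPC network {net}")
    if expected_network not in networks:
        findings.append("expected VPC network is missing")
    return findings

# Constructed sample shaped like the JSON export of an access level.
# Condition 1 is a stand-in because the page does not show its contents.
EXPECTED = "//compute.googleapis.com/projects/example-project/global/networks/example-vpc"
SAMPLE = json.loads("""
{"title": "cloudapps-access",
 "basic": {"combiningFunction": "OR",
           "conditions": [
             {"ipSubnetworks": ["203.0.113.0/24"]},
             {"vpcNetworkSources": [{"vpcSubnetwork": {"network":
               "//compute.googleapis.com/projects/example-project/global/networks/example-vpc"}}]}
           ]}}
""")

if __name__ == "__main__":
    for finding in audit_access_level(SAMPLE, EXPECTED) or ["OK: level matches the guide"]:
        print(finding)
```

Replace `EXPECTED` with the VPC information provided by itopia and `SAMPLE` with the exported JSON of your own access level.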
Step 2: Using the Custom Access Level
Once the custom access level is created, the second step is to assign it to your Google Workspace apps so that users aren’t blocked by Context-Aware Access policies.
Assigning the Access Level to Google Workspace Apps
Open the Google Workspace Admin Console and navigate to Security > Access and data control > Context-Aware Access.
Under the Assign access levels section, click Assign access levels to apps.
For the app you want to configure:
From the list of access levels, choose the rule created in Google Cloud Console by clicking Select for that rule. Ensure the boxes for Monitor and Active are checked. Click Continue.
Under Other enforcement settings, check Block users from accessing Google desktop and mobile apps if access levels aren’t met.
Review all settings and click ASSIGN.
Confirmation
If you encounter any issues during this process, please contact itopia support for assistance.