A deep dive into the zero-trust domain of the PCSE exam. This article organizes BeyondCorp Enterprise (Chrome Enterprise Premium), Identity-Aware Proxy (IAP), Context-Aware Access, Endpoint Verification, and VPC Service Controls into one coherent picture.
The productized version of BeyondCorp, Google's internal zero-trust implementation. Premise: throw out the idea that "inside the network = safe" and decide access based on device, user, and context.
| Supported resource | How to use it |
|---|---|
| App Engine / Cloud Run / GKE | Enable IAP on the HTTPS LB backend |
| Compute Engine VM | Use IAP TCP forwarding for SSH/RDP — no bastion host needed |
| On-premises web apps | Publish via the IAP Connector |
Access Level "trusted-corp" =
device.is_company_owned == true AND
device.os == "ChromeOS" OR (device.os == "Windows" AND device.encryption_status == "ENCRYPTED") AND
origin.region_code IN ("JP", "US") AND
origin.ip IN_RANGE ("203.0.113.0/24")| Pattern | Description |
|---|---|
| Dry-run mode | Logs violations without actually blocking. Essential for validation before going live |
| Bridge perimeter | Used for inter-perimeter communication (deprecated; prefer Ingress/Egress) |
| Restricted VIP | Only allow VPC SC-enforced APIs via restricted.googleapis.com |
| Private Google Access | Reach VPC SC-protected APIs from inside the VPC over a private IP |
What is BeyondCorp Enterprise?
It is the productized version of the internal zero-trust model Google has been running since 2011. No VPN is required: access decisions are made based on device posture, user identity, and context.
What does VPC Service Controls (VPC SC) protect?
It wraps the API layer of managed services like BigQuery, Cloud Storage, and Pub/Sub inside a perimeter to prevent data exfiltration. It provides API-level protection that network ACLs cannot reach.
How is IAP (Identity-Aware Proxy) related to BeyondCorp?
IAP is one of the core components of BeyondCorp. It sits in front of the HTTPS load balancer and performs OAuth authentication plus context evaluation. BeyondCorp Enterprise is the suite of IAP plus extras (Threat / DLP / Endpoint Verification).
What are the main attributes used by Context-Aware Access?
Device type, OS version, encryption status, company-owned vs personal, IP address, geographic location, and time of day. You combine these attributes to define Access Levels.
How many VPC SC perimeters can you create?
Up to 200 per organization (default). Inter-perimeter communication is governed via Ingress and Egress policies. Perimeter Bridge is deprecated; new designs should use Ingress/Egress rules.
Which services cannot be protected by VPC SC?
Application traffic inside Compute Engine VMs is out of scope (use VPC Firewall instead). VPC SC only covers managed API layers.
What is Chrome Enterprise Premium (formerly BeyondCorp Enterprise)?
Rebranded in 2024. It bundles Chrome browser management, zero-trust access, and DLP / Threat Prevention into a single product, absorbing ChromeOS and BeyondCorp Enterprise.
What is the common pattern for implementing zero trust on GCP?
Combine Cloud Identity + Endpoint Verification + IAP + Context-Aware Access + VPC SC to protect the API, Web, and Data layers. Pair it with AD federation and the rollout into existing enterprises is straightforward.
Related articles: PCSE / Security
GCP Professional Cloud Security Engineer (PCSE) 完全ガイド|IAM・KMS・BeyondCorp・SCC
Google Cloud Professional Cloud Security Engineer の試験範囲、IAM / Cloud KMS / VPC Service Controls / BeyondCorp / Security Command Center、AWS SCS・Azure SC-100 比較を詳解。
GCP Professional Cloud Network Engineer (PCNE) 完全ガイド|VPC・Interconnect・Load Balancing
Google Cloud Professional Cloud Network Engineer の試験範囲、VPC / Cloud Interconnect / Cloud Load Balancing / Cloud Armor、AWS ANS・Azure AZ-700 比較を詳解。
GCP PCNE 試験対策|Cloud Interconnect 詳細・HA VPN・Cross-Cloud・NCC 完全ガイド
Google Cloud Professional Cloud Network Engineer (PCNE) のハイブリッド接続を深掘り。Dedicated / Partner Interconnect / HA VPN / Cross-Cloud Interconnect / NCC / Private Service Connect を解説。
GCP VPC 設計パターン完全ガイド|Shared VPC・Peering・Cloud NAT・Cloud Armor
Google Cloud VPC のグローバルアーキテクチャ、Shared VPC、VPC Peering、Hierarchical Firewall、Cloud NAT、Cloud Armor、ロードバランサ 7 種類の使い分け、Flow Logs 活用を解説。
* Google Cloud and BeyondCorp are trademarks of Google LLC. For the latest information, see the official BeyondCorp Enterprise documentation.
Practice with certification-focused question sets
Visit the GCP exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Google Cloud Certification Roadmap (2026)
Choose your GCP certification path — Foundational, Associate...
CDL Cloud Digital Leader: Complete Exam Guide (2026)
Pass the Cloud Digital Leader exam — cloud business value, G...
GAIL Generative AI Leader: Complete Exam Guide (2026)
Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...
Vertex AI Fundamentals for GCP Certs (2026)
Vertex AI basics every cert candidate needs — Workbench, Pip...
Associate Cloud Engineer (ACE): Complete Guide (2026)
Pass the Associate Cloud Engineer exam — Console, gcloud, pr...