Configure GCP BeyondCorp Security Gateway Applications

The gcp:beyondcorp/securityGatewayApplication:SecurityGatewayApplication resource, part of the Pulumi GCP provider, defines application endpoints protected by a BeyondCorp Security Gateway: hostname matching, upstream routing, and protocol configuration. This guide focuses on four capabilities: endpoint matching with hostnames and ports, VPC network routing with egress policies, API Gateway and Proxy Gateway schemas, and contextual header forwarding.

Security Gateway Applications belong to Security Gateway resources and route traffic to VPC networks or external endpoints. The examples are intentionally small. Combine them with your own Security Gateway infrastructure and upstream services.

Protect external endpoints with hostname matching

Teams protecting public services define which hostnames and ports the Security Gateway intercepts.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const _default = new gcp.beyondcorp.SecurityGateway("default", {
    securityGatewayId: "default-sg",
    displayName: "My Security Gateway resource",
    hubs: [{
        region: "us-central1",
    }],
});
const example = new gcp.beyondcorp.SecurityGatewayApplication("example", {
    securityGatewayId: _default.securityGatewayId,
    applicationId: "google-sga",
    endpointMatchers: [{
        hostname: "google.com",
        ports: [
            80,
            443,
        ],
    }],
});

import pulumi
import pulumi_gcp as gcp

default = gcp.beyondcorp.SecurityGateway("default",
    security_gateway_id="default-sg",
    display_name="My Security Gateway resource",
    hubs=[{
        "region": "us-central1",
    }])
example = gcp.beyondcorp.SecurityGatewayApplication("example",
    security_gateway_id=default.security_gateway_id,
    application_id="google-sga",
    endpoint_matchers=[{
        "hostname": "google.com",
        "ports": [
            80,
            443,
        ],
    }])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_default, err := beyondcorp.NewSecurityGateway(ctx, "default", &beyondcorp.SecurityGatewayArgs{
			SecurityGatewayId: pulumi.String("default-sg"),
			DisplayName:       pulumi.String("My Security Gateway resource"),
			Hubs: beyondcorp.SecurityGatewayHubArray{
				&beyondcorp.SecurityGatewayHubArgs{
					Region: pulumi.String("us-central1"),
				},
			},
		})
		if err != nil {
			return err
		}
		_, err = beyondcorp.NewSecurityGatewayApplication(ctx, "example", &beyondcorp.SecurityGatewayApplicationArgs{
			SecurityGatewayId: _default.SecurityGatewayId,
			ApplicationId:     pulumi.String("google-sga"),
			EndpointMatchers: beyondcorp.SecurityGatewayApplicationEndpointMatcherArray{
				&beyondcorp.SecurityGatewayApplicationEndpointMatcherArgs{
					Hostname: pulumi.String("google.com"),
					Ports: pulumi.IntArray{
						pulumi.Int(80),
						pulumi.Int(443),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var @default = new Gcp.Beyondcorp.SecurityGateway("default", new()
    {
        SecurityGatewayId = "default-sg",
        DisplayName = "My Security Gateway resource",
        Hubs = new[]
        {
            new Gcp.Beyondcorp.Inputs.SecurityGatewayHubArgs
            {
                Region = "us-central1",
            },
        },
    });

    var example = new Gcp.Beyondcorp.SecurityGatewayApplication("example", new()
    {
        SecurityGatewayId = @default.SecurityGatewayId,
        ApplicationId = "google-sga",
        EndpointMatchers = new[]
        {
            new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationEndpointMatcherArgs
            {
                Hostname = "google.com",
                Ports = new[]
                {
                    80,
                    443,
                },
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.beyondcorp.SecurityGateway;
import com.pulumi.gcp.beyondcorp.SecurityGatewayArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayHubArgs;
import com.pulumi.gcp.beyondcorp.SecurityGatewayApplication;
import com.pulumi.gcp.beyondcorp.SecurityGatewayApplicationArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationEndpointMatcherArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var default_ = new SecurityGateway("default", SecurityGatewayArgs.builder()
            .securityGatewayId("default-sg")
            .displayName("My Security Gateway resource")
            .hubs(SecurityGatewayHubArgs.builder()
                .region("us-central1")
                .build())
            .build());

        var example = new SecurityGatewayApplication("example", SecurityGatewayApplicationArgs.builder()
            .securityGatewayId(default_.securityGatewayId())
            .applicationId("google-sga")
            .endpointMatchers(SecurityGatewayApplicationEndpointMatcherArgs.builder()
                .hostname("google.com")
                .ports(                
                    80,
                    443)
                .build())
            .build());

    }
}

resources:
  default:
    type: gcp:beyondcorp:SecurityGateway
    properties:
      securityGatewayId: default-sg
      displayName: My Security Gateway resource
      hubs:
        - region: us-central1
  example:
    type: gcp:beyondcorp:SecurityGatewayApplication
    properties:
      securityGatewayId: ${default.securityGatewayId}
      applicationId: google-sga
      endpointMatchers:
        - hostname: google.com
          ports:
            - 80
            - 443

When traffic matches the hostname and ports in endpointMatchers, the Security Gateway routes it through BeyondCorp’s zero-trust controls. The securityGatewayId links this application to its parent gateway. Without upstreams configuration, the gateway uses default routing behavior.

Route traffic to VPC resources with egress policies

Applications in private VPCs need upstream configuration to specify network routing and regional egress.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const project = gcp.organizations.getProject({});
const _default = new gcp.beyondcorp.SecurityGateway("default", {
    securityGatewayId: "default-sg",
    displayName: "My Security Gateway resource",
    hubs: [{
        region: "us-central1",
    }],
});
const example = new gcp.beyondcorp.SecurityGatewayApplication("example", {
    securityGatewayId: _default.securityGatewayId,
    applicationId: "my-vm-service2",
    endpointMatchers: [{
        hostname: "my-vm-service.com",
        ports: [
            80,
            443,
        ],
    }],
    upstreams: [{
        egressPolicy: {
            regions: ["us-central1"],
        },
        network: {
            name: project.then(project => `projects/${project.projectId}/global/networks/default`),
        },
    }],
});

import pulumi
import pulumi_gcp as gcp

project = gcp.organizations.get_project()
default = gcp.beyondcorp.SecurityGateway("default",
    security_gateway_id="default-sg",
    display_name="My Security Gateway resource",
    hubs=[{
        "region": "us-central1",
    }])
example = gcp.beyondcorp.SecurityGatewayApplication("example",
    security_gateway_id=default.security_gateway_id,
    application_id="my-vm-service2",
    endpoint_matchers=[{
        "hostname": "my-vm-service.com",
        "ports": [
            80,
            443,
        ],
    }],
    upstreams=[{
        "egress_policy": {
            "regions": ["us-central1"],
        },
        "network": {
            "name": f"projects/{project.project_id}/global/networks/default",
        },
    }])

package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
		if err != nil {
			return err
		}
		_default, err := beyondcorp.NewSecurityGateway(ctx, "default", &beyondcorp.SecurityGatewayArgs{
			SecurityGatewayId: pulumi.String("default-sg"),
			DisplayName:       pulumi.String("My Security Gateway resource"),
			Hubs: beyondcorp.SecurityGatewayHubArray{
				&beyondcorp.SecurityGatewayHubArgs{
					Region: pulumi.String("us-central1"),
				},
			},
		})
		if err != nil {
			return err
		}
		_, err = beyondcorp.NewSecurityGatewayApplication(ctx, "example", &beyondcorp.SecurityGatewayApplicationArgs{
			SecurityGatewayId: _default.SecurityGatewayId,
			ApplicationId:     pulumi.String("my-vm-service2"),
			EndpointMatchers: beyondcorp.SecurityGatewayApplicationEndpointMatcherArray{
				&beyondcorp.SecurityGatewayApplicationEndpointMatcherArgs{
					Hostname: pulumi.String("my-vm-service.com"),
					Ports: pulumi.IntArray{
						pulumi.Int(80),
						pulumi.Int(443),
					},
				},
			},
			Upstreams: beyondcorp.SecurityGatewayApplicationUpstreamArray{
				&beyondcorp.SecurityGatewayApplicationUpstreamArgs{
					EgressPolicy: &beyondcorp.SecurityGatewayApplicationUpstreamEgressPolicyArgs{
						Regions: pulumi.StringArray{
							pulumi.String("us-central1"),
						},
					},
					Network: &beyondcorp.SecurityGatewayApplicationUpstreamNetworkArgs{
						Name: pulumi.Sprintf("projects/%v/global/networks/default", project.ProjectId),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var project = Gcp.Organizations.GetProject.Invoke();

    var @default = new Gcp.Beyondcorp.SecurityGateway("default", new()
    {
        SecurityGatewayId = "default-sg",
        DisplayName = "My Security Gateway resource",
        Hubs = new[]
        {
            new Gcp.Beyondcorp.Inputs.SecurityGatewayHubArgs
            {
                Region = "us-central1",
            },
        },
    });

    var example = new Gcp.Beyondcorp.SecurityGatewayApplication("example", new()
    {
        SecurityGatewayId = @default.SecurityGatewayId,
        ApplicationId = "my-vm-service2",
        EndpointMatchers = new[]
        {
            new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationEndpointMatcherArgs
            {
                Hostname = "my-vm-service.com",
                Ports = new[]
                {
                    80,
                    443,
                },
            },
        },
        Upstreams = new[]
        {
            new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamArgs
            {
                EgressPolicy = new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamEgressPolicyArgs
                {
                    Regions = new[]
                    {
                        "us-central1",
                    },
                },
                Network = new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamNetworkArgs
                {
                    Name = $"projects/{project.Apply(getProjectResult => getProjectResult.ProjectId)}/global/networks/default",
                },
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.beyondcorp.SecurityGateway;
import com.pulumi.gcp.beyondcorp.SecurityGatewayArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayHubArgs;
import com.pulumi.gcp.beyondcorp.SecurityGatewayApplication;
import com.pulumi.gcp.beyondcorp.SecurityGatewayApplicationArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationEndpointMatcherArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamEgressPolicyArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamNetworkArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
            .build());

        var default_ = new SecurityGateway("default", SecurityGatewayArgs.builder()
            .securityGatewayId("default-sg")
            .displayName("My Security Gateway resource")
            .hubs(SecurityGatewayHubArgs.builder()
                .region("us-central1")
                .build())
            .build());

        var example = new SecurityGatewayApplication("example", SecurityGatewayApplicationArgs.builder()
            .securityGatewayId(default_.securityGatewayId())
            .applicationId("my-vm-service2")
            .endpointMatchers(SecurityGatewayApplicationEndpointMatcherArgs.builder()
                .hostname("my-vm-service.com")
                .ports(                
                    80,
                    443)
                .build())
            .upstreams(SecurityGatewayApplicationUpstreamArgs.builder()
                .egressPolicy(SecurityGatewayApplicationUpstreamEgressPolicyArgs.builder()
                    .regions("us-central1")
                    .build())
                .network(SecurityGatewayApplicationUpstreamNetworkArgs.builder()
                    .name(String.format("projects/%s/global/networks/default", project.projectId()))
                    .build())
                .build())
            .build());

    }
}

resources:
  default:
    type: gcp:beyondcorp:SecurityGateway
    properties:
      securityGatewayId: default-sg
      displayName: My Security Gateway resource
      hubs:
        - region: us-central1
  example:
    type: gcp:beyondcorp:SecurityGatewayApplication
    properties:
      securityGatewayId: ${default.securityGatewayId}
      applicationId: my-vm-service2
      endpointMatchers:
        - hostname: my-vm-service.com
          ports:
            - 80
            - 443
      upstreams:
        - egressPolicy:
            regions:
              - us-central1
          network:
            name: projects/${project.projectId}/global/networks/default
variables:
  project:
    fn::invoke:
      function: gcp:organizations:getProject
      arguments: {}

The upstreams block defines where traffic goes after passing through the gateway. The network property references a VPC by full resource path. The egressPolicy restricts which regions can handle outbound connections, controlling data residency and latency.

Configure API Gateway schema with external endpoints

API-style applications specify external upstream endpoints and use the API_GATEWAY schema for discovery patterns.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const _default = new gcp.beyondcorp.SecurityGateway("default", {
    securityGatewayId: "default-sg-spa-api",
    displayName: "My SPA Security Gateway resource",
});
const example_spa = new gcp.beyondcorp.SecurityGatewayApplication("example-spa", {
    securityGatewayId: _default.securityGatewayId,
    applicationId: "app-discovery",
    upstreams: [{
        external: {
            endpoints: [{
                hostname: "my.discovery.service.com",
                port: 443,
            }],
        },
        proxyProtocol: {
            allowedClientHeaders: ["header"],
        },
    }],
    schema: "API_GATEWAY",
});

import pulumi
import pulumi_gcp as gcp

default = gcp.beyondcorp.SecurityGateway("default",
    security_gateway_id="default-sg-spa-api",
    display_name="My SPA Security Gateway resource")
example_spa = gcp.beyondcorp.SecurityGatewayApplication("example-spa",
    security_gateway_id=default.security_gateway_id,
    application_id="app-discovery",
    upstreams=[{
        "external": {
            "endpoints": [{
                "hostname": "my.discovery.service.com",
                "port": 443,
            }],
        },
        "proxy_protocol": {
            "allowed_client_headers": ["header"],
        },
    }],
    schema="API_GATEWAY")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_default, err := beyondcorp.NewSecurityGateway(ctx, "default", &beyondcorp.SecurityGatewayArgs{
			SecurityGatewayId: pulumi.String("default-sg-spa-api"),
			DisplayName:       pulumi.String("My SPA Security Gateway resource"),
		})
		if err != nil {
			return err
		}
		_, err = beyondcorp.NewSecurityGatewayApplication(ctx, "example-spa", &beyondcorp.SecurityGatewayApplicationArgs{
			SecurityGatewayId: _default.SecurityGatewayId,
			ApplicationId:     pulumi.String("app-discovery"),
			Upstreams: beyondcorp.SecurityGatewayApplicationUpstreamArray{
				&beyondcorp.SecurityGatewayApplicationUpstreamArgs{
					External: &beyondcorp.SecurityGatewayApplicationUpstreamExternalArgs{
						Endpoints: beyondcorp.SecurityGatewayApplicationUpstreamExternalEndpointArray{
							&beyondcorp.SecurityGatewayApplicationUpstreamExternalEndpointArgs{
								Hostname: pulumi.String("my.discovery.service.com"),
								Port:     pulumi.Int(443),
							},
						},
					},
					ProxyProtocol: &beyondcorp.SecurityGatewayApplicationUpstreamProxyProtocolArgs{
						AllowedClientHeaders: pulumi.StringArray{
							pulumi.String("header"),
						},
					},
				},
			},
			Schema: pulumi.String("API_GATEWAY"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var @default = new Gcp.Beyondcorp.SecurityGateway("default", new()
    {
        SecurityGatewayId = "default-sg-spa-api",
        DisplayName = "My SPA Security Gateway resource",
    });

    var example_spa = new Gcp.Beyondcorp.SecurityGatewayApplication("example-spa", new()
    {
        SecurityGatewayId = @default.SecurityGatewayId,
        ApplicationId = "app-discovery",
        Upstreams = new[]
        {
            new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamArgs
            {
                External = new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamExternalArgs
                {
                    Endpoints = new[]
                    {
                        new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamExternalEndpointArgs
                        {
                            Hostname = "my.discovery.service.com",
                            Port = 443,
                        },
                    },
                },
                ProxyProtocol = new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamProxyProtocolArgs
                {
                    AllowedClientHeaders = new[]
                    {
                        "header",
                    },
                },
            },
        },
        Schema = "API_GATEWAY",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.beyondcorp.SecurityGateway;
import com.pulumi.gcp.beyondcorp.SecurityGatewayArgs;
import com.pulumi.gcp.beyondcorp.SecurityGatewayApplication;
import com.pulumi.gcp.beyondcorp.SecurityGatewayApplicationArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamExternalArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamProxyProtocolArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var default_ = new SecurityGateway("default", SecurityGatewayArgs.builder()
            .securityGatewayId("default-sg-spa-api")
            .displayName("My SPA Security Gateway resource")
            .build());

        var example_spa = new SecurityGatewayApplication("example-spa", SecurityGatewayApplicationArgs.builder()
            .securityGatewayId(default_.securityGatewayId())
            .applicationId("app-discovery")
            .upstreams(SecurityGatewayApplicationUpstreamArgs.builder()
                .external(SecurityGatewayApplicationUpstreamExternalArgs.builder()
                    .endpoints(SecurityGatewayApplicationUpstreamExternalEndpointArgs.builder()
                        .hostname("my.discovery.service.com")
                        .port(443)
                        .build())
                    .build())
                .proxyProtocol(SecurityGatewayApplicationUpstreamProxyProtocolArgs.builder()
                    .allowedClientHeaders("header")
                    .build())
                .build())
            .schema("API_GATEWAY")
            .build());

    }
}

resources:
  default:
    type: gcp:beyondcorp:SecurityGateway
    properties:
      securityGatewayId: default-sg-spa-api
      displayName: My SPA Security Gateway resource
  example-spa:
    type: gcp:beyondcorp:SecurityGatewayApplication
    properties:
      securityGatewayId: ${default.securityGatewayId}
      applicationId: app-discovery
      upstreams:
        - external:
            endpoints:
              - hostname: my.discovery.service.com
                port: 443
          proxyProtocol:
            allowedClientHeaders:
              - header
      schema: API_GATEWAY

The schema property set to API_GATEWAY changes how the gateway handles requests. The external block in upstreams points to a specific hostname and port. The proxyProtocol configuration controls which client headers are forwarded to the upstream service.

Forward contextual headers with proxy protocol

Proxy applications pass user identity, device, and group information to upstream services through headers.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const _default = new gcp.beyondcorp.SecurityGateway("default", {
    securityGatewayId: "default-sg-spa-proxy",
    displayName: "My SPA Security Gateway resource",
});
const example_spa = new gcp.beyondcorp.SecurityGatewayApplication("example-spa", {
    securityGatewayId: _default.securityGatewayId,
    applicationId: "app-proxy",
    endpointMatchers: [{
        hostname: "a.site.com",
        ports: [443],
    }],
    upstreams: [{
        external: {
            endpoints: [{
                hostname: "my.proxy.service.com",
                port: 443,
            }],
        },
        proxyProtocol: {
            allowedClientHeaders: [
                "header1",
                "header2",
            ],
            contextualHeaders: {
                userInfo: {
                    outputType: "PROTOBUF",
                },
                groupInfo: {
                    outputType: "JSON",
                },
                deviceInfo: {
                    outputType: "NONE",
                },
                outputType: "JSON",
            },
            metadataHeaders: {
                "metadata-header1": "value1",
                "metadata-header2": "value2",
            },
            gatewayIdentity: "RESOURCE_NAME",
            clientIp: true,
        },
    }],
    schema: "PROXY_GATEWAY",
});

import pulumi
import pulumi_gcp as gcp

default = gcp.beyondcorp.SecurityGateway("default",
    security_gateway_id="default-sg-spa-proxy",
    display_name="My SPA Security Gateway resource")
example_spa = gcp.beyondcorp.SecurityGatewayApplication("example-spa",
    security_gateway_id=default.security_gateway_id,
    application_id="app-proxy",
    endpoint_matchers=[{
        "hostname": "a.site.com",
        "ports": [443],
    }],
    upstreams=[{
        "external": {
            "endpoints": [{
                "hostname": "my.proxy.service.com",
                "port": 443,
            }],
        },
        "proxy_protocol": {
            "allowed_client_headers": [
                "header1",
                "header2",
            ],
            "contextual_headers": {
                "user_info": {
                    "output_type": "PROTOBUF",
                },
                "group_info": {
                    "output_type": "JSON",
                },
                "device_info": {
                    "output_type": "NONE",
                },
                "output_type": "JSON",
            },
            "metadata_headers": {
                "metadata-header1": "value1",
                "metadata-header2": "value2",
            },
            "gateway_identity": "RESOURCE_NAME",
            "client_ip": True,
        },
    }],
    schema="PROXY_GATEWAY")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_default, err := beyondcorp.NewSecurityGateway(ctx, "default", &beyondcorp.SecurityGatewayArgs{
			SecurityGatewayId: pulumi.String("default-sg-spa-proxy"),
			DisplayName:       pulumi.String("My SPA Security Gateway resource"),
		})
		if err != nil {
			return err
		}
		_, err = beyondcorp.NewSecurityGatewayApplication(ctx, "example-spa", &beyondcorp.SecurityGatewayApplicationArgs{
			SecurityGatewayId: _default.SecurityGatewayId,
			ApplicationId:     pulumi.String("app-proxy"),
			EndpointMatchers: beyondcorp.SecurityGatewayApplicationEndpointMatcherArray{
				&beyondcorp.SecurityGatewayApplicationEndpointMatcherArgs{
					Hostname: pulumi.String("a.site.com"),
					Ports: pulumi.IntArray{
						pulumi.Int(443),
					},
				},
			},
			Upstreams: beyondcorp.SecurityGatewayApplicationUpstreamArray{
				&beyondcorp.SecurityGatewayApplicationUpstreamArgs{
					External: &beyondcorp.SecurityGatewayApplicationUpstreamExternalArgs{
						Endpoints: beyondcorp.SecurityGatewayApplicationUpstreamExternalEndpointArray{
							&beyondcorp.SecurityGatewayApplicationUpstreamExternalEndpointArgs{
								Hostname: pulumi.String("my.proxy.service.com"),
								Port:     pulumi.Int(443),
							},
						},
					},
					ProxyProtocol: &beyondcorp.SecurityGatewayApplicationUpstreamProxyProtocolArgs{
						AllowedClientHeaders: pulumi.StringArray{
							pulumi.String("header1"),
							pulumi.String("header2"),
						},
						ContextualHeaders: &beyondcorp.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersArgs{
							UserInfo: &beyondcorp.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersUserInfoArgs{
								OutputType: pulumi.String("PROTOBUF"),
							},
							GroupInfo: &beyondcorp.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersGroupInfoArgs{
								OutputType: pulumi.String("JSON"),
							},
							DeviceInfo: &beyondcorp.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersDeviceInfoArgs{
								OutputType: pulumi.String("NONE"),
							},
							OutputType: pulumi.String("JSON"),
						},
						MetadataHeaders: pulumi.StringMap{
							"metadata-header1": pulumi.String("value1"),
							"metadata-header2": pulumi.String("value2"),
						},
						GatewayIdentity: pulumi.String("RESOURCE_NAME"),
						ClientIp:        pulumi.Bool(true),
					},
				},
			},
			Schema: pulumi.String("PROXY_GATEWAY"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var @default = new Gcp.Beyondcorp.SecurityGateway("default", new()
    {
        SecurityGatewayId = "default-sg-spa-proxy",
        DisplayName = "My SPA Security Gateway resource",
    });

    var example_spa = new Gcp.Beyondcorp.SecurityGatewayApplication("example-spa", new()
    {
        SecurityGatewayId = @default.SecurityGatewayId,
        ApplicationId = "app-proxy",
        EndpointMatchers = new[]
        {
            new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationEndpointMatcherArgs
            {
                Hostname = "a.site.com",
                Ports = new[]
                {
                    443,
                },
            },
        },
        Upstreams = new[]
        {
            new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamArgs
            {
                External = new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamExternalArgs
                {
                    Endpoints = new[]
                    {
                        new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamExternalEndpointArgs
                        {
                            Hostname = "my.proxy.service.com",
                            Port = 443,
                        },
                    },
                },
                ProxyProtocol = new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamProxyProtocolArgs
                {
                    AllowedClientHeaders = new[]
                    {
                        "header1",
                        "header2",
                    },
                    ContextualHeaders = new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersArgs
                    {
                        UserInfo = new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersUserInfoArgs
                        {
                            OutputType = "PROTOBUF",
                        },
                        GroupInfo = new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersGroupInfoArgs
                        {
                            OutputType = "JSON",
                        },
                        DeviceInfo = new Gcp.Beyondcorp.Inputs.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersDeviceInfoArgs
                        {
                            OutputType = "NONE",
                        },
                        OutputType = "JSON",
                    },
                    MetadataHeaders = 
                    {
                        { "metadata-header1", "value1" },
                        { "metadata-header2", "value2" },
                    },
                    GatewayIdentity = "RESOURCE_NAME",
                    ClientIp = true,
                },
            },
        },
        Schema = "PROXY_GATEWAY",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.beyondcorp.SecurityGateway;
import com.pulumi.gcp.beyondcorp.SecurityGatewayArgs;
import com.pulumi.gcp.beyondcorp.SecurityGatewayApplication;
import com.pulumi.gcp.beyondcorp.SecurityGatewayApplicationArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationEndpointMatcherArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamExternalArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamProxyProtocolArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersUserInfoArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersGroupInfoArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersDeviceInfoArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var default_ = new SecurityGateway("default", SecurityGatewayArgs.builder()
            .securityGatewayId("default-sg-spa-proxy")
            .displayName("My SPA Security Gateway resource")
            .build());

        var example_spa = new SecurityGatewayApplication("example-spa", SecurityGatewayApplicationArgs.builder()
            .securityGatewayId(default_.securityGatewayId())
            .applicationId("app-proxy")
            .endpointMatchers(SecurityGatewayApplicationEndpointMatcherArgs.builder()
                .hostname("a.site.com")
                .ports(443)
                .build())
            .upstreams(SecurityGatewayApplicationUpstreamArgs.builder()
                .external(SecurityGatewayApplicationUpstreamExternalArgs.builder()
                    .endpoints(SecurityGatewayApplicationUpstreamExternalEndpointArgs.builder()
                        .hostname("my.proxy.service.com")
                        .port(443)
                        .build())
                    .build())
                .proxyProtocol(SecurityGatewayApplicationUpstreamProxyProtocolArgs.builder()
                    .allowedClientHeaders(                    
                        "header1",
                        "header2")
                    .contextualHeaders(SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersArgs.builder()
                        .userInfo(SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersUserInfoArgs.builder()
                            .outputType("PROTOBUF")
                            .build())
                        .groupInfo(SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersGroupInfoArgs.builder()
                            .outputType("JSON")
                            .build())
                        .deviceInfo(SecurityGatewayApplicationUpstreamProxyProtocolContextualHeadersDeviceInfoArgs.builder()
                            .outputType("NONE")
                            .build())
                        .outputType("JSON")
                        .build())
                    .metadataHeaders(Map.ofEntries(
                        Map.entry("metadata-header1", "value1"),
                        Map.entry("metadata-header2", "value2")
                    ))
                    .gatewayIdentity("RESOURCE_NAME")
                    .clientIp(true)
                    .build())
                .build())
            .schema("PROXY_GATEWAY")
            .build());

    }
}

resources:
  default:
    type: gcp:beyondcorp:SecurityGateway
    properties:
      securityGatewayId: default-sg-spa-proxy
      displayName: My SPA Security Gateway resource
  example-spa:
    type: gcp:beyondcorp:SecurityGatewayApplication
    properties:
      securityGatewayId: ${default.securityGatewayId}
      applicationId: app-proxy
      endpointMatchers:
        - hostname: a.site.com
          ports:
            - 443
      upstreams:
        - external:
            endpoints:
              - hostname: my.proxy.service.com
                port: 443
          proxyProtocol:
            allowedClientHeaders:
              - header1
              - header2
            contextualHeaders:
              userInfo:
                outputType: PROTOBUF
              groupInfo:
                outputType: JSON
              deviceInfo:
                outputType: NONE
              outputType: JSON
            metadataHeaders:
              metadata-header1: value1
              metadata-header2: value2
            gatewayIdentity: RESOURCE_NAME
            clientIp: true
      schema: PROXY_GATEWAY

The contextualHeaders block serializes BeyondCorp context into headers. Each info type (userInfo, groupInfo, deviceInfo) can output as JSON, PROTOBUF, or NONE. The metadataHeaders add custom key-value pairs. Setting clientIp to true forwards the original client IP address. This extends the API Gateway pattern by adding comprehensive header forwarding for identity-aware proxying.

Beyond these examples

These snippets focus on specific Security Gateway Application features: endpoint matching and routing, VPC network integration with egress policies, API Gateway and Proxy Gateway schemas, and contextual header forwarding. They’re intentionally minimal rather than full zero-trust deployments.

The examples reference pre-existing infrastructure such as BeyondCorp Security Gateway resources, VPC networks (for VPC routing examples), and external services at specified hostnames. They focus on configuring the application endpoint rather than provisioning the surrounding infrastructure.

To keep things focused, common application patterns are omitted, including:

Display names and resource descriptions (displayName)
Multiple upstream configurations
Complex endpoint matcher combinations
TLS and certificate configuration

These omissions are intentional: the goal is to illustrate how each Security Gateway Application feature is wired, not provide drop-in zero-trust modules. See the BeyondCorp Security Gateway Application resource reference for all available configuration options.

Let's configure GCP BeyondCorp Security Gateway Applications

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Configuration & Setup

What properties are immutable after creation?

The applicationId, securityGatewayId, and project properties cannot be changed after resource creation. Plan these values carefully, as modifications require recreating the resource.

What are the naming requirements for applicationId?

The applicationId must start with a letter, contain 4-63 characters from /a-z-/, and end with a number or letter.

What's required to create a Security Gateway Application?

You need applicationId, securityGatewayId, and project (all immutable), plus endpointMatchers to define which traffic to protect.

Endpoint Matching

How do endpoint matchers work with multiple conditions?

Endpoint matchers use OR logic—the rule matches if any condition is met. You can specify hostname only or combine hostname with ports, like ("abc.com" and "22,33").

Can I use wildcards in hostname matching?

Yes, wildcards are supported in hostnames. For example, *.abc.com matches all subdomains of abc.com.

Application Types & Schemas

What's the difference between PROXY_GATEWAY and API_GATEWAY schemas?

PROXY_GATEWAY is used for proxying traffic with endpoint matchers and supports extensive proxy protocol configuration. API_GATEWAY is for API discovery services without endpoint matchers.

When should I configure the schema property?

Set schema to PROXY_GATEWAY for proxy services with endpoint matching, or API_GATEWAY for API discovery services. If omitted, the default behavior applies.

Upstream Configuration

What's the difference between VPC and external upstreams?

VPC upstreams use network and egressPolicy to route traffic to internal resources within your VPC. External upstreams use endpoints to route traffic to external services outside your network.

When should I use proxyProtocol configuration?

Use proxyProtocol with PROXY_GATEWAY schema to forward contextual headers (user/group/device info), metadata headers, gateway identity, and client IP information to upstream services.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides