All posts
October 15, 20251 min read

The port is open, but not to everyone.

An Identity-Aware Proxy (IAP) controls which requests enter your internal systems. It checks identity before allowing network access, often sitting in front of applications, APIs, and private admin tools. When working with an IAP, the internal port is more than a number—it determines where traffic lands inside your infrastructure after identity verification. An Identity-Aware Proxy internal port is the destination port on the protected resource. This is the port the IAP connects to once a reque

Free White Paper

Open Policy Agent (OPA) + End-to-End Encryption: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

An Identity-Aware Proxy (IAP) controls which requests enter your internal systems. It checks identity before allowing network access, often sitting in front of applications, APIs, and private admin tools. When working with an IAP, the internal port is more than a number—it determines where traffic lands inside your infrastructure after identity verification.

An Identity-Aware Proxy internal port is the destination port on the protected resource. This is the port the IAP connects to once a request has passed authentication and authorization. If your backend app listens on port 8080, the IAP must be configured to forward approved traffic to that port. Misalignment here causes failed connections or unintended exposure.

Identity-Aware Proxy internal port settings matter for:

  • Routing requests correctly to backend services.
  • Maintaining separation between public and internal ports.
  • Enforcing zero-trust patterns by isolating service entry points.
  • Supporting multi-tenant or multi-service deployments with distinct internal port mappings.

When the IAP receives a request, it binds to a public endpoint—a URL or IP+port—and checks the identity of the client. After granting access, it forwards the connection to the internal port defined in your configuration. The internal port is not exposed to the public internet; it should only be reachable through the proxy. Secure configurations often use firewall rules to allow traffic to the internal port only from the IAP’s IP range.

Continue reading? Get the full guide.

Open Policy Agent (OPA) + End-to-End Encryption: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Common best practices:

  1. Keep internal ports consistent across environments to avoid deployment drift.
  2. Use non-default port numbers to reduce scanning exposure.
  3. Document port mappings for each service behind the IAP.
  4. Monitor logs for unauthorized attempts targeting the internal port directly.

IAPs from providers like Google Cloud, AWS Verified Access, and custom NGINX setups all have mechanisms to set the internal port. The principle is the same—identity first, then traffic routing. Understanding and locking down this internal port is critical to securing your network from lateral movement and bypass attacks.

Configure your Identity-Aware Proxy internal port with intention. Test forwarding rules. Ensure your authentication stack intercepts every packet before it reaches sensitive processes.

Want to see this in action without the setup overhead? Launch a protected service on hoop.dev and watch identity-aware routing work live in minutes.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts