search
News – Google Cloud and Anthropic Launch Claude Apps Gateway for Secure Enterprise AI Deployment

Google Cloud and Anthropic Launch Claude Apps Gateway for Secure Enterprise AI Deployment

Google Cloud and Anthropic have released the Claude apps gateway, a self-hosted service that sits between local Claude Code clients and Google Cloud. It gives IT teams a single point to control identity, policy, cost, and routing for developers using Claude Code across an organization.

Why a Gateway, Not Just Per-Developer Credentials

Pointing a single Claude Code instance at Google Cloud is simple: set CLAUDE_CODE_USE_VERTEX=1, grant roles/aiplatform.user, and inference stays inside the GCP perimeter. Rolling that out across an entire engineering org is a different story. Now you’re managing per-developer cloud credentials, pushing managed-settings.json through MDM by hand, and flying blind on usage attribution and spend caps.

The gateway is built to close that gap. It runs as a stateless container on Cloud Run and adds:

  • Identity control: logins route through Google Workspace or any OIDC provider, swapping the token for a short-lived session so no API keys or service-account credentials ever sit on a developer’s laptop.
  • Server-side policy: RBAC rules live once in gateway.yaml and are re-checked on every /v1/messages call, so a local config edit changes nothing.
  • Attributed telemetry: usage metrics carry the verified email and group from a signed session token, shipped over OTLP to whatever monitoring stack a team already runs.
  • Spend limits: daily, weekly, or monthly caps per user, group, or org, enforced against a Cloud SQL ledger with a 429 response once a cap is hit.
  • Managed routing: all calls go out under one Cloud Run service identity, with failover between upstreams on 5xx, 429, or timeout.

The full setup: from provisioning the GCP foundation and writing gateway.yaml to deploying on Cloud Run or GKE, is documented in the Claude apps gateway config reference.

“The problem was never whether inference stayed inside the GCP perimeter: it was that nobody could say which developer triggered which call, or stop one runaway session from blowing through the budget. Putting identity, policy, and spend limits behind a single Cloud Run service is the kind of control enterprise security teams actually ask us for.”
Maksym Shapoval Director of Security Architecture, Cloudfresh

How Cloudfresh Helps

As a Google Cloud Premier Partner, Cloudfresh helps engineering and security teams provision, configure, and roll out services like the Claude apps gateway on their own GCP infrastructure: from IdP integration to RBAC policy design and ongoing cost governance.

Want help planning your Claude Code rollout on Google Cloud? Let's talk →
Sign up to cloud newsletter