Connect to Linux VMs using a bastion host
This document describes how to connect to a virtual machine (VM) instance through its internal IP address, using a bastion host VM. Bastion hosts provide an external point of entry into a Virtual Private Cloud (VPC) network that contains VMs that don't have external IP addresses. When using a bastion host, connect to the bastion host first, and then connect to the target VM.
Connecting to a VM using its internal IP address is useful if the VM doesn't have an external IP address. If the VM does have an external IP address, connect to the VM using its external IP address. If you need to connect to a VM that doesn't have external IP addresses and you can't use a bastion host, review the other methods listed in Connection options for internal-only VMs.
Supported operating systems
These connection methods are supported for all public Linux images that are available on Compute Engine. For Fedora CoreOS images, you must set up SSH access before you can use these methods.
Create a bastion host VM
Create a Compute Engine VM within the private cluster internal network to act as a bastion host that can manage the cluster.
Console
Create a bastion host VM by doing the following:
- In the Google Cloud console, go to the Create an instance page.
- Specify the following VM details:
  - Name: the name of your VM.
  - Machine type: a machine type. Choose a small machine type, such as e2-micro.
  - Boot disk Operating system: any Linux OS.
- Expand the Advanced options section, and do the following:
  - In the Network interfaces section, select the same VPC network and subnet as the target VM.
  - For External IPv4 address, select Ephemeral.
- To create and start the VM, click Create.
gcloud
Create a bastion host VM using the gcloud compute instances create command:
- In the Google Cloud console, activate Cloud Shell.
  At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
- Create the bastion host VM by running the following command:
  gcloud compute instances create VM_NAME \
      --zone=ZONE \
      --machine-type=e2-micro \
      --image-family=IMAGE_FAMILY \
      --image-project=IMAGE_PROJECT \
      --network-interface=subnet=SUBNET,address=""
  Replace the following:
  - VM_NAME: the name of the VM.
  - ZONE: the zone for the VM.
  - IMAGE_FAMILY: a Linux image family.
  - IMAGE_PROJECT: the image project containing the image.
  - SUBNET: the same VPC subnet as the target VM. If you use the default VPC, the SUBNET is default.
Connect to VMs
To connect to a VM, complete the steps in one of the following tabs.
gcloud
Permissions required for this task
To perform this task, you must have the following permissions:
- The roles/iam.serviceAccountUser role on the service account and your user account. For details about how to grant this role on a single service account, see Allowing a principal to impersonate a single service account.
- compute.projects.setCommonInstanceMetadata permission on the service account and your user account.
You must additionally assign your service account to a VM and set the cloud-platform access scope on the VM.
Connect to a VM using SSH through a bastion host by running the gcloud compute ssh command:
- Connect to the bastion host VM by running the following command:
  gcloud compute ssh BASTION_NAME
  Replace BASTION_NAME with the name of the bastion host VM.
- From the bastion host VM, connect to the main VM through its internal IP address by using the --internal-ip flag:
  gcloud compute ssh VM_NAME \
      --internal-ip
  Replace VM_NAME with the name of the VM that you want to connect to.
OpenSSH clients
Connect to a VM through a bastion host from an OpenSSH client, by doing the following:
- Add an SSH key to the VM if you haven't already.
- In the Google Cloud console, go to the VM Instances page and find the external IP address of the bastion host VM.
- Open a terminal on your workstation.
- Connect to the bastion host VM by running the following command:
  ssh -A -i PATH_TO_PRIVATE_KEY USERNAME@EXTERNAL_IP
  Replace the following:
  - PATH_TO_PRIVATE_KEY: the path to the private SSH key file that corresponds to the public key you added to the VM.
  - USERNAME: your username. If you manage your SSH keys in metadata, the username is what you specified when you created the SSH key. For OS Login accounts, the username is defined in your Google profile. For example, cloudysanfrancisco_example_com or cloudysanfrancisco.
  - EXTERNAL_IP: the external IP address of the VM.
- From the bastion host VM, connect through a VM's internal IP address using the following command:
  ssh USERNAME@INTERNAL_IP
  Replace the following:
  - USERNAME: your username. If you manage your SSH keys in metadata, the username is what you specified when you created the SSH key. For OS Login accounts, the username is defined in your Google profile. For example, cloudysanfrancisco_example_com or cloudysanfrancisco.
  - INTERNAL_IP: the internal IP address of the VM.
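An added example, not part of the original documentation: the same two-hop OpenSSH connection written as a client configuration that uses ProxyJump instead of ssh -A, so the SSH agent is never exposed on the bastion host. The aliases bastion and target are made up for this example; it assumes OpenSSH 7.3 or later on the workstation, TCP forwarding permitted by the bastion's sshd (the OpenSSH default), and the same public key added to both VMs.

```sshconfig
# ~/.ssh/config on the workstation (added example, not from the original page).
# "bastion" and "target" are made-up aliases; EXTERNAL_IP, INTERNAL_IP,
# USERNAME and PATH_TO_PRIVATE_KEY are the page's own placeholders.

# Bastion host VM: the only VM contacted over an external IP address.
Host bastion
    HostName EXTERNAL_IP
    User USERNAME
    IdentityFile PATH_TO_PRIVATE_KEY
    # Offer only the key named above, not every key loaded in the agent.
    IdentitiesOnly yes
    # No agent socket is created on the bastion, unlike "ssh -A".
    ForwardAgent no

# Target VM: reached over its internal IP address through the bastion.
Host target
    HostName INTERNAL_IP
    User USERNAME
    IdentityFile PATH_TO_PRIVATE_KEY
    IdentitiesOnly yes
    # The workstation's ssh client tunnels a TCP channel through the bastion
    # and authenticates to the target end to end, so the private key and the
    # agent stay on the workstation.
    ProxyJump bastion
    ForwardAgent no
```

With this in place, running ssh target on the workstation opens the session on the target VM in one step.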
PuTTY app
Connect to a VM through a bastion host using PuTTY, by doing the following:
- Add an SSH key to the bastion host VM if you haven't already.
- If your workstation doesn't already have the PuTTY app installed, download the PuTTY package files.
- In the Google Cloud console, go to the VM Instances page and find the internal IP address of the VM that you want to connect to.
- Open the PuTTY app. A connection configuration window opens.
- In the Host Name field, enter the username associated with the SSH key, and the external IP address of the VM that you want to connect to. Use the following format:
  USERNAME@EXTERNAL_IP
  Replace the following:
  - USERNAME: your username. If you manage your SSH keys in metadata, the username is what you specified when you created the SSH key. For OS Login accounts, the username is defined in your Google profile. For example, cloudysanfrancisco_example_com or cloudysanfrancisco.
  - EXTERNAL_IP: the external IP address of the VM.
- In the Category menu, navigate to Connection > SSH > Auth.
- In the Private key file for authentication field, select the private SSH key file that corresponds to the public key you added to the VM.
- In the Authentication Parameters section, select Allow agent forwarding.
- Click Open to connect to the bastion host VM.
- From the bastion host VM, connect through a VM's internal IP address using the following command:
  ssh USERNAME@INTERNAL_IP
  Replace the following:
  - USERNAME: your username. If you manage your SSH keys in metadata, the username is what you specified when you created the SSH key. For OS Login accounts, the username is defined in your Google profile. For example, cloudysanfrancisco_example_com or cloudysanfrancisco.
  - INTERNAL_IP: the internal IP address of the VM.
Troubleshooting
To find methods for diagnosing and resolving failed SSH connections, see Troubleshooting SSH.
What's next
- Learn how to manage access to VMs.
- Learn how to transfer files to VMs.
- Learn how SSH connections to Linux VMs work on Compute Engine.
Last updated 2025-12-15 UTC.