TCP forwarding overview

This page describes how Identity-Aware Proxy (IAP) handles TCP forwarding. To learn how to grant principals access to tunneled resources and how to create tunnels that route TCP traffic, see Using IAP for TCP forwarding.

Introduction

IAP's TCP forwarding feature lets you control who can access administrative services like SSH and RDP on your backends from the public internet. The TCP forwarding feature prevents these services from being openly exposed to the internet. Instead, requests to your services must pass authentication and authorization checks before reaching their target resource.

Exposing administrative services directly to the internet when running workloads in the cloud introduces risk. Forwarding TCP traffic with IAP lets you reduce that risk by allowing only authorized users to access these sensitive services.

Because this feature is specifically aimed at administrative services, it doesn't support load-balanced targets.

Note: Administrative services, as defined here, are services that are typically used to administer a machine, such as RDP, SSH, and MySQL's admin interface.

Calling the IAP TCP forwarding service isn't supported on mobile devices.

How IAP's TCP forwarding works

IAP's TCP forwarding feature lets users connect to arbitrary TCP ports on Compute Engine instances. For general TCP traffic, the client (for example, gcloud compute start-iap-tunnel) opens a listening port on the local host. Everything sent to that port is wrapped in HTTPS, carried to IAP, and then forwarded from IAP to the specified instance and port. IAP only forwards the connection if the caller passes authentication and the authorization check against the target resource's Identity and Access Management (IAM) policy; the instance itself never sees an unauthenticated connection from the tunnel.

When you establish an SSH connection using gcloud compute ssh with the --tunnel-through-iap flag, the command wraps the SSH connection inside HTTPS and forwards it to the remote instance without requiring a listening port on the local host.

Enabling IAP TCP forwarding for a resource doesn't automatically block direct requests to that resource: IAP is not in the path of a connection made straight to the instance's IP address, so anything your VPC firewall allows in is still reachable. The protection comes from the firewall configuration. Restrict ingress to the administrative ports (for example, TCP 22 and 3389) so that it is allowed only from IAP's TCP forwarding source range, 35.235.240.0/20, and is denied from all other sources. If a rule such as an "allow SSH from 0.0.0.0/0" default remains in place, IAP adds an authenticated path but removes nothing.

TCP forwarding with IAP doesn't require a public, routable IP address assigned to your resource. Instead, it uses internal IPs, so instances can be reached over the tunnel without having any external address at all.
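Because IAP does not block direct connections, the practical check is whether any enabled ingress firewall rule still opens an administrative port to a source outside IAP's TCP forwarding range. The following audit is an added example written for this page; it is not code from the IAP documentation or from Google Cloud. It assumes the rules have been exported with gcloud compute firewall-rules list --format=json and reduced to the fields used here (name, direction, disabled, sourceRanges, allowed); the rule list embedded below is constructed sample data, and rules keyed on source tags or service accounts rather than source ranges are outside its scope.

```python
"""Find VPC firewall rules that expose admin ports to sources outside IAP's range.

Added example for this page, not code from the IAP docs or Google Cloud.
Assumes rules exported via `gcloud compute firewall-rules list --format=json`
and trimmed to the fields used here. SAMPLE_RULES is constructed test data.
"""
import ipaddress

# Source range IAP TCP forwarding connects from (documented by Google Cloud).
IAP_TCP_RANGE = ipaddress.ip_network("35.235.240.0/20")

# Administrative ports this audit cares about; extend as needed.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL"}

# Constructed sample rules in the shape of the gcloud JSON output.
SAMPLE_RULES = [
    {"name": "allow-admin-from-iap", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
    {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-db-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}]},
    {"name": "allow-all-tcp-corp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp"}]},  # no "ports" key means every port
    {"name": "disabled-rdp", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
]


def _admin_ports_opened(entry):
    """Return the admin ports an `allowed` entry opens ("80-90" ranges included)."""
    if "ports" not in entry:
        return set(ADMIN_PORTS)  # a protocol entry with no port list opens all ports
    opened = set()
    for spec in entry["ports"]:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        opened.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    return opened


def source_outside_iap(cidr):
    """True if the source range admits any address that is not in IAP's range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != IAP_TCP_RANGE.version:
        return True  # an IPv6 source can never be the IAP IPv4 range
    return not net.subnet_of(IAP_TCP_RANGE)


def find_exposed_admin_ports(rules):
    """Return (rule name, port, service, source range) for every enabled ingress
    rule that allows an admin port from a source not fully inside IAP's range."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        for entry in rule.get("allowed", []):
            if entry.get("IPProtocol") not in ("tcp", "all"):
                continue
            for port in sorted(_admin_ports_opened(entry)):
                for cidr in rule.get("sourceRanges", []):
                    if source_outside_iap(cidr):
                        findings.append((rule["name"], port, ADMIN_PORTS[port], cidr))
    return findings


if __name__ == "__main__":
    for name, port, service, cidr in find_exposed_admin_ports(SAMPLE_RULES):
        print(f"{name}: {service} (tcp/{port}) reachable from {cidr}, not only from IAP")
```

The check is deliberately strict: an internal source such as 10.0.0.0/8 is reported too, because the page's model is that administrative ports are reached only through the tunnel. If an internal range is intentional, treat the finding as an accepted exception rather than loosening the comparison. Note that the IAP rule itself passes because 35.235.240.0/20 is a subnet of itself; a narrower range inside it would also pass, while a broader one such as 35.235.0.0/16 is flagged.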

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.