Using IAP for TCP forwarding

This page explains how you can use Identity-Aware Proxy (IAP) TCP forwarding to enable administrative access to VM instances that do not have external IP addresses or do not permit direct access over the internet.

IAP TCP forwarding allows you to establish an encrypted tunnel over which you can forward SSH, RDP, and other traffic to VM instances. IAP TCP forwarding also provides you fine-grained control over which users are allowed to establish tunnels and which VM instances users are allowed to connect to.

To learn more about how IAP TCP forwarding works, see the TCP forwarding overview.

Preparing your project for IAP TCP forwarding

This section walks you through the necessary steps to enable IAP TCP forwarding in your Google Cloud project.

Note: If you're behind a corporate proxy and aren't using Cloud VPN between your on-premises network and your VPC network, you need to allowlist the IAP for TCP domain on your corporate network.

Create a firewall rule

To allow IAP to connect to your VM instances, create a firewall rule that:

  • applies to all VM instances that you want to be accessible by using IAP.
  • allows ingress traffic from the IP range 35.235.240.0/20. This range contains all IP addresses that IAP uses for TCP forwarding.

    For IPv6 VMs, use the following IP range: 2600:2d00:1:7::/64.

  • allows connections to all ports that you want to be accessible by using IAP TCP forwarding, for example, port 22 for SSH and port 3389 for RDP.

Console

To allow RDP and SSH access to all VM instances in your network, do the following:

  1. Open the Firewall Rules page.

    The remaining steps appear in the Google Cloud console.

  2. Select a Google Cloud project.
  3. On the Firewall Rules page, click Create firewall rule.
  4. Configure the following settings:
    • Name: allow-ingress-from-iap
    • Direction of traffic: Ingress
    • Target: All instances in the network
    • Source filter: IP ranges
    • Source IP ranges: 35.235.240.0/20
    • Protocols and ports: Select TCP and enter 3389,22 to allow both RDP and SSH.
  5. Click Create.

gcloud

To allow RDP access to all VM instances in your network, run:

gcloud compute firewall-rules create allow-rdp-ingress-from-iap \
  --direction=INGRESS \
  --action=allow \
  --rules=tcp:3389 \
  --source-ranges=35.235.240.0/20

For SSH access, run:

gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
  --direction=INGRESS \
  --action=allow \
  --rules=tcp:22 \
  --source-ranges=35.235.240.0/20

For other protocols, run:

gcloud compute firewall-rules create allow-ingress-from-iap \
  --direction=INGRESS \
  --action=allow \
  --rules=tcp:PORT \
  --source-ranges=35.235.240.0/20

where PORT is the port used by the protocol.

Note: The default-allow-ssh and default-allow-rdp default rules allow SSH and RDP connections from all IP addresses, not only from IAP. Consider disabling or deleting these rules if you want to prevent direct SSH or RDP access to your VM instances.
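As an added defender's check that is not part of the original page, the following Python script audits firewall rules for exactly the exposure the note above describes: enabled ingress rules that open SSH or RDP to any source other than the IAP forwarding ranges. The input is a constructed sample shaped like `gcloud compute firewall-rules list --format=json` output; the sample rule names and values are assumptions, not data from a real project.

```python
import ipaddress
import json

# IAP TCP forwarding source ranges (IPv4 and IPv6) quoted on the page.
IAP_RANGES = [ipaddress.ip_network("35.235.240.0/20"),
              ipaddress.ip_network("2600:2d00:1:7::/64")]
ADMIN_PORTS = {22, 3389}  # SSH and RDP

# Constructed sample shaped like `gcloud compute firewall-rules list
# --format=json` output; not taken from a real project.
SAMPLE_RULES_JSON = """[
  {"name": "allow-ingress-from-iap", "direction": "INGRESS", "disabled": false,
   "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}],
   "sourceRanges": ["35.235.240.0/20"]},
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
   "sourceRanges": ["0.0.0.0/0"]},
  {"name": "allow-web", "direction": "INGRESS", "disabled": false,
   "allowed": [{"IPProtocol": "tcp", "ports": ["80-443"]}],
   "sourceRanges": ["0.0.0.0/0"]},
  {"name": "old-rdp", "direction": "INGRESS", "disabled": true,
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}],
   "sourceRanges": ["0.0.0.0/0"]}
]"""


def ports_in_rule(allowed):
    """TCP ports a rule's 'allowed' list opens; 'a-b' is expanded, no 'ports' means all."""
    ports = set()
    for entry in allowed:
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        if "ports" not in entry:
            return set(range(1, 65536))
        for spec in entry["ports"]:
            lo, _, hi = spec.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def is_iap_only(source_ranges):
    """True when every source range lies inside one of the IAP ranges."""
    for cidr in source_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == r.version and net.subnet_of(r)
                   for r in IAP_RANGES):
            return False
    # An ingress rule with no source filter at all matches every source.
    return bool(source_ranges)


def find_exposed_admin_rules(rules_json):
    """Names of enabled INGRESS allow rules opening SSH/RDP from outside IAP."""
    exposed = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not (ADMIN_PORTS & ports_in_rule(rule.get("allowed", []))):
            continue  # deny rules and rules on other ports are not relevant
        if not is_iap_only(rule.get("sourceRanges", [])):
            exposed.append(rule["name"])
    return exposed
```

Run against real output by piping `gcloud compute firewall-rules list --format=json` into `find_exposed_admin_rules`; a non-empty result is the list of rules to disable or delete per the note above.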

Grant roles for IAP TCP forwarding

To control which users and groups are allowed to use IAP TCP forwarding and which VM instances they're allowed to connect to, grant the appropriate Identity and Access Management (IAM) roles on the project.

If you are using OS Login (recommended), see Configuring OS Login roles on user accounts.

The following list shows the predefined roles you need to grant to trusted administrators for TCP forwarding and related tasks:

  • TCP forwarding: IAP-secured Tunnel User (roles/iap.tunnelResourceAccessor). See Grant access to all VM instances in a project or Grant access to a specific VM.
  • SSH access: Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1).
  • Use a service account: Service Account User (roles/iam.serviceAccountUser). See The serviceAccountUser role.
Note: If you are working in a project that you created, you have the permissions you need to perform these tasks.

If you want to create custom roles with only the specific permissions needed for this task, see Permissions details.

You can grant a user or group access to all VM instances in a project, or to a specific VM, depending on how you grant the required roles.

Tags are not supported

Granting permission using tags for IAP TCP forwarding is not currently supported.

Grant access to all VM instances in a project

You can give a user or group access to all VM instances in a project by granting the required IAM roles at the project level:

Console

  1. Open the IAM & Admin page in the Google Cloud console.

    The remaining steps appear in the Google Cloud console.

  2. On the IAM & Admin page, click Add and configure the following:
    • New principals: Specify the user or group you want to grant access.
    • Select a role: Select Cloud IAP > IAP-Secured Tunnel User.
  3. Optionally, click Add condition and configure a condition:
    • Title: Enter a name for the condition.
    • Expression: Enter a condition that a user must meet to gain the permissions in the IAP-Secured Tunnel User role.

    For example, the following CEL expression grants access only to port 22:

    destination.port == 22
  4. Click Add another role and configure the following:
    • Select a role: Select Compute Engine > Compute Instance Admin (v1).
  5. Click Save.

gcloud

Grant the two roles to the user by running the following commands:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:EMAIL \
  --role=roles/iap.tunnelResourceAccessor

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:EMAIL \
  --role=roles/compute.instanceAdmin.v1

Replace the following:

  • PROJECT_ID: ID of the project
  • EMAIL: email address of the user you want to grant access, for example user@example.com.

Grant access to a specific VM

To grant a user or group access to a specific VM, you grant the roles/iap.tunnelResourceAccessor role on that VM. The other roles must be granted on the project.

Console

  1. Open the IAP admin page and select the SSH and TCP Resources tab.

    The remaining steps appear in the Google Cloud console.

  2. On the SSH and TCP Resources tab of the IAP admin page, select the VM instances that you want to configure.
  3. Click Show info panel if the info panel is not visible.
  4. Click Add principal and configure the following:

    • New principals: Specify the user or group you want to grant access.
    • Select a role: Select Cloud IAP > IAP-Secured Tunnel User.
  5. Optionally, click Add condition and configure a condition:

    • Title: Enter a name for the condition.
    • Expression: Enter a condition that a user must meet to gain the permissions in the IAP-Secured Tunnel User role.

    For example, the following CEL expression grants access only to port 22:

    destination.port == 22

    You can also grant access based on the access level:

    destination.port == 22 &&
    "FULL_ACCESS_LEVEL_NAME" in request.auth.access_levels

    Where FULL_ACCESS_LEVEL_NAME is an existing access level and uses the following format:

    accessPolicies/POLICY_NAME/accessLevels/ACCESS_LEVEL_NAME

  6. Click Save.

API

To edit your application's policy.json file, follow the process below. See Managing access to IAP-secured resources for more information about using the IAM API to manage access policies.

  1. Export the following variables.

    export IAP_BASE_URL=https://iap.googleapis.com/v1/projects/PROJECT_NUMBER/iap_tunnel
    # Replace POLICY_FILE.JSON with the name of the JSON file to use for setIamPolicy
    export JSON_NEW_POLICY=POLICY_FILE.JSON

  2. Get the IAM policy for the Compute Engine instance using the getIamPolicy method. The empty data bit at the end turns the curl request into a POST instead of a GET.

    curl -i -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      ${IAP_BASE_URL}/zones/ZONE_NAME/instances/INSTANCE_ID_OR_INSTANCE_NAME:getIamPolicy \
      -d ''

  3. Grant the iap.tunnelResourceAccessor role to your principals by modifying the IAM policy JSON file.

  4. Optionally, grant the role only to principals that meet specific criteria, based on IAM Conditions and access levels.

    The following is an example of an edited policy.json file that grants the iap.tunnelResourceAccessor role to a group of VM instance admins, giving them access to IAP-secured tunnel resources. An IAM condition has been added so that the resources are accessible only to principals in the VM instance admins group, and only when connecting to the private IP address 10.0.0.1 on port 22, using the destination.ip and destination.port IAM Conditions attributes. They must also meet the requirements of the ACCESS_LEVEL_NAME access level.

    Note that if a principal has the Owner role, they have permission to use IAP for TCP forwarding.


    Example policy.json file

    {
      "policy": {
        "bindings": [
          {
            "role": "roles/iap.tunnelResourceAccessor",
            "members": [
              "group:instance-admins@example.com"
            ],
            "condition": {
              "expression": "\"accessPolicies/POLICY_NAME/accessLevels/ACCESS_LEVEL_NAME\" in request.auth.access_levels && destination.ip == \"10.0.0.1\" && destination.port == 22",
              "title": "CONDITION_NAME"
            }
          }
        ]
      }
    }

    To find a policy name, call accessPolicies.list:

    GET https://accesscontextmanager.googleapis.com/v1/accessPolicies
  5. Set your new policy.json file using the setIamPolicy method.

    curl -i -H "Content-Type:application/json" \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      ${IAP_BASE_URL}/zones/ZONE_NAME/instances/INSTANCE_ID_OR_INSTANCE_NAME:setIamPolicy \
      -d @${JSON_NEW_POLICY}
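As an added example that is not from the original page, this Python snippet performs steps 3 and 4 programmatically: it appends the conditional roles/iap.tunnelResourceAccessor binding to a getIamPolicy response body, producing the same CEL expression as the policy.json sample above, and also reports any principals who hold the role with no condition at all. The sample policy, its etag value and the legacy-admin member are constructed.

```python
import json

TUNNEL_ROLE = "roles/iap.tunnelResourceAccessor"


def build_condition(port, ip=None, access_level=None):
    """Build the CEL expression in the order used by the page's policy.json
    sample: access level, then destination.ip, then destination.port."""
    clauses = []
    if access_level:
        clauses.append(f'"{access_level}" in request.auth.access_levels')
    if ip:
        clauses.append(f'destination.ip == "{ip}"')
    clauses.append(f"destination.port == {port}")
    return " && ".join(clauses)


def add_tunnel_binding(policy, member, title, port, ip=None, access_level=None):
    """Return a copy of a getIamPolicy response with a conditional
    iap.tunnelResourceAccessor binding for `member` appended."""
    updated = json.loads(json.dumps(policy))  # deep copy; leave the input alone
    updated.setdefault("bindings", []).append({
        "role": TUNNEL_ROLE,
        "members": [member],
        "condition": {
            "expression": build_condition(port, ip, access_level),
            "title": title,
        },
    })
    return updated


def unconditional_tunnel_members(policy):
    """Principals holding iap.tunnelResourceAccessor without any condition,
    i.e. allowed to tunnel to every port of the resource."""
    members = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == TUNNEL_ROLE and "condition" not in binding:
            members.extend(binding.get("members", []))
    return sorted(members)


# Constructed sample getIamPolicy response: one user already holds the role
# with no condition. The etag value is made up.
SAMPLE_POLICY = {
    "etag": "BwConstructedEtag=",
    "bindings": [{"role": TUNNEL_ROLE,
                  "members": ["user:legacy-admin@example.com"]}],
}

if __name__ == "__main__":
    updated = add_tunnel_binding(
        SAMPLE_POLICY, "group:instance-admins@example.com", "CONDITION_NAME",
        port=22, ip="10.0.0.1",
        access_level="accessPolicies/POLICY_NAME/accessLevels/ACCESS_LEVEL_NAME")
    # setIamPolicy expects the policy wrapped in a "policy" key, as in the page's sample.
    print(json.dumps({"policy": updated}, indent=2))
    print("unconditional members:", unconditional_tunnel_members(updated))
```

Write the printed document to POLICY_FILE.JSON and submit it with the setIamPolicy call in step 5; the unconditional-members list is the set of grants worth narrowing with a condition.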

Permissions details

The required permissions vary depending on how a user will use IAP TCP forwarding:

Scenario: permissions required
  • All:
    • iap.tunnelInstances.accessViaIAP
  • Using gcloud compute [start-iap-tunnel, ssh, scp]:
    • compute.instances.get
    • compute.instances.list
  • Using gcloud compute [ssh, scp]:
    • compute.projects.get
  • VM using OS Login: see these instructions
  • Not using OS Login:
    • compute.instances.setMetadata
    • compute.projects.setCommonInstanceMetadata
    • compute.globalOperations.get
  • SSH to VM using a service account:
    • iam.serviceAccounts.actAs
  • SSH from the browser: see these instructions

For example, if a user wants to connect using gcloud compute ssh to a VM that doesn't use OS Login but does use a service account, the user needs the following permissions:

  • iap.tunnelInstances.accessViaIAP
  • compute.instances.get
  • compute.instances.list
  • compute.projects.get
  • compute.instances.setMetadata
  • compute.projects.setCommonInstanceMetadata
  • compute.globalOperations.get
  • iam.serviceAccounts.actAs

Tunneling SSH connections

You can connect to Linux instances that don't have an external IP address by tunneling SSH traffic through IAP.

When you use IAP tunnelling, the IAP proxies connect to the primary internal IPv4 address of nic0 on the VM.

Console

To connect to your instance, use the SSH button in the Google Cloud console. Your instance's access configuration (defined through IAM permissions) must allow TCP tunneling through IAP.

gcloud

To connect to your instance, use the gcloud compute ssh command. Your instance's access configuration (defined through IAM permissions) must allow TCP tunneling through IAP.

gcloud compute ssh INSTANCE_NAME

Replace INSTANCE_NAME with the name of the instance to SSH into.

If the instance doesn't have an external IP address, the connection automatically uses IAP TCP tunneling. If the instance does have an external IP address, the connection uses the external IP address instead of IAP TCP tunneling.

You can use the --tunnel-through-iap flag so that gcloud compute ssh always uses IAP TCP tunneling.

Use the --internal-ip flag so that gcloud compute ssh never uses IAP TCP tunneling and instead directly connects to the internal IP of the VM. Doing so is useful for clients that are connected to the same VPC network as the target VM.

Note: The gcloud tool requires you to specify the instance you want to connect to. To tunnel using gcloud, you need to provide the name of the instance.

IAP Desktop

You can use IAP Desktop to connect to a VM instance by using SSH and IAP TCP forwarding.

  1. In the application, select File > Add Google Cloud project.

  2. Enter the ID or name of your project and click OK.

  3. In the Project Explorer window, right-click the VM instance you want to connect to and select Connect.


For more information on IAP Desktop, see the GitHub project page.

Note: IAP Desktop is an open-source project and not an officially supported Google product.

PuTTY app

You can set up the PuTTY Windows terminal emulator app so that it uses IAP TCP forwarding to connect to a VM instance. Your instance's access configuration (defined through IAM permissions) must allow TCP tunneling through IAP.

Before you configure the PuTTY app, use the gcloud compute ssh command once to ensure that you have a private SSH key on your local computer and that your public SSH key is published to Compute Engine:

  1. Open a command prompt and run the following command to connect to the VM instance:

    gcloud compute ssh INSTANCE_NAME `
      --tunnel-through-iap `
      --project PROJECT_ID `
      --zone ZONE

    Replace the following:

    • INSTANCE_NAME: name of the instance to connect to
    • PROJECT_ID: project ID of the project the VM instance is located in
    • ZONE: zone where the VM instance is located

    If necessary, confirm that you want to generate SSH keys by pressing Y.

  2. On the VM, determine your username by running the following command:

    whoami

    You need this username later.

You can now configure the PuTTY app to use IAP TCP forwarding:

  1. Open the PuTTY app and select the category Connection > Proxy.
  2. Configure the following proxy settings:

    • For Proxy type, select Local.
    • In the Telnet command, or local proxy command field, enter the following:

      gcloud.cmd compute start-iap-tunnel %host %port --listen-on-stdin --project PROJECT_ID --zone ZONE

      Replace the following:

      • PROJECT_ID: Project ID of the project the VM instance is located in
      • ZONE: Zone where the VM instance is located
    • For Print proxy diagnostics in the terminal window, select Only until session starts.

  3. Select the category Connection > SSH > Auth.

  4. Click Browse and paste the following file name, then click Open:

    %USERPROFILE%\.ssh\google_compute_engine.ppk
  5. Select the category Session.

  6. Configure the following session settings:

    • In the Host name (or IP address) field, enter the following:

      USERNAME@INSTANCE_NAME

      Replace the following:

      • USERNAME: the Linux username you determined earlier
      • INSTANCE_NAME: the name of the VM instance that you want to connect to
    • Saved sessions: Enter a name for the session.

  7. Click Save.

  8. Click Open to start the SSH session.

Note: If the PuTTY app displays the message proxy: - Invalid Credentials, then your gcloud CLI credentials might have expired. To refresh these credentials, open a command prompt, run a command such as gcloud auth print-identity-token, and re-enter your credentials.

ssh

You can directly use the ssh command with a ProxyCommand option that uses gcloud to start the tunnel. Use this to generate the full ssh command:

gcloud compute ssh INSTANCE_NAME --dry-run

Tunneling RDP connections

You can connect to Windows instances that don't have an external IP address by tunneling RDP traffic through IAP:

IAP Desktop

You can use IAP Desktop to connect to the Remote Desktop of one or more VM instances by using IAP TCP forwarding.

  1. In the application, select File > Add Google Cloud project.

  2. Enter the ID or name of your project and click OK.

  3. In the Project Explorer window, right-click the VM instance you want to connect to and select Connect.


For more information on IAP Desktop, see the GitHub project page.

Note: IAP Desktop is an open-source project and not an officially supported Google product.

gcloud

To connect to the Remote Desktop of a VM instance, you first create a tunnel.

  1. Use the gcloud compute start-iap-tunnel command to create an encrypted tunnel to the RDP port of the VM instance.

    gcloud compute start-iap-tunnel INSTANCE_NAME 3389 \
      --local-host-port=localhost:LOCAL_PORT \
      --zone=ZONE

    Replace INSTANCE_NAME with the name of the VM instance you want to connect to. Replace LOCAL_PORT with the localhost port where you want the proxy to be bound, or use 0 to have an unused one selected automatically. Replace ZONE with the zone where the VM instance is located.

  2. gcloud performs a connectivity test with the VM instance, then opens a tunnel and shows a port number.

    Listening on port [LOCAL_PORT].

    All traffic sent to localhost:LOCAL_PORT is forwarded to the VM instance. The port is only accessible by applications running on your local computer.

  3. Leave gcloud running and open the Microsoft Windows Remote Desktop Connection app.

  4. Enter the tunnel endpoint as computer name:

    localhost:LOCAL_PORT

    Replace LOCAL_PORT with the port number shown when the tunnel was opened by gcloud.

  5. Click Connect.

Note: Because you are instructing the client to connect to localhost instead of the VM instance name, you might see a warning indicating that the identity of the remote computer cannot be verified.

Tunneling other TCP connections

You can use IAP TCP forwarding for other TCP-based protocols by using the gcloud compute start-iap-tunnel command to allocate a local port. The local port tunnels data traffic from the local machine to the remote machine in an HTTPS stream. IAP then receives the data, applies access controls, and forwards the unwrapped data to the remote port. Conversely, any data from the remote port is also wrapped before it's sent to the local port, where it's then unwrapped.

gcloud

Create an encrypted tunnel to a port of the VM instance:

gcloud compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT \
  --local-host-port=localhost:LOCAL_PORT \
  --zone=ZONE

Replace INSTANCE_NAME and INSTANCE_PORT with the name and port of the VM instance you want to connect to. Replace LOCAL_PORT with the localhost port where you want the proxy to be bound. Replace ZONE with the zone where the VM instance is located.

gcloud performs a connectivity test with the VM instance, then opens a tunnel and shows a port number.

Listening on port [LOCAL_PORT].

All traffic sent to localhost:LOCAL_PORT is forwarded to the VM instance. The port is only accessible by applications running on your local computer.

Increasing the IAP TCP upload bandwidth

To increase the IAP TCP upload bandwidth, consider installing NumPy on the same machine where the gcloud CLI is installed.

Linux

Note: The leading $ sign in the first command is part of the command and not a terminal prompt symbol.

To install NumPy using pip on Unix platforms, run the following command in a new terminal instance:

$(gcloud info --format="value(basic.python_location)") -m pip install numpy

For more information, see NumPy.org.

If the error message persists after installing NumPy, complete the following step. Run the following command to allow gcloud to access external packages:

export CLOUDSDK_PYTHON_SITEPACKAGES=1

Note: The export command only applies to the currently open terminal. To make this change permanent across all terminal instances, consider adding the export command to your .bashrc file.

Windows

To install NumPy using pip on Windows platforms, run the following command in a new PowerShell instance:

start (gcloud info --format="value(basic.python_location)") "-m pip install numpy"

For more information, see NumPy.org.

If the message still persists after installing NumPy, another step is necessary. Run the following command to allow gcloud to access external packages:

$env:CLOUDSDK_PYTHON_SITEPACKAGES="1"

Known limitations

Bandwidth: IAP's TCP forwarding feature isn't intended for bulk transfer of data. IAP reserves the right to rate-limit users abusing this service.

Connection length: IAP automatically disconnects sessions after one hour of inactivity. Currently gcloud compute start-iap-tunnel attempts to reestablish the tunnel if it becomes disconnected.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.