gcloud alpha compute start-iap-tunnel

NAME
gcloud alpha compute start-iap-tunnel - starts an IAP TCP forwarding tunnel
SYNOPSIS
gcloud alpha compute start-iap-tunnelINSTANCE_NAMEINSTANCE_PORT[--iap-tunnel-disable-connection-check][--local-host-port=LOCAL_HOST_PORT; default="localhost:0"][--zone=ZONE][--region=REGION : [--network=NETWORK :--dest-group=DEST_GROUP]][GCLOUD_WIDE_FLAG]
DESCRIPTION
(ALPHA) Starts a tunnel to Cloud Identity-Aware Proxy for TCPforwarding through which another process can create a connection (eg. SSH, RDP)to a Google Compute Engine instance.

To learn more, see theIAP for TCPforwarding documentation.

If the--region and--network flags are provided, thenan IP address or FQDN must be supplied instead of an instance name. This is mostuseful for connecting to on-prem resources.

EXAMPLES
To open a tunnel to the instances's RDP port on an arbitrary local port, run:
gcloudalphacomputestart-iap-tunnelmy-instance3389

To open a tunnel to the instance's RDP port on a specific local port, run:

gcloudalphacomputestart-iap-tunnelmy-instance3389--local-host-port=localhost:3333

To use the IP address or FQDN of your remote VM (eg, for on-prem), you must alsospecify the--region and--network flags:

gcloudalphacomputestart-iap-tunnel10.1.2.33389--region=us-central1--network=default
POSITIONAL ARGUMENTS
INSTANCE_NAME
Name of the instance to operate on. For details on valid instance names, referto the criteria documented under the field 'name' at:https://cloud.google.com/compute/docs/reference/rest/v1/instances
INSTANCE_PORT
The name or number of the instance's port to connect to.
FLAGS
--iap-tunnel-disable-connection-check
Disables the immediate check of the connection.
--local-host-port=LOCAL_HOST_PORT; default="localhost:0"
LOCAL_HOST:LOCAL_PORT on which gcloud should bind and listen forconnections that should be tunneled.

LOCAL_PORT may be omitted, in which case it is treated as 0 and anarbitrary unused local port is chosen. The colon also may be omitted in thatcase.

IfLOCAL_PORT is 0, an arbitrary unused local port is chosen.

--zone=ZONE
Zone of the instance to operate on. If not specified, you might be prompted toselect a zone (interactive mode only).gcloud attempts to identify theappropriate zone by searching for resources in your currently active project. Ifthe zone cannot be determined,gcloud prompts you for a selection withall available Google Cloud Platform zones.

To avoid prompting when this flag is omitted, the user can set thecompute/zone property:

gcloudconfigsetcompute/zoneZONE

A list of zones can be fetched by running:

gcloudcomputezoneslist

To unset the property, run:

gcloudconfigunsetcompute/zone

Alternatively, the zone can be stored in the environment variableCLOUDSDK_COMPUTE_ZONE.

--region=REGION
Configures the region to use when connecting via IP address or FQDN.
At most one of these can be specified:
--network=NETWORK
Configures the VPC network to use when connecting via IP address or FQDN.

This flag argument must be specified if any of the other arguments in this groupare specified.

--dest-group=DEST_GROUP
Configures the destination group to use when connecting via IP address or FQDN.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. These variants are also available:
gcloudcomputestart-iap-tunnel
gcloudbetacomputestart-iap-tunnel

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-07 UTC.