How to login to private instances without a bastion host on Google Cloud Platform

Feb 18, 2020

Identity-Aware Proxy (IAP) is a managed service that controls access to your VMs. It authenticates and authorizes a user's TCP traffic before forwarding it to your VM instances. What's more, this also works for private VMs without an external IP address. So no need for a VPN or a bastion host!

Cloud IAM is used as an identity provider and integrates seamlessly with IAP. The overview below helps in understanding how these services interact.

Keep in mind that IAP TCP tunneling is intended for administrative services like RDP, SSH or MySQL's admin interface. If you frequently need to do bulk transfers of data to your VM, IAP is probably not the service you want to use.

Using IAP for SSH-ing into VMs

Enabling IAP tunneling is really easy. The only network change you need to make is to add an ingress firewall rule that targets your VMs. This firewall rule needs to allow TCP traffic on port 22 (SSH) from IAP's forwarding netblock. An example in Terraform can be found below:

resource "google_compute_firewall" "iap_to_ssh" {
  name    = "ingress-allow-iap-to-ssh"
  network = "default"

  direction = "INGRESS"
  priority  = 1000

  # Cloud IAP's TCP forwarding netblock
  source_ranges = ["35.235.240.0/20"]
  # Only instances carrying this network tag are reachable through the tunnel
  target_tags   = ["iap-tunnel"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
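
To confirm that the IAP rule is the only way to reach SSH, the check below flags every enabled ingress rule that admits TCP 22 from a source range outside the IAP netblock. It is an added example, not code from the original article: the function names and the sample rules are constructed, and the input is assumed to have the shape of `gcloud compute firewall-rules list --format=json`.

```python
import ipaddress
import json

# Cloud IAP's TCP forwarding range, as published in Google's IAP documentation.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""[
 {"name": "ingress-allow-iap-to-ssh", "direction": "INGRESS",
  "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "legacy-allow-ssh", "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
 {"name": "allow-internal", "direction": "INGRESS",
  "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "allow-https", "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]}
]""")


def allows_port(allowed, port=22):
    """True if one `allowed` entry admits TCP traffic to `port`."""
    if allowed.get("IPProtocol") not in ("tcp", "all"):
        return False
    # No port list means every port; entries are "22" or ranges like "20-25".
    for spec in allowed.get("ports") or ["0-65535"]:
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def outside_iap(cidr):
    """True if the source range is not fully contained in the IAP netblock."""
    net = ipaddress.ip_network(cidr)
    return net.version != IAP_RANGE.version or not net.subnet_of(IAP_RANGE)


def ssh_open_beyond_iap(rules):
    """Map rule name -> source ranges outside IAP that can reach TCP 22."""
    findings = {}
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if any(allows_port(a) for a in rule.get("allowed", [])):
            outside = [r for r in rule.get("sourceRanges", []) if outside_iap(r)]
            if outside:
                findings[rule["name"]] = outside
    return findings
```

On the sample, `ssh_open_beyond_iap(SAMPLE_RULES)` reports `legacy-allow-ssh` and `allow-internal`; an empty result means SSH ingress is limited to IAP.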

Access control is enforced by a resource-level or project-wide Cloud IAM policy, which is applied by binding the "IAP-Secured Tunnel User" role to a Google Group or an individual user.

After being granted access, you should be able to use the "gcloud compute ssh" command with the "--tunnel-through-iap" flag to connect to an instance.

gcloud compute ssh my-instance-name \
--tunnel-through-iap

Some advanced features like local port forwarding are also supported.

gcloud compute ssh my-instance-name \
--tunnel-through-iap \
--ssh-flag="-N -L 8081:localhost:8081"


With IAP it's very easy to secure access to your VMs without any overhead or maintenance.
