gcloud compute start-iap-tunnel - starts an IAP TCP forwarding tunnel
gcloud compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT [--iap-tunnel-disable-connection-check] [--local-host-port=LOCAL_HOST_PORT; default="localhost:0"] [--zone=ZONE] [--network=NETWORK --region=REGION : --dest-group=DEST_GROUP] [GCLOUD_WIDE_FLAG ...]
Starts a tunnel to Cloud Identity-Aware Proxy for TCP forwarding through which another process can create a connection (eg. SSH, RDP) to a Google Compute Engine instance.
To learn more, see the IAP for TCP forwarding documentation https://cloud.google.com/iap/docs/tcp-forwarding-overview.
If the --region and --network flags are provided, then an IP address or FQDN must be supplied instead of an instance name. This is most useful for connecting to on-prem resources.
To open a tunnel to the instances's RDP port on an arbitrary local port, run:
$ gcloud compute start-iap-tunnel my-instance 3389
To open a tunnel to the instance's RDP port on a specific local port, run:
$ gcloud compute start-iap-tunnel my-instance 3389 \ --local-host-port=localhost:3333
To use the IP address or FQDN of your remote VM (eg, for on-prem), you must also specify the --region and --network flags:
$ gcloud compute start-iap-tunnel 10.1.2.3 3389 \ --region=us-central1 --network=default
- INSTANCE_NAME
Name of the instance to operate on. For details on valid instance names, refer to the criteria documented under the field 'name' at: https://cloud.google.com/compute/docs/reference/rest/v1/instances
- INSTANCE_PORT
The name or number of the instance's port to connect to.
- --iap-tunnel-disable-connection-check
Disables the immediate check of the connection.
- --local-host-port=LOCAL_HOST_PORT; default="localhost:0"
LOCAL_HOST:LOCAL_PORT on which gcloud should bind and listen for connections that should be tunneled.
LOCAL_PORT may be omitted, in which case it is treated as 0 and an arbitrary unused local port is chosen. The colon also may be omitted in that case.
If LOCAL_PORT is 0, an arbitrary unused local port is chosen.
- --zone=ZONE
Zone of the instance to operate on. If not specified, you might be prompted to select a zone (interactive mode only). gcloud attempts to identify the appropriate zone by searching for resources in your currently active project. If the zone cannot be determined, gcloud prompts you for a selection with all available Google Cloud Platform zones.
To avoid prompting when this flag is omitted, the user can set the compute/zone property:
$ gcloud config set compute/zone ZONE
A list of zones can be fetched by running:
$ gcloud compute zones list
To unset the property, run:
$ gcloud config unset compute/zone
Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.
- --network=NETWORK
Configures the VPC network to use when connecting via IP address or FQDN.
- --region=REGION
Configures the region to use when connecting via IP address or FQDN.
- --dest-group=DEST_GROUP
Configures the destination group to use when connecting via IP address or FQDN.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
These variants are also available:
$ gcloud alpha compute start-iap-tunnel
$ gcloud beta compute start-iap-tunnel