How to login to private instances without a bastion host on Google Cloud Platform

Identity-Aware Proxy (IAP) is a managed service that controls access to your VMs. It authenticates and authorizes user TCP traffic at IAP before forwarding it to your VM instances. And what's more, this also works for private VMs without an external IP address, so there is no need for a VPN or a bastion host!
Cloud IAM is used as an identity provider and integrates seamlessly with IAP. The overview below helps in understanding how these services interact.

Keep in mind that IAP TCP tunneling is intended for administrative services such as RDP, SSH or MySQL's admin interface. If you frequently need to do bulk data transfers to your VM, IAP is probably not the service you want to use.
Using IAP for SSH-ing into VMs
Enabling IAP tunneling is really easy. The only network change you need to make is to add an ingress firewall rule that targets your VMs. This rule must allow TCP traffic on port 22 (SSH) from IAP's TCP forwarding netblock, and nothing else needs to reach port 22. An example in Terraform can be found below:
```hcl
resource "google_compute_firewall" "iap_to_ssh" {
  name      = "ingress-allow-iap-to-ssh"
  network   = "default"
  direction = "INGRESS"
  priority  = 1000

  # Cloud IAP's TCP forwarding netblock
  source_ranges = ["35.235.240.0/20"]

  # Only instances carrying this network tag are reachable through the tunnel
  target_tags = ["iap-tunnel"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}
```
Access control is enforced by a resource-level or project-wide Cloud IAM policy, applied by binding the "IAP-Secured Tunnel User" role to a Google Group or an individual user.
After being granted access you should be able to use the "gcloud compute ssh" command with the "--tunnel-through-iap" flag to connect to an instance.
```shell
gcloud compute ssh my-instance-name --tunnel-through-iap
```
Some advanced features, such as local port forwarding, are also supported.
```shell
gcloud compute ssh my-instance-name \
  --tunnel-through-iap \
  --ssh-flag="-N -L 8081:localhost:8081"
```
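The firewall rule is the part of this setup that is easiest to undermine: a second rule (such as the default "allow SSH from anywhere" rule) that also opens port 22 makes the IAP restriction moot. The following audit script is an added example, not part of the original post or of Google's tooling; it checks a list of firewall rules and reports every ingress rule that allows TCP/22 from any source range outside IAP's 35.235.240.0/20 netblock. The sample rules are constructed here in the shape of the Compute API firewall resource (the same fields `gcloud compute firewall-rules list --format=json` returns).

```python
import ipaddress

# Cloud IAP's TCP forwarding netblock, as used in the firewall rule above.
IAP_NETBLOCK = ipaddress.ip_network("35.235.240.0/20")
SSH_PORT = 22

def _port_matches(spec, port):
    """Match a Compute API port spec: a single port ("22") or a range ("20-25")."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def rule_exposes_ssh(rule):
    """True if an enabled INGRESS rule allows TCP/22 from outside the IAP netblock."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    opens_ssh = any(
        a["IPProtocol"] in ("tcp", "all")
        # a missing "ports" key means every port of that protocol
        and (not a.get("ports") or any(_port_matches(p, SSH_PORT) for p in a["ports"]))
        for a in rule.get("allowed", [])
    )
    if not opens_ssh:
        return False
    for cidr in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(cidr, strict=False)
        # IPv6 sources, or any IPv4 range not fully inside the IAP block, are findings
        if net.version != IAP_NETBLOCK.version or not net.subnet_of(IAP_NETBLOCK):
            return True
    return False

def audit_ssh_ingress(rules):
    """Names of rules that let SSH in from anywhere other than IAP, sorted."""
    return sorted(r["name"] for r in rules if rule_exposes_ssh(r))

# Constructed sample: the rule from the post plus two common defaults.
SAMPLE_RULES = [
    {"name": "ingress-allow-iap-to-ssh", "direction": "INGRESS",
     "sourceRanges": ["35.235.240.0/20"], "targetTags": ["iap-tunnel"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal-all", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}]},
]
if __name__ == "__main__":
    print("SSH reachable outside IAP:", audit_ssh_ingress(SAMPLE_RULES))
```

Running it against the sample flags "default-allow-ssh" and "allow-internal-all" while the IAP rule passes; on a real project, feed it the JSON from the gcloud command above instead of the constructed list.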
Conclusion
With IAP it's very easy to secure SSH access to your VMs without the overhead or maintenance of a bastion host or VPN.
Written by
Maarten Baijs