IAP TCP forwarding lets you establish an encrypted tunnel
over which you can forward SSH connections to VMs. When you connect to a VM
that uses IAP, IAP wraps the SSH connection
inside HTTPS before forwarding the connection to the VM. Then,
IAP checks if you have the
required IAM permissions
and if you do, grants access to the VM.
If you need to connect to a VM that doesn't have external IP addresses and you
can't use IAP, review the other methods listed in
Connection options for internal-only VMs.
If you haven't already, set up authentication.
Authentication verifies your identity for access to Trusted Cloud by S3NS services and APIs. To run
code or samples from a local development environment, you can authenticate to
Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Trusted Cloud console to access Trusted Cloud by S3NS services and
APIs, you don't need to set up authentication.
These connection methods are supported for all
public Linux images that are available on
Compute Engine. For Fedora CoreOS images, you must
set up SSH access
before you can use these methods.
Connect to VMs
To connect to a VM, complete the steps in one of the following tabs.
Permissions required for this task
To perform this task, you must have the following
permissions:
At the bottom of the Trusted Cloud console, a
Cloud Shell
session starts and displays a command-line prompt. Cloud Shell is a shell environment
with the Google Cloud CLI
already installed and with values already set for
your current project. It can take a few seconds for the session to initialize.
Connect to the VM by running the following command:
gcloud compute ssh VM-NAME \
--tunnel-through-iap
Replace VM_NAME with the name of the VM that you want to connect to.
IAP Desktop
To connect to a VM using IAP Desktop, do the following:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eIdentity-Aware Proxy (IAP) TCP forwarding enables secure SSH connections to virtual machines (VMs) via an encrypted tunnel, even if the VM lacks an external IP address.\u003c/p\u003e\n"],["\u003cp\u003eTo use IAP, you must have the correct IAM permissions and create a firewall rule to allow connections, and for VMs without external IPs it will use IAP to connect.\u003c/p\u003e\n"],["\u003cp\u003eConnecting to Linux VMs can be done through the Google Cloud console's SSH-in-Browser feature, the \u003ccode\u003egcloud compute ssh\u003c/code\u003e command with the \u003ccode\u003e--tunnel-through-iap\u003c/code\u003e flag, IAP Desktop, or the PuTTY app.\u003c/p\u003e\n"],["\u003cp\u003eWhen connecting via the Google Cloud console or gcloud CLI, ephemeral or persistent SSH keys, respectively, are automatically created by Compute Engine.\u003c/p\u003e\n"],["\u003cp\u003eThe connection methods are supported for public Linux images available on Compute Engine, but Fedora CoreOS images require prior SSH setup.\u003c/p\u003e\n"]]],[],null,["# Connect to Linux VMs using Identity-Aware Proxy\n\nLinux\n\n*** ** * ** ***\n\nThis document describes how to connect to a virtual machine (VM) instance\nthrough its internal IP address, using\n[Identity-Aware Proxy (IAP) TCP forwarding](/iap/docs/using-tcp-forwarding).\n\nIAP TCP forwarding lets you establish an encrypted tunnel\nover which you can forward SSH connections to VMs. When you connect to a VM\nthat uses IAP, IAP wraps the SSH connection\ninside HTTPS before forwarding the connection to the VM. Then,\nIAP checks if you have the\n[required IAM permissions](/iap/docs/using-tcp-forwarding#grant-permission)\nand if you do, grants access to the VM.\n\nIf you need to connect to a VM that doesn't have external IP addresses and you\ncan't use IAP, review the other methods listed in\n[Connection options for internal-only VMs](/compute/docs/connect/ssh-internal-ip).\n\nBefore you begin\n----------------\n\n- [Create a firewall rule](/iap/docs/using-tcp-forwarding#create-firewall-rule) to enable connections from IAP.\n- If you haven't already, set up [authentication](/compute/docs/authentication). Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:\n\n Select the tab for how you plan to use the samples on this page: \n\n ### Console\n\n\n When you use the Google Cloud console to access Google Cloud services and\n APIs, you don't need to set up authentication.\n\n ### gcloud\n\n 1.\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n After installation,\n [initialize](/sdk/docs/initializing) the Google Cloud CLI by running the following command:\n\n ```bash\n gcloud init\n ```\n\n\n If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n 2. [Set a default region and zone](/compute/docs/gcloud-compute#set_default_zone_and_region_in_your_local_client).\n\nSupported operating systems\n---------------------------\n\nThese connection methods are supported for all\n[public Linux images](/compute/docs/images/os-details) that are available on\nCompute Engine. For Fedora CoreOS images, you must\n[set up SSH access](https://docs.fedoraproject.org/en-US/fedora-coreos/tutorial-containers/)\nbefore you can use these methods.\n\nConnect to VMs\n--------------\n\nTo connect to a VM, complete the steps in one of the following tabs.\n\n#### Permissions required for this task\n\nTo perform this task, you must have the following\n[permissions](/iam/docs/overview#permissions):\n\n\n- All permissions included in the [IAP roles](/iap/docs/using-tcp-forwarding#grant-permission).\n\n\u003cbr /\u003e\n\n### Console\n\nTunnel SSH connections through a VM's internal IP address using\nSSH-in-Browser by doing the following:\n| **Note:** SSH-in-Browser only uses IAP if the VM doesn't have an external IP address.\n\n\n1. In the Google Cloud console, go to the **VM instances** page.\n\n [Go to VM instances](https://console.cloud.google.com/compute/instances)\n2. In the list of virtual machine instances, click **SSH** in the row of the instance that you want to connect to.\n\n\u003cbr /\u003e\n\n| **Note:** When you connect to VMs using the Google Cloud console, Compute Engine creates an ephemeral SSH key for you. For more information about SSH keys, see [SSH connections to Linux VMs](/compute/docs/instances/ssh).\n\n### gcloud\n\nTunnel SSH connections through a VM's internal IP address using the\n[`gcloud compute ssh` command](/sdk/gcloud/reference/compute/ssh) with the\n[`--tunnel-through-iap` flag](/sdk/gcloud/reference/compute/ssh#--tunnel-through-iap):\n\n1. In the Google Cloud console, activate Cloud Shell.\n2. [Activate Cloud Shell](https://console.cloud.google.com/?cloudshell=true)\n3. At the bottom of the Google Cloud console, a [Cloud Shell](/shell/docs/how-cloud-shell-works) session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.\n4. Connect to the VM by running the following command:\n\n ```\n gcloud compute ssh VM-NAME \\\n --tunnel-through-iap\n ```\n5. Replace \u003cvar translate=\"no\"\u003eVM_NAME\u003c/var\u003e with the name of the VM that you want to connect to.\n\n| **Note:** When you connect to VMs using the gcloud CLI, Compute Engine creates a persistent SSH key for you. For more information about SSH keys, see [SSH connections to Linux VMs](/compute/docs/instances/ssh).\n\n### IAP Desktop\n\nTo connect to a VM using IAP Desktop, do the following:\n\n1.\n [Install IAP Desktop](https://github.com/GoogleCloudPlatform/iap-desktop/)\n on your workstation if you haven't already.\n\n2.\n Open IAP Desktop. The **Add projects** window opens.\n\n3.\n\n When prompted, sign in using the Google account that has access to the project with the VMs\n you want to connect to.\n\n4.\n In the **Add projects** window, enter the project ID or name of the\n project that contains the VMs you want to connect to.\n\n5.\n In the **Project Explorer** window, right-click the name of the VM\n again and select **Connect** to connect to the VM.\n\n### PuTTY app\n\nTunnel SSH connections through a VM's internal IP address using PuTTY, by doing the following:\n\n1. [Add an SSH key](/compute/docs/connect/add-ssh-keys) to the VM if you haven't already.\n2. If your workstation doesn't already have the PuTTY app installed, [download the PuTTY package files](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html).\n3. In the Google Cloud console, go to the **VM Instances** page and find the\n\n name\n\n of the VM that you want to connect to.\n\n [Go to VM Instances](https://console.cloud.google.com/compute/instances)\n4. Open the PuTTY app. A connection configuration window opens.\n5. In the `Host Name` field, enter the username associated with the SSH key, and\n the\n\n name\n\n of the VM that you want to connect to. Use the following format:\n\n ```\n USERNAME@VM_NAME\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eUSERNAME\u003c/var\u003e: your username. If you manage your SSH keys in metadata, the username is what you specified when you [created the SSH key](/compute/docs/connect/create-ssh-keys). For OS Login accounts, the username is [defined in your Google profile](/compute/docs/connect/add-ssh-keys#os-login). For example, `cloudysanfrancisco_example_com` or `cloudysanfrancisco`.\n - \u003cvar translate=\"no\"\u003eNAME\u003c/var\u003e: the name of the VM.\n6. In the **Category** menu, navigate to **Connection \\\u003e\n SSH \\\u003e Auth**.\n7. In the **Private key file for authentication** field, select the private SSH key file that corresponds to the public key you added to the VM.\n8. In the **Category** menu, navigate to **Connection \\\u003e Proxy**.\n9. In the **Proxy type** section, select **Local**.\n10. In the **Telnet command, or local proxy command** field, enter the following\n command:\n\n ```\n gcloud.cmd compute start-iap-tunnel VM_NAME PORT_NUMBER --listen-on-stdin --project=PROJECT_ID --zone=ZONE\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eVM_NAME\u003c/var\u003e: the name of the VM that you want to connect to.\n - \u003cvar translate=\"no\"\u003ePORT_NUMBER\u003c/var\u003e: the port that the sshd daemon runs on. The default \u003cvar translate=\"no\"\u003ePORT_NUMBER\u003c/var\u003e is `22`.\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the project that hosts the VM that you want to connect to.\n - \u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e: the zone where the VM is located.\n11. Click **Open** to connect to the VM.\n\nTroubleshooting\n---------------\n\nTo find methods for diagnosing and resolving failed SSH connections, see\n[Troubleshooting SSH](/compute/docs/troubleshooting/troubleshooting-ssh).\n\nWhat's next\n-----------\n\n- Learn how to [manage access to VMs](/compute/docs/instances/access-overview).\n- Learn how to [transfer files to VMs](/compute/docs/instances/transfer-files).\n- Learn how [SSH connections to Linux VMs](/compute/docs/instances/ssh) work on Compute Engine."]]
