IAP TCP forwarding allows you to establish an encrypted tunnel over which you can forward SSH, RDP, and other traffic to VM instances. IAP TCP forwarding also provides you fine-grained control over which users are allowed to establish tunnels and which VM instances users are allowed to connect to.
To allow RDP and SSH access to all VM instances in your network, create an ingress firewall rule with the following settings:
Name: allow-ingress-from-iap
Direction of traffic: Ingress
Target: All instances in the network
Source filter: IP ranges
Source IP ranges: 35.235.240.0/20
Protocols and ports: Select TCP and enter 22,3389 to allow both RDP and SSH.
| Task | Roles | More information |
| --- | --- | --- |
| TCP forwarding | IAP-secured Tunnel User (roles/iap.tunnelResourceAccessor) | See Grant access to all VM instances in a project or Grant access to a specific VM. |
| SSH access | Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1) | |
| Use a service account | Service Account User (roles/iam.serviceAccountUser) | See The serviceAccountUser role. |
Go to your VM instance and click it
Click Edit
Find the Management section
Look for the Automation section
Inside the text box, type "ufw allow 22"
Save
Stop the VM instance
Start the VM instance
Connect again
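The firewall rule, IAM grant and ufw startup script described above, scripted with the gcloud CLI as an added example (not from the original page). PROJECT, NETWORK, ZONE, VM and MEMBER are placeholders supplied by the caller; setting GCLOUD=echo prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: provision IAP TCP forwarding for a VM (not the page's own code).
# Placeholders: PROJECT, NETWORK, ZONE, VM, MEMBER (e.g. user:alice@example.com).
# GCLOUD defaults to the real CLI; GCLOUD=echo turns every call into a dry run.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
IAP_RANGE="35.235.240.0/20"   # IAP TCP forwarding source range given on the page

# Ingress rule: only the IAP proxy range may reach 22/3389, not the whole internet.
iap_firewall_rule() {
  local project="$1" network="$2"
  "$GCLOUD" compute firewall-rules create allow-ingress-from-iap \
    --project="$project" --network="$network" \
    --direction=INGRESS --action=ALLOW \
    --rules=tcp:22,tcp:3389 \
    --source-ranges="$IAP_RANGE"
}

# Grant tunnel access to a single member rather than to allAuthenticatedUsers.
grant_tunnel_user() {
  local project="$1" member="$2"
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member="$member" --role=roles/iap.tunnelResourceAccessor
}

# Guest-OS firewall fix from the page: open port 22 in ufw on every boot.
set_ufw_startup_script() {
  local project="$1" zone="$2" vm="$3"
  "$GCLOUD" compute instances add-metadata "$vm" \
    --project="$project" --zone="$zone" \
    --metadata=startup-script='#! /bin/bash
ufw allow 22'
}

# Guard for audits: a rule's source range must be exactly the IAP range.
is_iap_only_source() {
  [ "$1" = "$IAP_RANGE" ]
}

# Connect through the tunnel; the VM needs no public IP.
ssh_via_iap() {
  local project="$1" zone="$2" vm="$3"
  "$GCLOUD" compute ssh "$vm" --project="$project" --zone="$zone" --tunnel-through-iap
}

if [ "${1:-}" = "provision" ]; then
  iap_firewall_rule "$PROJECT" "$NETWORK"
  grant_tunnel_user "$PROJECT" "$MEMBER"
  set_ufw_startup_script "$PROJECT" "$ZONE" "$VM"
fi
```

Run with `GCLOUD=echo PROJECT=p NETWORK=default ZONE=z VM=v MEMBER=user:a@example.com ./iap.sh provision` to review the exact commands before applying them.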