- NAME
-
- gcloud beta compute start-iap-tunnel - starts an IAP TCP forwarding tunnel
- SYNOPSIS
-
-
gcloud beta compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT [--iap-tunnel-disable-connection-check] [--local-host-port=LOCAL_HOST_PORT; default="localhost:0"] [--zone=ZONE] [--network=NETWORK --region=REGION : --dest-group=DEST_GROUP] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
-
(BETA) Starts a tunnel to Cloud Identity-Aware Proxy for TCP forwarding through which another process can create a connection (e.g. SSH, RDP) to a Google Compute Engine instance.
To learn more, see the IAP for TCP forwarding documentation.
If the --region and --network flags are provided, then an IP address or FQDN must be supplied instead of an instance name. This is most useful for connecting to on-prem resources.
- EXAMPLES
-
To open a tunnel to the instance's RDP port on an arbitrary local port, run:
gcloud beta compute start-iap-tunnel my-instance 3389
To open a tunnel to the instance's RDP port on a specific local port, run:
gcloud beta compute start-iap-tunnel my-instance 3389 --local-host-port=localhost:3333
To use the IP address or FQDN of your remote VM (e.g., for on-prem), you must also specify the --region and --network flags:
gcloud beta compute start-iap-tunnel 10.1.2.3 3389 --region=us-central1 --network=default
- POSITIONAL ARGUMENTS
-
INSTANCE_NAME - Name of the instance to operate on. For details on valid instance names, refer to the criteria documented under the field 'name' at: https://cloud.google.com/compute/docs/reference/rest/v1/instances
INSTANCE_PORT - The name or number of the instance's port to connect to.
- FLAGS
-
--iap-tunnel-disable-connection-check - Disables the immediate check of the connection.
--local-host-port=LOCAL_HOST_PORT; default="localhost:0" - LOCAL_HOST:LOCAL_PORT on which gcloud should bind and listen for connections that should be tunneled. LOCAL_PORT may be omitted, in which case it is treated as 0 and an arbitrary unused local port is chosen. The colon also may be omitted in that case.
If LOCAL_PORT is 0, an arbitrary unused local port is chosen.
--zone=ZONE - Zone of the instance to operate on. If not specified, you might be prompted to select a zone (interactive mode only).
gcloud attempts to identify the appropriate zone by searching for resources in your currently active project. If the zone cannot be determined, gcloud prompts you for a selection with all available Google Cloud Platform zones.
To avoid prompting when this flag is omitted, the user can set the compute/zone property:
gcloud config set compute/zone ZONE
A list of zones can be fetched by running:
gcloud compute zones list
To unset the property, run:
gcloud config unset compute/zone
Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.
--network=NETWORK - Configures the VPC network to use when connecting via IP address or FQDN.
--region=REGION - Configures the region to use when connecting via IP address or FQDN.
--dest-group=DEST_GROUP - Configures the destination group to use when connecting via IP address or FQDN.
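An added example, not part of the gcloud documentation: a wrapper that enforces two of the rules above before starting the tunnel. It requires --region and --network for an IP address or FQDN target, and it refuses a --local-host-port that is not loopback, since a listener bound to another address is reachable by other hosts. The function names, the argument order and the GCLOUD override variable are assumptions made for this example.

```shell
# Added example: argument checks in front of "gcloud beta compute start-iap-tunnel".
# GCLOUD is a hypothetical override so the wrapper can be dry-run (GCLOUD=echo).

# Compute Engine instance names contain no dots, so a dotted target is
# treated as an IP address or FQDN.
is_ip_or_fqdn() {
  case "$1" in *.*) return 0 ;; *) return 1 ;; esac
}

# LOCAL_HOST[:LOCAL_PORT] must name a loopback host; anything else is refused.
is_loopback_bind() {
  host=${1%%:*}
  case "$host" in
    localhost|127.0.0.1) return 0 ;;
    *) return 1 ;;
  esac
}

# start_tunnel TARGET PORT [LOCAL_HOST_PORT] [ZONE]            (instance name)
# start_tunnel TARGET PORT [LOCAL_HOST_PORT] REGION NETWORK    (IP or FQDN)
start_tunnel() {
  target=$1; port=$2; bind=${3:-localhost:0}; a4=$4; a5=$5
  [ -n "$target" ] && [ -n "$port" ] || {
    echo "usage: start_tunnel TARGET PORT [LOCAL_HOST_PORT] [ZONE | REGION NETWORK]" >&2
    return 1
  }
  is_loopback_bind "$bind" || {
    echo "refusing non-loopback --local-host-port: $bind" >&2
    return 3
  }
  set -- beta compute start-iap-tunnel "$target" "$port" "--local-host-port=$bind"
  if is_ip_or_fqdn "$target"; then
    [ -n "$a4" ] && [ -n "$a5" ] || {
      echo "IP/FQDN target $target needs --region and --network" >&2
      return 2
    }
    set -- "$@" "--region=$a4" "--network=$a5"
  elif [ -n "$a4" ]; then
    # Passing the zone explicitly avoids the interactive zone prompt.
    set -- "$@" "--zone=$a4"
  fi
  "${GCLOUD:-gcloud}" "$@"
}
```

Setting GCLOUD=echo prints the argument list instead of opening a tunnel, which is a convenient way to review what the wrapper would run.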
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
- NOTES
-
This command is currently in beta and might change without notice. These variants are also available:
gcloud compute start-iap-tunnel
gcloud alpha compute start-iap-tunnel
gcloud beta compute start-iap-tunnel
Last updated 2025-05-07 UTC.