
I have some compute engine instances with external IPs that have firewall rules blocking SSH. These instances also have internal IPs that have firewall rules whitelisting SSH for the IAP netblock (although the IAP help in the console incorrectly says I need to add a rule due to not enough resource, but I digress).

A related comment seems to indicate that SSH in browser will not use IAP if there's an external IP, but I wasn't sure if there was a workaround.

I can use the Google Cloud SDK to SSH into the instances with `gcloud compute ssh <instance> --tunnel-through-iap`; however, is there a way to force the same via the browser so I can easily log in on the go?

jon_wu
  • No, you can't. But maybe a day... – guillaume blaquiere Oct 07 '19 at 15:35
  • I don't think the selected answer is correct. The referenced document does not say that IAP is used only if the instance uses a private IP address. The document says to use IAP if the instance has a private IP address, meaning you can connect. The wording in the document should be rewritten to be clearer. To the best of my knowledge `gcloud compute SSH` uses IAP always. – John Hanley Oct 18 '19 at 23:09
  • Agreed, the docs should be better. However, there's no evidence of any workaround. `gcloud compute ssh` does not work for me on instances with both a private IP and a firewalled public IP unless I add `--tunnel-through-iap`. – jon_wu Oct 19 '19 at 01:55
  • @JohnHanley maybe the documentation has been improved, because now it says that `gcloud compute SSH` only uses IAP if there is no public IP. If there is a public IP, you need to force it to use IAP by using `--tunnel-through-iap`. – ahong May 07 '20 at 05:20
  • @JohnHanley here is the reference: https://cloud.google.com/iap/docs/using-tcp-forwarding#gcloud_1 "If the instance doesn't have a public IP address, the connection automatically uses IAP TCP tunneling. If the instance does have a public IP address, the connection uses the public IP address instead of IAP TCP tunneling." – ahong May 07 '20 at 05:32
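As an added example (not part of the question, the comments or the answer), a small Python audit of the firewall setup the question describes: it reads rules in the shape of `gcloud compute firewall-rules list --format=json` (a constructed sample is embedded inline) and reports which active ingress rules admitting TCP/22 are restricted to Google's documented IAP TCP-forwarding source range and which are wider. The range 35.235.240.0/20 is assumed from the IAP documentation; it is not stated on this page.

```python
import ipaddress
import json

# Assumed from Google's IAP TCP-forwarding docs (not stated on this page).
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.dumps([
    {"name": "allow-ssh-from-iap", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-tcp-office", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp"}]},  # no "ports" key means every port
    {"name": "old-ssh-rule", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
])


def _covers_port(allowed, port):
    """True if any allowed entry admits TCP traffic to `port` (single or range)."""
    for entry in allowed:
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if ports is None:          # protocol-wide allow: all ports
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def audit_ssh_sources(rules_json, port=22):
    """Split active ingress rules admitting `port` into IAP-only and wider sources."""
    report = {"iap_only": [], "too_wide": []}
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not _covers_port(rule.get("allowed", []), port):
            continue
        srcs = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
        # IPv6 sources (e.g. ::/0) can never lie inside the IPv4 IAP range.
        iap_only = bool(srcs) and all(
            s.version == IAP_RANGE.version and s.subnet_of(IAP_RANGE) for s in srcs)
        report["iap_only" if iap_only else "too_wide"].append(rule["name"])
    return report
```

Run it against real output by piping `gcloud compute firewall-rules list --format=json` into `audit_ssh_sources`; anything under `too_wide` admits SSH from outside the IAP tunnel.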

1 Answer


The related comment is correct.

The document on ‘Using Cloud IAP for TCP forwarding’ describes that you can only use the SSH button in the GCP Console if the VM is configured to only have an internal IP.

There isn’t a workaround for the scenario you described but you can always check out advanced SSH methods should they work better for you.

Vivak P