- NAME
-
- gcloud beta compute start-iap-tunnel - starts an IAP TCP forwarding tunnel
- SYNOPSIS
-
-
gcloud beta compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT [--iap-tunnel-disable-connection-check] [--local-host-port=LOCAL_HOST_PORT; default="localhost:0"] [--zone=ZONE] [--network=NETWORK --region=REGION : --dest-group=DEST_GROUP] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
-
(BETA) Starts a tunnel to Cloud Identity-Aware Proxy for TCP forwarding through which another process can create a connection (e.g. SSH, RDP) to a Google Compute Engine instance. To learn more, see the IAP for TCP forwarding documentation.
If the --region and --network flags are provided, then an IP address or FQDN must be supplied instead of an instance name. This is most useful for connecting to on-prem resources.
- EXAMPLES
- To open a tunnel to the instance's RDP port on an arbitrary local port, run:
    gcloud beta compute start-iap-tunnel my-instance 3389
To open a tunnel to the instance's RDP port on a specific local port, run:
    gcloud beta compute start-iap-tunnel my-instance 3389 --local-host-port=localhost:3333
To use the IP address or FQDN of your remote VM (e.g., for on-prem), you must also specify the --region and --network flags:
    gcloud beta compute start-iap-tunnel 10.1.2.3 3389 --region=us-central1 --network=default
- POSITIONAL ARGUMENTS
-
-
INSTANCE_NAME - Name of the instance to operate on. For details on valid instance names, refer to the criteria documented under the field 'name' at: https://cloud.google.com/compute/docs/reference/rest/v1/instances
-
INSTANCE_PORT - The name or number of the instance's port to connect to.
-
- FLAGS
-
-
--iap-tunnel-disable-connection-check - Disables the immediate check of the connection.
-
--local-host-port=LOCAL_HOST_PORT; default="localhost:0" - LOCAL_HOST:LOCAL_PORT on which gcloud should bind and listen for connections that should be tunneled. LOCAL_PORT may be omitted, in which case it is treated as 0 and an arbitrary unused local port is chosen. The colon also may be omitted in that case. If LOCAL_PORT is 0, an arbitrary unused local port is chosen.
-
--zone=ZONE - Zone of the instance to operate on. If not specified, you might be prompted to select a zone (interactive mode only).
gcloud attempts to identify the appropriate zone by searching for resources in your currently active project. If the zone cannot be determined, gcloud prompts you for a selection with all available Google Cloud Platform zones.
To avoid prompting when this flag is omitted, the user can set the compute/zone property:
    gcloud config set compute/zone ZONE
A list of zones can be fetched by running:
    gcloud compute zones list
To unset the property, run:
    gcloud config unset compute/zone
Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.
-
--network=NETWORK - Configures the VPC network to use when connecting via IP address or FQDN.
-
--region=REGION - Configures the region to use when connecting via IP address or FQDN.
-
--dest-group=DEST_GROUP - Configures the destination group to use when connecting via IP address or FQDN.
-
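The --local-host-port value decides which local address the tunnel listener binds to, and a listener on a non-loopback address accepts connections from other hosts on the network under the caller's IAP authorization. The following is an added example, not part of the gcloud documentation: a dry-run wrapper that normalizes the value by the rules above and refuses non-loopback binds. The function names, the status codes and the loopback policy (only "localhost" or a 127.0.0.0/8 literal) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the gcloud docs): vet a --local-host-port value.

# Print HOST:PORT per the page's rules: a missing LOCAL_PORT, with or without
# the colon, means 0. Status 2 on an empty host or a bad port.
normalize_local_host_port() {
  case $1 in
    *:*) nh=${1%%:*}; np=${1#*:} ;;
    *)   nh=$1; np= ;;
  esac
  [ -n "$np" ] || np=0
  case $np in *[!0-9]*) return 2 ;; esac
  [ -n "$nh" ] && [ "$np" -le 65535 ] 2>/dev/null || return 2
  printf '%s:%s\n' "$nh" "$np"
}

# Succeed only for "localhost" or a dotted-quad literal in 127.0.0.0/8.
# Assumption: any other name or address is treated as non-loopback.
is_loopback_host() {
  [ "$1" = localhost ] && return 0
  case $1 in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;  # digits and single dots only
    127.*.*.*.*) return 1 ;;           # more than four octets
    127.*.*.*) ;;
    *) return 1 ;;
  esac
  lb_rest=${1#127.}
  while [ -n "$lb_rest" ]; do
    [ "${lb_rest%%.*}" -le 255 ] 2>/dev/null || return 1
    case $lb_rest in *.*) lb_rest=${lb_rest#*.} ;; *) lb_rest= ;; esac
  done
  return 0
}

# Dry run: print the command for INSTANCE PORT [LOCAL_HOST_PORT], or return 3
# when the listener would bind to a non-loopback address.
safe_tunnel_cmd() {
  hp=$(normalize_local_host_port "${3:-localhost:0}") || return 2
  is_loopback_host "${hp%:*}" || {
    echo "refusing non-loopback bind: $hp" >&2
    return 3
  }
  printf 'gcloud beta compute start-iap-tunnel %s %s --local-host-port=%s\n' \
    "$1" "$2" "$hp"
}

safe_tunnel_cmd my-instance 3389 localhost:3333   # constructed sample input
```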
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
- NOTES
- This command is currently in beta and might change without notice. These variants are also available:
    gcloud compute start-iap-tunnel
    gcloud alpha compute start-iap-tunnel
    gcloud preview compute start-iap-tunnel
Last updated 2026-05-27 UTC.

