This document describes how to connect to a virtual machine (VM) instance through its internal IP address, using a bastion host VM. Bastion hosts provide an external point of entry into a Virtual Private Cloud (VPC) network that contains VMs that don't have external IP addresses. When using a bastion host, connect to the bastion host first, and then connect to the target VM.
Connecting to a VM using its internal IP address is useful if the VM doesn't have an external IP address. If the VM does have an external IP address, connect to the VM using its external IP address. If you need to connect to a VM that doesn't have external IP addresses and you can't use a bastion host, review the other methods listed in Connection options for internal-only VMs.
Supported operating systems
These connection methods are supported for all public Linux images that are available on Compute Engine. For Fedora CoreOS images, you must set up SSH access before you can use these methods.
Create a bastion host VM
Create a Compute Engine VM within the private cluster internal network to act as a bastion host that can manage the cluster.
Console
Create a bastion host VM by doing the following:
In the Google Cloud console, go to the Create an instance page.
e2-micro.
Expand the Advanced options section, and do the following:
In the Network interfaces section, select the same VPC network and subnet as the target VM.
For External IPv4 address, select Ephemeral.
To create and start the VM, click Create.
Create a bastion host VM using the gcloud compute instances create command:
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Create the bastion host VM by running the following command:
gcloud compute instances create VM_NAME \
    --zone=ZONE \
    --machine-type=e2-micro \
    --image-family=IMAGE_FAMILY \
    --image-project=IMAGE_PROJECT \
    --network-interface=subnet=SUBNET,address=""
Replace the following:
VM_NAME: the name of the VM.
ZONE: the zone for the VM.
IMAGE_FAMILY: a Linux image family.
IMAGE_PROJECT: the image project containing the image.
SUBNET: the same VPC subnet as the target VM. If you use the default VPC, the SUBNET is default.
To connect to a VM, complete the steps in one of the following tabs.
gcloud
Permissions required for this task
To perform this task, you must have the following permissions:
roles/iam.serviceAccountUser on the service account and your user account. For details about how to grant this role on a single service account, see Allowing a principal to impersonate a single service account.
compute.projects.setCommonInstanceMetadata permission on the service account and your user account.
You must additionally assign your service account to a VM and set the cloud-platform access scope on the VM.
Connect to a VM using SSH through a bastion host by running the gcloud compute ssh command:
Connect to the bastion host VM by running the following command:
gcloud compute ssh BASTION_NAME
Replace BASTION_NAME with the name of the bastion host VM.
From the bastion host VM, connect to the main VM through its internal IP address by using the --internal-ip flag:
gcloud compute ssh VM_NAME \
    --internal-ip
Replace VM_NAME with the name of the VM that you want to connect to.
Connect to a VM through a bastion host from an OpenSSH client, by doing the following:
In the Google Cloud console, go to the VM Instances page and find the external IP address of the bastion host VM.
Connect to the bastion host VM by running the following command:
ssh -A -i PATH_TO_PRIVATE_KEY USERNAME@EXTERNAL_IP
Replace the following:
PATH_TO_PRIVATE_KEY: the path to the private SSH key file that corresponds to the public key you added to the VM.
USERNAME: your username. If you manage your SSH keys in metadata, the username is what you specified when you created the SSH key. For OS Login accounts, the username is defined in your Google profile. For example, cloudysanfrancisco_example_com or cloudysanfrancisco.
EXTERNAL_IP: the external IP address of the VM.
From the bastion host VM, connect through a VM's internal IP address using the following command:
ssh USERNAME@INTERNAL_IP
Replace the following:
USERNAME: your username. If you manage your SSH keys in metadata, the username is what you specified when you created the SSH key. For OS Login accounts, the username is defined in your Google profile. For example, cloudysanfrancisco_example_com or cloudysanfrancisco.
INTERNAL_IP: the internal IP address of the VM.
Connect to a VM through a bastion host using PuTTY, by doing the following:
In the Google Cloud console, go to the VM Instances page and find the internal IP address of the VM that you want to connect to.
In the Host Name field, enter the username associated with the SSH key, and the external IP address of the VM that you want to connect to. Use the following format:
USERNAME@EXTERNAL_IP
Replace the following:
USERNAME: your username. If you manage your SSH keys in metadata, the username is what you specified when you created the SSH key. For OS Login accounts, the username is defined in your Google profile. For example, cloudysanfrancisco_example_com or cloudysanfrancisco.
EXTERNAL_IP: the external IP address of the VM.
From the bastion host VM, connect through a VM's internal IP address using the following command:
ssh USERNAME@INTERNAL_IP
Replace the following:
USERNAME: your username. If you manage your SSH keys in metadata, the username is what you specified when you created the SSH key. For OS Login accounts, the username is defined in your Google profile. For example, cloudysanfrancisco_example_com or cloudysanfrancisco.
INTERNAL_IP: the internal IP address of the VM.
To find methods for diagnosing and resolving failed SSH connections, see Troubleshooting SSH.
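The ssh -A step in the OpenSSH procedure above forwards your local SSH agent to the bastion host, where anyone with root on that VM can use it for as long as you are connected. As an added example (not part of the original page), the shell functions below write an OpenSSH client config that reaches the internal VM through the bastion with ProxyJump and no agent forwarding, and flag any Host block that sets ForwardAgent yes. The host aliases bastion and target and both function names are assumptions; the other names are the page's placeholders.

```shell
# Added example, not from the original page. USERNAME, EXTERNAL_IP, INTERNAL_IP
# and PATH_TO_PRIVATE_KEY are the page's placeholders; the host aliases
# "bastion" and "target" and both function names are assumptions.

# write_bastion_config USERNAME EXTERNAL_IP INTERNAL_IP PATH_TO_PRIVATE_KEY OUTFILE
# Writes a client config that reaches the target VM through the bastion with
# ProxyJump (OpenSSH 7.3 or later): the key and agent stay on your workstation.
write_bastion_config() (
  umask 077   # create the config readable by its owner only
  cat > "$5" <<EOF
Host bastion
    HostName $2
    User $1
    IdentityFile $4
    IdentitiesOnly yes
    ForwardAgent no

Host target
    HostName $3
    User $1
    IdentityFile $4
    IdentitiesOnly yes
    ProxyJump bastion
    ForwardAgent no
EOF
)

# hosts_forwarding_agent CONFIG
# Prints the alias of every Host block that sets "ForwardAgent yes" and
# returns 1 if there is at least one, 0 otherwise.
hosts_forwarding_agent() {
  awk '
    { sub(/=/, " ") }                       # accept "Keyword=value" too
    tolower($1) == "host" { host = $2 }
    tolower($1) == "forwardagent" && tolower($2) == "yes" {
      print (host == "" ? "(global)" : host); found = 1
    }
    END { exit found }
  ' "$1"
}

# Usage: write_bastion_config USERNAME EXTERNAL_IP INTERNAL_IP PATH_TO_PRIVATE_KEY ./bastion_config
#        hosts_forwarding_agent ./bastion_config && ssh -F ./bastion_config target
```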
Last updated 2025-08-07 UTC.