Showing content from http://cloud.google.com/iap/docs/tcp-forwarding-overview below:

Overview of TCP forwarding | Identity-Aware Proxy

Overview of TCP forwarding


This page describes how Identity-Aware Proxy (IAP) handles TCP forwarding. To learn how to grant principals access to tunneled resources and how to create tunnels that route TCP traffic, see Using IAP for TCP forwarding.

Introduction

IAP's TCP forwarding feature lets you control who can access administrative services like SSH and RDP on your backends from the public internet. The TCP forwarding feature prevents these services from being openly exposed to the internet. Instead, requests to your services must pass authentication and authorization checks before they get to their target resource.

Exposing administrative services directly to the internet when running workloads in the cloud introduces risk. Forwarding TCP traffic with IAP allows you to reduce that risk, ensuring only authorized users gain access to these sensitive services.

Since this feature is specifically aimed at administrative services, load-balanced targets aren't supported.

Note: Administrative services, as defined here, are services that are typically used to administer a machine, such as RDP, SSH, and MySQL's admin interface.

Calling the IAP TCP forwarding service isn't supported on mobile devices.

How IAP's TCP forwarding works

IAP's TCP forwarding feature allows users to connect to arbitrary TCP ports on Compute Engine instances. For general TCP traffic, IAP creates a listening port on the local host that forwards all traffic to a specified instance. IAP then wraps all traffic from the client in HTTPS. Users gain access to the interface and port if they pass the authentication and authorization check of the target resource's Identity and Access Management (IAM) policy.

As a special case, establishing an SSH connection using gcloud compute ssh wraps the SSH connection inside HTTPS and forwards it to the remote instance without the need for a listening port on the local host.

Enabling IAP on an admin resource doesn't automatically block direct requests to the resource. IAP only blocks TCP requests that aren't from IAP TCP forwarding IPs to relevant services on the resource.
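
Because of this caveat, the firewall rules still decide whether SSH or RDP can be reached without passing through IAP. The following Python check is an added example, not part of Google's documentation: it scans firewall rules in the JSON shape printed by gcloud compute firewall-rules list --format=json and reports ingress rules that open tcp/22 or tcp/3389 to sources outside 35.235.240.0/20, the IAP TCP forwarding range given in the Using IAP for TCP forwarding guide. The sample rules are constructed, and rule priority and deny rules are not evaluated.

```python
import ipaddress

# IAP TCP forwarding source range, per Google's "Using IAP for TCP forwarding" guide.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")
ADMIN_PORTS = {22, 3389}  # SSH and RDP, the services this page names

def covers_port(allowed, port):
    """True if one 'allowed' entry of a firewall rule permits TCP `port`."""
    if allowed.get("IPProtocol") not in ("tcp", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:            # no port list means every port
        return True
    for spec in ports:       # each entry is "22" or a range such as "1000-2000"
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def direct_admin_exposure(rules):
    """Return (rule name, port, source range) for every enabled ingress allow rule
    that opens an admin port to a source outside the IAP range (priority ignored)."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        for port in sorted(ADMIN_PORTS):
            if any(covers_port(a, port) for a in rule.get("allowed", [])):
                for src in rule.get("sourceRanges", []):
                    net = ipaddress.ip_network(src, strict=False)
                    if not (net.version == 4 and net.subnet_of(IAP_RANGE)):
                        findings.append((rule["name"], port, src))
    return findings

# Constructed sample rules (not from any real project).
SAMPLE_RULES = [
    {"name": "allow-iap-ssh", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "legacy-ssh-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "wide-range", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "old-rdp-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
]

if __name__ == "__main__":
    for name, port, src in direct_admin_exposure(SAMPLE_RULES):
        print(f"{name}: tcp/{port} reachable from {src} without passing through IAP")
```

Rules that select sources by tag or service account instead of sourceRanges are not reported by this check and need a separate review.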

TCP forwarding with IAP doesn't require a public, routable IP address assigned to your resource. Instead, it uses internal IPs.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-07 UTC.
