GCP – ssh to instances without external IP

How to connect with ssh to Google Cloud Platform VM instances without external IP addresses

Google recently announced that it will start charging fee for external IP addresses attached to VM instances. In addition to that, unless you have a need to expose your instances to the outside directly, it might be best security practice to not attach external IPs to your VMs. Thus from both security and cost perspective, you might not want to attach external IPs to your GCP nodes. But how do you ssh to instances without external IPs?

Luckily GCP provides a service to tunnel to your internal instances with Identity Aware Proxy ( IAP). This means you don’t have to deploy additional ssh jump hosts.

Enable IAP

gcloud services enable

You will need to configure your project’s OAuth consent screen as well –

Configure firewall rules

You might want to tag instances which you want to ssh into with a common tag – say “ssh-node”.

gcloud compute firewall-rules create iap-tunnel-rule \
--allow=tcp:22 --source-ranges= \
--target-tags=ssh-nodes  --network=YOUR_VCP_NETWORK

Grant permissions

gcloud projects add-iam-policy-binding PROJECT_ID \
   --member=user:[email protected] \


SSH to the instance with “–tunnel-through-iap” flag

$ gcloud compute ssh linux --zone=us-east1-c --tunnel-through-iap
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-1028-gcp x86_64)
  System load:  0.0               Processes:           99
  Usage of /:   32.4% of 9.52GB   Users logged in:     0
  Memory usage: 65%               IP address for ens4:
  Swap usage:   0%

$ w
 16:24:07 up 19 min,  1 user,  load average: 0.00, 0.01, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alice   pts/0   16:23    4.00s  0.04s  0.00s w


Note above, the source connecting IP shows as, that is with in the CIDR range of the IAP proxy we allowed in the firewall rule.


Leave a Reply

Your email address will not be published. Required fields are marked *