Overview of TCP forwarding

This page describes how Cloud Identity-Aware Proxy (Cloud IAP) handles TCP forwarding. To learn how to grant members access to tunneled resources and how to create tunnels that route TCP traffic, see Using Cloud IAP for TCP forwarding.


Cloud IAP's TCP forwarding feature lets you control who can access administrative services like SSH and RDP on your backends from the public internet. The TCP forwarding feature prevents these services from being openly exposed to the internet. Instead, requests to your services must pass authentication and authorization checks before they get to their target resource.

Exposing administrative services directly to the internet when running workloads in the cloud introduces risk. Forwarding TCP traffic with Cloud IAP allows you to reduce that risk, ensuring only authorized users gain access to these sensitive services.

Since this feature is specifically aimed at administrative services, load-balanced targets aren't supported.

Calling the Cloud IAP TCP forwarding service isn't supported on mobile devices.

How Cloud IAP's TCP forwarding works

Cloud IAP's TCP forwarding feature allows users to connect to arbitrary TCP ports on Compute Engine instances. For general TCP traffic, Cloud IAP creates a listening port on the local host that forwards all traffic to a specified instance. Cloud IAP then wraps all traffic from the client in HTTPS. Users gain access to the interface and port if they pass the authentication and authorization check of the target resource's Cloud Identity and Access Management (Cloud IAM) policy.

A special case, establishing an SSH connection using gcloud compute ssh wraps the SSH connection inside HTTPS and forwards it to the remote instance without the need of a listening port on local host.

Enabling Cloud IAP on an admin resource doesn't automatically block direct requests to the resource. Cloud IAP only blocks TCP requests that aren't from Cloud IAP TCP forwarding IPs to relevant services on the resource.

TCP forwarding with Cloud IAP doesn't require a public, routable IP address assigned to your resource. Instead, it uses internal IPs.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

Identity-Aware Proxy Documentation