Overview of TCP forwarding

This page describes how Identity-Aware Proxy (IAP) handles TCP forwarding. To learn how to grant principals access to tunneled resources and how to create tunnels that route TCP traffic, see Using IAP for TCP forwarding.

Introduction

IAP's TCP forwarding feature lets you control who can access administrative services like SSH and RDP on your backends from the public internet. The TCP forwarding feature prevents these services from being openly exposed to the internet. Instead, requests to your services must pass authentication and authorization checks before they get to their target resource.

Exposing administrative services directly to the internet when running workloads in the cloud introduces risk. Forwarding TCP traffic with IAP allows you to reduce that risk, ensuring only authorized users gain access to these sensitive services.

Since this feature is specifically aimed at administrative services, load-balanced targets aren't supported.

Calling the IAP TCP forwarding service isn't supported on mobile devices.

How IAP's TCP forwarding works

IAP's TCP forwarding feature allows users to connect to arbitrary TCP ports on Compute Engine instances. For general TCP traffic, IAP creates a listening port on the local host that forwards all traffic to a specified instance. IAP then wraps all traffic from the client in HTTPS. Users gain access to the interface and port if they pass the authentication and authorization check of the target resource's Identity and Access Management (IAM) policy.

A special case, establishing an SSH connection using gcloud compute ssh wraps the SSH connection inside HTTPS and forwards it to the remote instance without the need of a listening port on local host.

Enabling IAP on an admin resource doesn't automatically block direct requests to the resource. IAP only blocks TCP requests that aren't from IAP TCP forwarding IPs to relevant services on the resource.

TCP forwarding with IAP doesn't require a public, routable IP address assigned to your resource. Instead, it uses internal IPs.

What's next