SSH in a browser 4003: failed to connect to backend

Problem

When trying to SSH to a Google Compute Engine instance using SSH in a Browser, the user receives the following error:

Connection via Cloud Identity-Aware Proxy Failed

Code: 4003

Reason: failed to connect to backend

Environment

  • SSH command
  • Any browser
  • VM without a public IP address

Solution

  1. Ensure you have a firewall rule to allow Cloud Identity-Aware Proxy (IAP) to connect to port 22 on the instance. Full instructions can be found at https://cloud.google.com/iap/docs/using-tcp-forwarding#create-firewall-rule.

Cause

When an instance does not have a public IP address, SSH in a Browser needs to forward the SSH connection through IAP. The error "failed to connect to backend" indicates that the IAP proxy service was unable to open a TCP connection to the instance.

This is most often because the VPC firewall has no rule that allows the proxy to connect to the instance. It could also be caused by the OS firewall or another VM network connectivity issue.
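One way to check the VPC firewall cause offline is the following added example, which is not from the original article or from Google. It evaluates rules exported with `gcloud compute firewall-rules list --format=json` and reports which rule decides whether the IAP TCP forwarding range (35.235.240.0/20) reaches port 22. The function names and sample rules are hypothetical, hierarchical firewall policies are not modelled, and a deny rule touching any part of the IAP range is conservatively treated as blocking.

```python
import ipaddress

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # IAP TCP forwarding sources

def _hits_tcp(entries, port):
    """True if any allowed/denied entry covers TCP on the given port."""
    for e in entries:
        if e.get("IPProtocol", "").lower() not in ("tcp", "6", "all"):
            continue
        specs = e.get("ports")
        if not specs:  # no ports listed means every port
            return True
        for spec in specs:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def _targets(rule, tags, service_account):
    t, sa = rule.get("targetTags"), rule.get("targetServiceAccounts")
    if not t and not sa:
        return True  # rule applies to every instance in the network
    return bool(set(t or []) & set(tags)) or service_account in (sa or [])

def iap_ssh_verdict(rules, tags=(), service_account=None, port=22):
    """Return (allowed, deciding_rule_name) for IAP -> instance:port."""
    live = [r for r in rules
            if r.get("direction", "INGRESS") == "INGRESS" and not r.get("disabled")
            and _targets(r, tags, service_account)]
    # Lowest priority number wins; on a tie, deny beats allow.
    live.sort(key=lambda r: (r.get("priority", 1000), 0 if r.get("denied") else 1))
    for r in live:
        nets = [ipaddress.ip_network(s, strict=False) for s in r.get("sourceRanges", [])]
        if r.get("denied"):
            if _hits_tcp(r["denied"], port) and any(n.overlaps(IAP_RANGE) for n in nets):
                return False, r["name"]
        elif _hits_tcp(r.get("allowed", []), port) and any(
                n.version == 4 and n.supernet_of(IAP_RANGE) for n in nets):
            return True, r["name"]
    return False, "implied-deny-ingress"

# Constructed sample in the shape of the gcloud JSON export (not real project data).
SAMPLE_RULES = [
    {"name": "default-allow-internal", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-iap-ssh", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["35.235.240.0/20"], "targetTags": ["iap-ssh"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
print(iap_ssh_verdict(SAMPLE_RULES, tags=["iap-ssh"]))
```

A result of `(False, "implied-deny-ingress")` corresponds to the missing-rule case described above; a named deny rule in the result points at a higher-priority rule shadowing the IAP allow rule.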