gcloud alpha compute start-iap-tunnel

NAME: gcloud alpha compute start-iap-tunnel - starts an IAP TCP forwarding tunnel
SYNOPSIS: gcloud alpha compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT [--iap-tunnel-disable-connection-check] [--local-host-port=LOCAL_HOST_PORT; default="localhost:0"] [--zone=ZONE] [--region=REGION : [--network=NETWORK : --dest-group=DEST_GROUP]] [GCLOUD_WIDE_FLAG …]
DESCRIPTION: (ALPHA) Starts a tunnel to Cloud Identity-Aware Proxy for TCP forwarding through which another process can create a connection (eg. SSH, RDP) to a Google Compute Engine instance.
To learn more, see the IAP for TCP forwarding documentation.
If the --region and --network flags are provided, then an IP address or FQDN must be supplied instead of an instance name. This is most useful for connecting to on-prem resources.
EXAMPLES: To open a tunnel to the instances's RDP port on an arbitrary local port, run:
gcloud alpha compute start-iap-tunnel my-instance 3389

To open a tunnel to the instance's RDP port on a specific local port, run:
gcloud alpha compute start-iap-tunnel my-instance 3389 --local-host-port=localhost:3333

To use the IP address or FQDN of your remote VM (eg, for on-prem), you must also specify the --region and --network flags:
gcloud alpha compute start-iap-tunnel 10.1.2.3 3389 --region=us-central1 --network=default
POSITIONAL ARGUMENTS: INSTANCE_NAME

Name of the instance to operate on. For details on valid instance names, refer to the criteria documented under the field 'name' at: https://cloud.google.com/compute/docs/reference/rest/v1/instances

INSTANCE_PORT

The name or number of the instance's port to connect to.
FLAGS: --iap-tunnel-disable-connection-check

Disables the immediate check of the connection.

--local-host-port=LOCAL_HOST_PORT; default="localhost:0"

LOCAL_HOST:LOCAL_PORT on which gcloud should bind and listen for connections that should be tunneled.
LOCAL_PORT may be omitted, in which case it is treated as 0 and an arbitrary unused local port is chosen. The colon also may be omitted in that case.
If LOCAL_PORT is 0, an arbitrary unused local port is chosen.

--zone=ZONE

Zone of the instance to operate on. If not specified, you might be prompted to select a zone (interactive mode only). gcloud attempts to identify the appropriate zone by searching for resources in your currently active project. If the zone cannot be determined, gcloud prompts you for a selection with all available Google Cloud Platform zones.
To avoid prompting when this flag is omitted, the user can set the compute/zone property:
gcloud config set compute/zone ZONE

A list of zones can be fetched by running:
gcloud compute zones list

To unset the property, run:
gcloud config unset compute/zone

Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.

--region=REGION

Configures the region to use when connecting via IP address or FQDN.

At most one of these can be specified:

--network=NETWORK

Configures the VPC network to use when connecting via IP address or FQDN.
This flag argument must be specified if any of the other arguments in this group are specified.

--dest-group=DEST_GROUP

Configures the destination group to use when connecting via IP address or FQDN.
GCLOUD WIDE FLAGS: These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES: This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
gcloud compute start-iap-tunnel

gcloud beta compute start-iap-tunnel