gcloud compute start-iap-tunnel

gcloud compute start-iap-tunnel - starts an IAP TCP forwarding tunnel
gcloud compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT [--local-host-port=LOCAL_HOST_PORT; default="localhost:0"] [--zone=ZONE] [GCLOUD_WIDE_FLAG]
Starts a tunnel to Cloud Identity-Aware Proxy for TCP forwarding, through which another process can create a connection (e.g., SSH, RDP) to a Google Compute Engine instance.

To learn more, see the [IAP for TCP forwarding documentation](https://cloud.google.com/iap/docs/tcp-forwarding-overview).

INSTANCE_NAME
Name of the instance to operate on. For details on valid instance names, refer to the criteria documented under the field 'name' at: https://cloud.google.com/compute/docs/reference/rest/v1/instances

INSTANCE_PORT
The name or number of the instance's port to connect to.

--local-host-port=LOCAL_HOST_PORT; default="localhost:0"
LOCAL_HOST:LOCAL_PORT on which gcloud should bind and listen for connections that should be tunneled.

LOCAL_PORT may be omitted, in which case it is treated as 0 and an arbitrary unused local port is chosen. The colon also may be omitted in that case.

If LOCAL_PORT is 0, an arbitrary unused local port is chosen.

--zone=ZONE
Zone of the instance to operate on. If not specified, you may be prompted to select a zone (interactive mode only). gcloud attempts to identify the appropriate zone by searching for resources in your currently active project. If the zone cannot be determined, gcloud prompts you for a selection with all available Google Cloud Platform zones.

To avoid prompting when this flag is omitted, the user can set the compute/zone property:

gcloud config set compute/zone ZONE

A list of zones can be fetched by running:

gcloud compute zones list

To unset the property, run:

gcloud config unset compute/zone

Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.

These flags are available to all commands: --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

To open a tunnel to the instance's RDP port on an arbitrary local port, run:

gcloud compute start-iap-tunnel my-instance 3389

To open a tunnel to the instance's RDP port on a specific local port, run:

gcloud compute start-iap-tunnel my-instance 3389 --local-host-port=localhost:3333
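
The wrapper below is an added example, not part of gcloud or its documentation. It parses a --local-host-port value using the rules described for that flag (port omitted means 0, colon optional) and prints the tunnel command only when the listener stays on loopback, so the authenticated tunnel is not reachable from other hosts. The function names and the loopback-only policy (hostname or IPv4 values only, empty host rejected) are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate --local-host-port before starting an IAP tunnel.

# parse_local_host_port VALUE -> prints "HOST PORT"
# Documented rules: LOCAL_PORT may be omitted (treated as 0), and the colon
# may be omitted as well. Port 0 means an arbitrary unused local port.
parse_local_host_port() {
  value=$1
  case $value in
    *:*) host=${value%:*}; port=${value##*:} ;;
    *)   host=$value;      port=0 ;;
  esac
  [ -n "$port" ] || port=0                      # "localhost:" -> port 0
  case $port in
    *[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
  esac
  [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  # Policy of this example (assumption): an empty host is rejected.
  [ -n "$host" ] || { echo "empty host in: $value" >&2; return 1; }
  printf '%s %s\n' "$host" "$port"
}

# is_loopback_host HOST -> exit status 0 only for loopback names (assumed list).
is_loopback_host() {
  case $1 in
    localhost|127.0.0.1) return 0 ;;
    *) return 1 ;;
  esac
}

# safe_tunnel_cmd INSTANCE_NAME INSTANCE_PORT [LOCAL_HOST_PORT]
# Prints the gcloud command line for review, or fails if the listener would
# bind to an address other hosts can reach (for example 0.0.0.0).
safe_tunnel_cmd() {
  lhp=${3:-localhost:0}                         # same default as the flag
  parsed=$(parse_local_host_port "$lhp") || return 1
  host=${parsed% *}
  port=${parsed#* }
  is_loopback_host "$host" || {
    echo "refusing non-loopback bind: $host" >&2
    return 1
  }
  printf 'gcloud compute start-iap-tunnel %s %s --local-host-port=%s:%s\n' \
    "$1" "$2" "$host" "$port"
}

# Usage: safe_tunnel_cmd my-instance 3389 localhost:3333
```

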
These variants are also available:
gcloud alpha compute start-iap-tunnel
gcloud beta compute start-iap-tunnel