Compute Engine
Compute Engine

Accessing Virtual Machines in Google Cloud using IAP desktop

July 12, 2022


Security in cloud computing is a major concern especially when it comes to an enterprise workload. Exposing services and virtual machines to the internet is surrounded by the risk of security breaches and increased surface attacks. Since all the data is transferred using the Internet, data security is important in the cloud. Key mechanisms for protecting data in the cloud include

  • Access Control
  • Auditing
  • Authentication  
  • Authorization

In this tutorial below, we will be seeing how to Access virtual machines in your google cloud project with IAP Desktop using the concept of TCP forwarding.

What is IAP TCP Forwarding?

The TCP forwarding functionality of IAP enables you to manage who can access administrative services like SSH and RDP on your backends via the open internet. These services are shielded from the public internet via the TCP forwarding capability. Instead, to access their intended resource, requests to your services must first pass authentication and authorization checks.

Running workloads in the cloud exposes administrative services directly to the internet, which poses a danger. You can lower that risk by using IAP to forward TCP traffic and guarantee that only authorized users have access to these sensitive services.

SSH, RDP, and other types of traffic can be forwarded to VM instances using IAP TCP forwarding by creating an encrypted tunnel. You can also have precise control over which users are permitted to create tunnels and which VM instances users are permitted to connect to with IAP TCP forwarding.

How does IAP’s TCP Forwarding work?

The TCP forwarding function of IAP enables users to establish connections to any TCP port on Compute Engine instances. IAP establishes a listening port on the local host that directs all general TCP traffic to a particular instance. IAP then encrypts all client traffic before sending it. If users successfully authenticate and are authorized by the Identity and Access Management (IAM) policy for the target resource, they are granted access to the interface and port.

Sample Architecture

In a special case, establishing an SSH connection using gcloud compute ssh wraps the SSH connection inside HTTPS and forwards it to the remote instance without the need for a listening port on the local host.

Direct requests to an admin resource are not immediately barred when IAP is enabled. IAP only denies TCP requests to pertinent services on the resource that are not coming from IAP TCP forwarding IPs.

The assignment of a public, routable IP address to your resource is not necessary for TCP forwarding with IAP. It makes use of internal IPs instead.

What is an IAP Desktop?

IAP Desktop is a Windows programme that enables you to manage several Remote Desktop and SSH connections to Google Cloud-based virtual machine instances.

IAP Desktop uses Identity-Aware-Proxy TCP tunnelling to connect to VM instances, combining the convenience of a Remote Desktop connection manager with the security and flexibility of Identity-Aware-Proxy:

  • You can connect from anywhere, not only from selected networks.
  • You can connect to VM instance that does not have a public IP address or NAT access to the internet.
  • Even if your workstation is protected by a corporate firewall or proxy, you can connect because the TCP forwarding tunnel is created over HTTPS.
  • Using Cloud IAM, you can precisely manage who is permitted to connect to a virtual machine.
  • SSH and RDP do not need to be accessible over the open internet.


Before you start with this tutorial, you will need the following:

  1. Google Cloud Project
  2. Custom mode VPC network

Preparing your project for IAP TCP forwarding

Create a firewall rule

Create a firewall rule to allow IAP to connect your VM instance, following the below:

  1. This applies to all VM instances that you wish to be reachable via IAP in order to permit IAP to connect to them.
  2. Permits traffic from the IP range to enter. All IP addresses that IAP use for TCP forwarding is included in this range.
  3. Enables connections to all ports that you want open, such as port 22 for SSH and port 3389 for RDP, by using IAP TCP forwarding.
  1. Log in to the Google Cloud Console
  2. From the Navigation Menu select the VPC Networks
  3. Select Firewall Rules from the left Navigation
  4. Click, Create firewall rule on the Firewall Rules page
  5. Configure the following settings:
  6. Name: allow-ingress-from-iap
  7. Direction of traffic: Ingress
  8. Target: All instances in the network
  9. Source filter: IP ranges
  10. Source IP ranges:
  11. Protocols and ports: Select TCP and enter 22,3389 to allow both RDP and SSH.
  12. Create
Grant permissions to use IAP TCP forwarding

Configure Identity and Access Management (IAM) permissions to determine which users and groups may utilize IAP TCP forwarding and which VM instances they can connect to.

We recommend granting below mentioned IAM Role:

  1. Open the IAM & Admin page in the Google Cloud console.
  2. On the IAM & Admin page, click Add and configure the following:
  3. New principals: Specify the user or group you want to grant access.
  4. Select a role: Select Cloud IAP > IAP-Secured Tunnel User.
  5. Click Add another role and configure the following
  6. Select a role Select Compute Engine > Compute Instance Admin (v1).
  7. Click Save

Installing IAP Desktop within your Local Machine

Prerequisites for Installing IAP Desktop

To install IAP Desktop, you need:

  • Operating systems Windows 8 or later, Windows Server 2012 or higher
  • Internet access (at least to Google APIs), either directly, via an HTTP proxy, or via NAT
  • You do not need admin rights unless you are installing on Windows Server.
IAP Desktop Installation

To install IAP Desktop on your computer, follow these steps:

1.  Download the latest installer package.

2. To begin the installation, double-click the downloaded IapDesktop.msi file.

3. Click Install if you agree to the Apache 2.0 license.

4. When the installation is done, click Finish to start IAP Desktop:

Connecting to Google Cloud

You now set up IAP Desktop for first use:

1. On the Sign-in dialog, click Sign in:

2. A web browser window opens.

3. Sign in with your Google account.

4. Allow IAP Desktop to See, Edit, Configure, and Delete Your Google Cloud Data by checking the box on the IAP Desktop wants to access your Google account page:

IAP Desktop requires this scope to access your Google Cloud projects and to use IAP TCP forwarding.

1. To finish the sign-in process, click Continue.

2. Select your Google Cloud project in the Add project dialog and click Add project.

The Project Explorer now displays the project and all VM instances:

3. Optionally, click File > Add project in the menu to add additional projects.

Connecting to Linux instances

To connect to a Linux VM by using SSH, do the following:

1. Right-click a VM instance in the Project Explorer tool window and select Connect:

2. IAP Desktop now automatically publishes your SSH public key, creates an IAP TCP forwarding tunnel, and opens a terminal:

Connecting to windows Instances

To connect to a Windows VM by using Remote Desktop (RDP), do the following:

1. In the Project Explorer tool window, right-click a VM instance and select Connect:

2. If this is the first time you connect to the VM instance, you'll see a prompt:

  • Click Generate new credentials to create a Windows user account on the chosen virtual machine instance and log in with it. Special permissions are necessary to create a Windows user account. This option is hidden if you lack such rights.
  • Click Configure credentials to open the Connection Settings tool window and enter and save your Windows credentials. These saved credentials will be used by IAP Desktop during subsequent connection attempts.
  • If you don't want to save any credentials, choose Connect without setting credentials. The username and password will not be saved for later use, but you will still get a prompt for your credentials.

3. IAP Desktop now automatically builds an IAP TCP forwarding tunnel and connects you to the Windows VM's Remote Desktop:

More Blogs

Beyond Firewalls: Build Stronger Security Teams with Quadra (SOC)NXT's Expertise.
Beyond Firewalls: Build Stronger Security Teams with Quadra (SOC)NXT's Expertise.
Tue, May 25th 2021 8:04 AM

Every click, swipe, and transaction leave a trace in the virtual realm, the battleground of cybersecurity has never been more critical. As you read this, a cyber-attack occurs every 39 seconds, leaving...

Read more 
External link
Cloud Firewall Standard: Protect Your Google Cloud Network from Advanced Threats
Cloud Firewall Standard: Protect Your Google Cloud Network from Advanced Threats
Tue, May 25th 2021 8:04 AM

Google Cloud's Cloud Firewall Standard, a fully distributed firewall service provides granular control over network traffic to and from your Google Cloud resources.

Read more 
External link
Accelerate Your Business with Windows Server VM Instances on Google Cloud Compute Engine
Accelerate Your Business with Windows Server VM Instances on Google Cloud Compute Engine
Tue, May 25th 2021 8:04 AM

Creating a Windows Server VM instance in Google Cloud's Compute Engine allows you to deploy and run your Windows-based applications in a flexible and scalable environment.

Read more 
External link
Go back