3

I am not sure if this is a strange behavior of Google Compute Engine. I have a VM without an External IP. Now, when I click the ssh button I can still connect to it and I see the log:

External IP address was not found; defaulting to using IAP tunneling.

I have not configured any IAP though. So how can that be possible? Is then IAP tunnelling always on?

John Hanley
toto'

2 Answers

2

Identity Aware Proxy is a managed Google Cloud service. This service is always running. Access is controlled through IAM roles. The CLI is connecting to an IAP endpoint, requesting the creation of a TCP tunnel and then forwarding traffic to your instance via this tunnel.

John Hanley
  • Reading here ... https://cloud.google.com/iap/docs/using-tcp-forwarding ... it seems to pose (for me) two follow on questions: 1. Do I have to open up ingress for IAP's netblock 35.235.240.0/20 2. Does the SSH session starter have to have the "IAP-Secured Tunnel User" role? – Kolban Apr 10 '20 at 19:01
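Kolban's first follow-up (ingress from 35.235.240.0/20) is the part worth verifying on a real project: a rule that admits port 22 from 0.0.0.0/0 also works with IAP, but it gives away the benefit of having no external IP. Below is an added example, not code from any answer here, that checks firewall rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json` (Compute API Firewall resources) and separates the port-22 rules scoped to the IAP range from everything else; the sample rules are constructed.

```python
import ipaddress
import json

# IAP TCP-forwarding source range, from the documentation linked in the comment above.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`;
# not taken from any real project.
SAMPLE_RULES = json.loads("""
[
  {"name": "allow-ssh-from-iap", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["35.235.240.0/20"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
  {"name": "allow-internal", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.128.0.0/9"],
   "allowed": [{"IPProtocol": "all"}]}
]
""")

def _port_in_spec(port, spec):
    """True if `port` falls inside a port entry such as "22" or "20-25"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _rule_allows_tcp(rule, port):
    """True if any allowed entry admits TCP `port` (no ports listed means all ports)."""
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(_port_in_spec(port, p) for p in ports):
            return True
    return False

def classify_ssh_ingress(rules, port=22):
    """Return (names of active INGRESS rules for `port` scoped entirely inside the IAP
    range, names of active INGRESS rules for `port` with any other or missing source)."""
    iap_only, other = [], []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not _rule_allows_tcp(rule, port):
            continue
        ranges = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
        if ranges and all(r.subnet_of(IAP_RANGE) for r in ranges):
            iap_only.append(rule["name"])
        else:
            other.append(rule["name"])
    return iap_only, other
```

Rules landing in the second list (including ones keyed on source tags rather than ranges) are the ones to review; the IAP tunnel only needs the first kind.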
1

If you don't set an external IP address on your VM Instance, as you can see in this documentation, you will have to use one of these 3 methods to connect to your Instance: 1.- Creating a VPN, 2.- Using a Bastion Host, 3.- Using Identity-Aware Proxy

The most common is to use IAP or VPN; the Bastion host method is more complicated and expensive.

Jujosiga
  • Ok, but I understand that while the other methods require a setup, the IAP is "always" on, it is just a matter of adding users to the proper IAM role, right? Thanks. – toto' Jan 22 '20 at 18:54
  • As the accepted answer said, IAP is a default feature of GCP security. It adapts the forwarded traffic as an HTTPS stream, combined with OAuth to certify the users / applications you want to get access to your project / VM Instances. – Jujosiga Jan 22 '20 at 19:32