.TH "GCLOUD_ALPHA_COMPUTE_START\-IAP\-TUNNEL" 1



.SH "NAME"
.HP
gcloud alpha compute start\-iap\-tunnel \- starts an IAP TCP forwarding tunnel



.SH "SYNOPSIS"
.HP
\f5gcloud alpha compute start\-iap\-tunnel\fR \fIINSTANCE_NAME\fR \fIINSTANCE_PORT\fR [\fB\-\-iap\-tunnel\-disable\-connection\-check\fR] [\fB\-\-local\-host\-port\fR=\fILOCAL_HOST_PORT\fR;\ default="localhost:0"] [\fB\-\-zone\fR=\fIZONE\fR] [\fB\-\-region\fR=\fIREGION\fR\ :\ [\fB\-\-network\fR=\fINETWORK\fR\ :\ \fB\-\-dest\-group\fR=\fIDEST_GROUP\fR]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(ALPHA)\fR Starts a tunnel to Cloud Identity\-Aware Proxy for TCP forwarding
through which another process can create a connection (e.g. SSH, RDP) to a Google
Compute Engine instance.

To learn more, see the IAP for TCP forwarding documentation
(https://cloud.google.com/iap/docs/tcp\-forwarding\-overview).

If the \f5\-\-region\fR and \f5\-\-network\fR flags are provided, then an IP
address or FQDN must be supplied instead of an instance name. This is most
useful for connecting to on\-prem resources.



.SH "EXAMPLES"

To open a tunnel to the instance's RDP port on an arbitrary local port, run:

.RS 2m
$ gcloud alpha compute start\-iap\-tunnel my\-instance 3389
.RE

To open a tunnel to the instance's RDP port on a specific local port, run:

.RS 2m
$ gcloud alpha compute start\-iap\-tunnel my\-instance 3389 \e
    \-\-local\-host\-port=localhost:3333
.RE

To use the IP address or FQDN of your remote VM (e.g., for on\-prem), you must
also specify the \f5\-\-region\fR and \f5\-\-network\fR flags:

.RS 2m
$ gcloud alpha compute start\-iap\-tunnel 10.1.2.3 3389 \e
    \-\-region=us\-central1 \-\-network=default
.RE



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m
\fIINSTANCE_NAME\fR

Name of the instance to operate on. For details on valid instance names, refer
to the criteria documented under the field 'name' at:
https://cloud.google.com/compute/docs/reference/rest/v1/instances

.TP 2m
\fIINSTANCE_PORT\fR

The name or number of the instance's port to connect to.


.RE
.sp

.SH "FLAGS"

.RS 2m
.TP 2m
\fB\-\-iap\-tunnel\-disable\-connection\-check\fR

Disables the immediate check of the connection.

.TP 2m
\fB\-\-local\-host\-port\fR=\fILOCAL_HOST_PORT\fR; default="localhost:0"

\f5LOCAL_HOST:LOCAL_PORT\fR on which gcloud should bind and listen for
connections that should be tunneled.

\f5LOCAL_PORT\fR may be omitted, in which case it is treated as 0 and an
arbitrary unused local port is chosen. The colon also may be omitted in that
case.

If \f5LOCAL_PORT\fR is 0, an arbitrary unused local port is chosen.

.TP 2m
\fB\-\-zone\fR=\fIZONE\fR

Zone of the instance to operate on. If not specified, you might be prompted to
select a zone (interactive mode only). \f5gcloud\fR attempts to identify the
appropriate zone by searching for resources in your currently active project. If
the zone cannot be determined, \f5gcloud\fR prompts you for a selection with all
available Google Cloud Platform zones.

To avoid prompting when this flag is omitted, the user can set the
\f5\fIcompute/zone\fR\fR property:

.RS 2m
$ gcloud config set compute/zone ZONE
.RE

A list of zones can be fetched by running:

.RS 2m
$ gcloud compute zones list
.RE

To unset the property, run:

.RS 2m
$ gcloud config unset compute/zone
.RE

Alternatively, the zone can be stored in the environment variable
\f5\fICLOUDSDK_COMPUTE_ZONE\fR\fR.

.TP 2m
\fB\-\-region\fR=\fIREGION\fR

Configures the region to use when connecting via IP address or FQDN.

.TP 2m

At most one of these can be specified:


.RS 2m
.TP 2m
\fB\-\-network\fR=\fINETWORK\fR

Configures the VPC network to use when connecting via IP address or FQDN.

This flag argument must be specified if any of the other arguments in this group
are specified.

.TP 2m
\fB\-\-dest\-group\fR=\fIDEST_GROUP\fR

Configures the destination group to use when connecting via IP address or FQDN.


.RE
.RE
.sp
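
The \f5LOCAL_HOST:LOCAL_PORT\fR rules given for \f5\-\-local\-host\-port\fR, as an added example that is not part of the gcloud documentation or source: a pre\-flight check that parses the value the way the flag text describes and reports whether the listener would bind to loopback only. The function names \f5parse_local_host_port\fR and \f5bind_scope\fR and the sample values are assumptions made for this example; IPv6 literals are not handled.

```shell
#!/bin/sh
# Added example, not gcloud code: pre-flight check for a --local-host-port value.

# Split LOCAL_HOST[:LOCAL_PORT] as the flag text describes: an omitted port,
# with or without the colon, is treated as 0. Prints "HOST PORT".
# Assumption: hostnames and IPv4 literals only; IPv6 literals are not handled.
parse_local_host_port() {
    value=$1
    case $value in
        *:*) host=${value%:*}; port=${value##*:} ;;
        *)   host=$value; port=0 ;;
    esac
    [ -n "$port" ] || port=0
    [ -n "$host" ] || return 2
    case $port in
        *[!0-9]*) return 2 ;;
    esac
    [ "${#port}" -le 5 ] && [ "$port" -le 65535 ] || return 2
    echo "$host $port"
}

# Classify where the listener would bind: "loopback" is reachable only from
# the local machine, "exposed" is any other host value (it may be reachable
# from other hosts), "invalid" is a value that does not parse.
bind_scope() {
    parsed=$(parse_local_host_port "$1") || { echo invalid; return 0; }
    host=${parsed% *}
    case $host in
        localhost) echo loopback ;;
        127.*[!0-9.]*) echo exposed ;;
        127.*.*.*) echo loopback ;;
        *) echo exposed ;;
    esac
}

# Constructed sample values, not taken from the man page.
for v in localhost localhost:3333 0.0.0.0:3389 127.evil.example:1 host:99999; do
    echo "$v -> $(bind_scope "$v")"
done
```

A wrapper script can call \f5bind_scope\fR on the intended value and refuse to start the tunnel unless the result is \f5loopback\fR.
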

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation\-only early access
allowlist. These variants are also available:

.RS 2m
$ gcloud compute start\-iap\-tunnel
.RE

.RS 2m
$ gcloud beta compute start\-iap\-tunnel
.RE