HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/396/help/man/man1/
Upload Files
File: //snap/google-cloud-cli/396/help/man/man1/gcloud_beta_compute_start-iap-tunnel.1
.TH "GCLOUD_BETA_COMPUTE_START\-IAP\-TUNNEL" 1



.SH "NAME"
.HP
gcloud beta compute start\-iap\-tunnel \- starts an IAP TCP forwarding tunnel



.SH "SYNOPSIS"
.HP
\f5gcloud beta compute start\-iap\-tunnel\fR \fIINSTANCE_NAME\fR \fIINSTANCE_PORT\fR [\fB\-\-iap\-tunnel\-disable\-connection\-check\fR] [\fB\-\-local\-host\-port\fR=\fILOCAL_HOST_PORT\fR;\ default="localhost:0"] [\fB\-\-zone\fR=\fIZONE\fR] [\fB\-\-network\fR=\fINETWORK\fR\ \fB\-\-region\fR=\fIREGION\fR\ :\ \fB\-\-dest\-group\fR=\fIDEST_GROUP\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(BETA)\fR Starts a tunnel to Cloud Identity\-Aware Proxy for TCP forwarding
through which another process can create a connection (eg. SSH, RDP) to a Google
Compute Engine instance.

To learn more, see the IAP for TCP forwarding documentation
(https://cloud.google.com/iap/docs/tcp\-forwarding\-overview).

If the \f5\-\-region\fR and \f5\-\-network\fR flags are provided, then an IP
address or FQDN must be supplied instead of an instance name. This is most
useful for connecting to on\-prem resources.



.SH "EXAMPLES"

To open a tunnel to the instances's RDP port on an arbitrary local port, run:

.RS 2m
$ gcloud beta compute start\-iap\-tunnel my\-instance 3389
.RE

To open a tunnel to the instance's RDP port on a specific local port, run:

.RS 2m
$ gcloud beta compute start\-iap\-tunnel my\-instance 3389 \e
    \-\-local\-host\-port=localhost:3333
.RE

To use the IP address or FQDN of your remote VM (eg, for on\-prem), you must
also specify the \f5\-\-region\fR and \f5\-\-network\fR flags:

.RS 2m
$ gcloud beta compute start\-iap\-tunnel 10.1.2.3 3389 \e
    \-\-region=us\-central1 \-\-network=default
.RE



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m
\fIINSTANCE_NAME\fR

Name of the instance to operate on. For details on valid instance names, refer
to the criteria documented under the field 'name' at:
https://cloud.google.com/compute/docs/reference/rest/v1/instances

.TP 2m
\fIINSTANCE_PORT\fR

The name or number of the instance's port to connect to.


.RE
.sp

.SH "FLAGS"

.RS 2m
.TP 2m
\fB\-\-iap\-tunnel\-disable\-connection\-check\fR

Disables the immediate check of the connection.

.TP 2m
\fB\-\-local\-host\-port\fR=\fILOCAL_HOST_PORT\fR; default="localhost:0"

\f5LOCAL_HOST:LOCAL_PORT\fR on which gcloud should bind and listen for
connections that should be tunneled.

\f5LOCAL_PORT\fR may be omitted, in which case it is treated as 0 and an
arbitrary unused local port is chosen. The colon also may be omitted in that
case.

If \f5LOCAL_PORT\fR is 0, an arbitrary unused local port is chosen.

.TP 2m
\fB\-\-zone\fR=\fIZONE\fR

Zone of the instance to operate on. If not specified, you might be prompted to
select a zone (interactive mode only). \f5gcloud\fR attempts to identify the
appropriate zone by searching for resources in your currently active project. If
the zone cannot be determined, \f5gcloud\fR prompts you for a selection with all
available Google Cloud Platform zones.

To avoid prompting when this flag is omitted, the user can set the
\f5\fIcompute/zone\fR\fR property:

.RS 2m
$ gcloud config set compute/zone ZONE
.RE

A list of zones can be fetched by running:

.RS 2m
$ gcloud compute zones list
.RE

To unset the property, run:

.RS 2m
$ gcloud config unset compute/zone
.RE

Alternatively, the zone can be stored in the environment variable
\f5\fICLOUDSDK_COMPUTE_ZONE\fR\fR.

.TP 2m
\fB\-\-network\fR=\fINETWORK\fR

Configures the VPC network to use when connecting via IP address or FQDN.

.TP 2m
\fB\-\-region\fR=\fIREGION\fR

Configures the region to use when connecting via IP address or FQDN.

.TP 2m
\fB\-\-dest\-group\fR=\fIDEST_GROUP\fR

Configures the destination group to use when connecting via IP address or FQDN.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in beta and might change without notice. These
variants are also available:

.RS 2m
$ gcloud compute start\-iap\-tunnel
.RE

.RS 2m
$ gcloud alpha compute start\-iap\-tunnel
.RE
@ Telegram