# Access user VMs

This page describes how to access user VMs from a host with a VPN tunnel connection.

Hosts in the remote network with a VPN tunnel connection to a GDC organization can access the primary interface of organization user VMs, assuming egress and ingress traffic to the project containing the user VM is allowed.

Before you begin
----------------

To configure ingress and egress traffic for a VPN tunnel, you must have the following:

- An existing VPN tunnel. For more information, see [Create a VPN tunnel](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/configure-the-tunnel).
- Egress and ingress traffic enabled to the project containing the VM. For more information, see [Control ingress and egress traffic](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/egress-and-ingress).
- The necessary identity and access roles:

  - VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (`vpn-admin`) role.
  - VPN Viewer: has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (`vpn-viewer`) role.
  - Project VirtualMachine Admin: manages VMs in the project namespace. Ask your Organization IAM Admin to grant you the Project VirtualMachine Admin (`project-vm-admin`) role.
  - For more information, see [Role definitions](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/role-definitions).

Access the user VM
------------------

Follow these steps to access the primary interface of the user VM:

1. Get the interfaces of the user VM by viewing its respective `VirtualMachine` object in the org admin cluster:

   ```
   kubectl --kubeconfig MANAGEMENT_API_SERVER get -n PROJECT_NAME gvm VM_NAME -ojson | jq '.status.network.interfaces'
   ```

   Replace the following:

   - `MANAGEMENT_API_SERVER`: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#cli) for details.
   - `PROJECT_NAME`: the project namespace containing the VM.
   - `VM_NAME`: the name of the `VirtualMachine` object.

   The output looks like the following example:

   ```json
   [
     {
       "ipAddresses": [
         "172.16.19.189"
       ],
       "macAddress": "8a:fc:81:0b:41:dc",
       "name": "net1"
     }
   ]
   ```

2. Hosts in the remote network with a VPN tunnel connection to a GDC organization can access user VMs through the primary `net1` interface:

   ```
   /home/ubuntu# ssh -i ~/vm-access user@172.16.19.189
   ```

   For SSH access details, including retrieving a key for a VM, see [Connect to a VM](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/vms/connect-to-vm/connect-to-a-vm).

Last updated 2025-08-29 UTC.
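The two steps above (read `.status.network.interfaces` from the `VirtualMachine` object, then connect to the `net1` address over the tunnel) can be scripted so that the primary address is picked and validated before it is handed to `ssh`. The following is an added example and is not part of the GDC documentation or tooling; it assumes only the shape of the `interfaces` list shown in the step 1 output. The sample object `SAMPLE_VM_OBJECT` is constructed for the example, and the helper names `primary_interface_ip` and `ssh_command` are hypothetical. The example goes slightly beyond the page by also handling a VM whose status is not populated yet and by refusing a value that does not parse as an IP address.

```python
"""Pick the SSH target for a GDC user VM from its VirtualMachine status.

Added example, not part of the GDC documentation. It assumes only the
shape of ``.status.network.interfaces`` shown on the page: a list of
objects with ``name``, ``macAddress`` and ``ipAddresses``.
"""
import ipaddress
import json
import os
import shlex
from typing import Optional

# Constructed sample: what a ``kubectl ... get gvm VM_NAME -ojson`` call
# would return, reduced to the fields this example reads. The second
# interface has no address yet, which is the case the helper must tolerate.
SAMPLE_VM_OBJECT = json.dumps({
    "metadata": {"name": "example-vm", "namespace": "example-project"},
    "status": {
        "network": {
            "interfaces": [
                {"ipAddresses": ["172.16.19.189"],
                 "macAddress": "8a:fc:81:0b:41:dc",
                 "name": "net1"},
                {"ipAddresses": [],
                 "macAddress": "8a:fc:81:0b:41:dd",
                 "name": "net2"},
            ]
        }
    },
})

PRIMARY_INTERFACE = "net1"  # the interface reachable over the VPN tunnel


def primary_interface_ip(vm_json: str, iface: str = PRIMARY_INTERFACE) -> Optional[str]:
    """Return the first address on ``iface``, or None if it is not usable.

    None is returned (rather than raising) when the VM has no status yet,
    when the interface is absent or has no address, or when the value is
    not a valid IP address. The last check matters because the string is
    later placed into an ssh argv: anything that is not an address (for
    example an option-looking string) must never reach the command line.
    """
    obj = json.loads(vm_json)
    interfaces = obj.get("status", {}).get("network", {}).get("interfaces") or []
    for entry in interfaces:
        if entry.get("name") != iface:
            continue
        addrs = entry.get("ipAddresses") or []
        if not addrs:
            return None
        try:
            return str(ipaddress.ip_address(addrs[0]))
        except ValueError:
            return None
    return None


def ssh_command(ip: str, user: str, key_path: str) -> list[str]:
    """Build the argv for the ssh call shown in step 2 (not executed here)."""
    return ["ssh", "-i", os.path.expanduser(key_path), f"{user}@{ip}"]


if __name__ == "__main__":
    ip = primary_interface_ip(SAMPLE_VM_OBJECT)
    if ip is None:
        raise SystemExit(f"no usable address on {PRIMARY_INTERFACE}; is the VM running?")
    # Print the command rather than running it, so the result can be reviewed.
    print(shlex.join(ssh_command(ip, "user", "~/vm-access")))
```

In practice the JSON would come from the `kubectl ... -ojson` command in step 1 (without the `jq` filter, since the script reads the full object), and the user name and key path from the steps in the linked "Connect to a VM" page.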