Overview of TCP forwarding
This page describes how Identity-Aware Proxy (IAP) handles TCP
forwarding. To learn how to grant principals access to tunneled resources and how
to create tunnels that route TCP traffic, see
Using IAP for TCP forwarding.
Introduction
IAP's TCP forwarding feature lets you control who
can access administrative services like SSH and RDP on your backends from the
public internet. With TCP forwarding, these services are no longer
exposed directly to the internet. Instead, each request to them must pass
IAP's authentication and authorization checks before it reaches the target
resource.
Exposing administrative services directly to the internet when running workloads
in the cloud introduces risk. Forwarding TCP traffic with IAP
allows you to reduce that risk, ensuring only authorized users gain access to
these sensitive services.
Since this feature is specifically aimed at administrative services,
load-balanced targets aren't supported. Administrative services, as defined
here, are services that are typically used to administer a machine, such as
RDP, SSH, and MySQL's admin interface.
Calling the IAP TCP forwarding service isn't supported on
mobile devices.
How IAP's TCP forwarding works
IAP's TCP forwarding feature lets users connect to
arbitrary TCP ports on Compute Engine instances. For general TCP traffic, the
gcloud CLI (gcloud compute start-iap-tunnel) opens a listening port on the
local host and forwards everything sent to that port to the specified instance
and port. The client-side traffic is wrapped in HTTPS and relayed through IAP,
which admits the connection only if the caller passes authentication and the
authorization check of the target resource's Identity and Access Management
(IAM) policy (the required permission is iap.tunnelInstances.accessViaIAP,
granted for example by the IAP-secured Tunnel User role).
A special case: an SSH connection established with gcloud compute ssh
--tunnel-through-iap wraps the SSH session inside HTTPS and forwards it to the
remote instance directly, with no listening port on the local host.
Enabling IAP on an admin resource doesn't automatically block
direct requests to the resource. IAP is an additional path into the instance,
not a filter in front of it: traffic that reaches the instance by any other
route is unaffected. To make the tunnel the only path, configure VPC firewall
rules so that the administrative ports accept ingress only from IAP's TCP
forwarding source range, 35.235.240.0/20, and make sure no broader rule (for
example, one allowing port 22 from 0.0.0.0/0) still applies to the same
instances.
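Because the firewall rules, not IAP, decide whether the tunnel is the only way in, a quick audit of the rules is the check a practitioner wants after enabling TCP forwarding. The script below is an added example, not code from the IAP documentation or from Google. It reads firewall rules in the JSON shape produced by gcloud compute firewall-rules list --format=json, and flags every enabled INGRESS rule that lets SSH (22) or RDP (3389) in from any source outside 35.235.240.0/20, the documented IAP TCP forwarding range. The sample rules, their names, and the project name in the network URL are constructed for this example; a weak rule (SSH from 0.0.0.0/0) is shown next to the corrected IAP-only rule, and port ranges and protocol "all" are handled, since those are the forms that slip past a naive port-equality check.

```python
"""Audit VPC firewall rules for admin ports reachable from outside
IAP's TCP forwarding range (added example; input format matches
`gcloud compute firewall-rules list --format=json`)."""
import ipaddress
import json

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")   # IAP TCP forwarding source range
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}                # ports this audit cares about

# Constructed sample input: names, ranges and project are made up for the example.
SAMPLE_RULES = json.dumps([
    {   # weak: SSH open to the whole internet, bypasses IAP entirely
        "name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
        "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/default",
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
    },
    {   # corrected: only IAP's forwarding range may reach SSH/RDP
        "name": "allow-iap-tunnel", "direction": "INGRESS", "disabled": False,
        "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/default",
        "sourceRanges": ["35.235.240.0/20"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}],
    },
    {   # a port range that happens to include RDP, from an office range: still a bypass
        "name": "allow-office-range", "direction": "INGRESS", "disabled": False,
        "sourceRanges": ["203.0.113.0/24"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}],
    },
    {   # every protocol and port, but disabled, so it is skipped
        "name": "allow-all-disabled", "direction": "INGRESS", "disabled": True,
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "all"}],
    },
    {   # egress rule: irrelevant to inbound admin access
        "name": "egress-any", "direction": "EGRESS", "disabled": False,
        "destinationRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "all"}],
    },
])


def _covers_port(allowed_entry, port):
    """True if one `allowed` entry admits TCP traffic to `port`."""
    proto = allowed_entry.get("IPProtocol", "").lower()
    if proto not in ("tcp", "all"):
        return False
    ports = allowed_entry.get("ports")
    if not ports:            # no ports listed means every port of that protocol
        return True
    for spec in ports:       # "22" or "3000-4000"
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _non_iap_sources(source_ranges):
    """Return the source CIDRs that are not wholly inside the IAP range."""
    bad = []
    for src in source_ranges:
        net = ipaddress.ip_network(src, strict=False)
        # subnet_of() raises on mixed IP versions, so treat any IPv6 source as outside
        if net.version != 4 or not net.subnet_of(IAP_RANGE):
            bad.append(src)
    return bad


def audit(rules_json):
    """Return findings for enabled INGRESS rules exposing admin ports beyond IAP.

    Rules that select sources by tag or service account only (no sourceRanges)
    describe intra-VPC traffic and are not flagged here."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        exposed = {name for port, name in ADMIN_PORTS.items()
                   if any(_covers_port(a, port) for a in rule.get("allowed", []))}
        if not exposed:
            continue
        bad_sources = _non_iap_sources(rule.get("sourceRanges", []))
        if bad_sources:
            findings.append({"rule": rule["name"],
                             "services": sorted(exposed),
                             "sources": bad_sources})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f['rule']}: {', '.join(f['services'])} reachable from {', '.join(f['sources'])}")
```

Run against real output by piping gcloud compute firewall-rules list --format=json into audit(); any finding is a route into the instance that does not pass through IAP, regardless of how the IAM policy on the tunnel is set. Rules are evaluated individually here, so a flagged rule may in practice be overridden by a higher-priority deny; treat findings as a list of rules to review, not a final verdict.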
TCP forwarding with IAP doesn't require a
public, routable IP address assigned to your resource: the tunnel reaches the
instance through its internal IP address, so the instance can be left without
an external IP entirely.
What's next
Learn how to connect to TCP ports on instances
and grant principals access to tunneled resources.
Last updated 2025-08-28 UTC.