How to ssh into your GCE machine without a public IP


In this article, I will show you how you can ssh into your Compute Engine machine without public IP, only using the internal IP.

Before we start…

Before we start I will add a few important concepts of how we can achieve that.

Today more and more companies are using extra layers of VPNs, MFA, security process, firewalls, routers, etc… in order to authenticate who needs access to a server or to an application.

Google created the BeyondCorp implementation within GCP that contains several security products, and the one we will use here is Identity-Aware Proxy (IAP).


BeyondCorp is Google’s implementation of the zero-trust security model that builds upon eight years of building zero trust networks at Google, combined with ideas and best practices from the community. By shifting access controls from the network perimeter to individual users and devices, BeyondCorp allows employees, contractors, and other users to work more securely from virtually any location without the need for a traditional VPN.

BeyondCorp began as an internal Google initiative to enable every employee to work from untrusted networks without the use of a VPN. BeyondCorp is used by most Googlers every day, to provide user- and device-based authentication and authorization for Google’s core infrastructure.

Identity Aware Proxy

IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.

IAP policies scale across your organization. You can define access policies centrally and apply them to all of your applications and resources. When you assign a dedicated team to create and enforce policies, you protect your project from incorrect policy definition or implementation in any application.

Max Saltonstall created a really good post explaining more details about IAP and BeyondCorp that you can check it out here.


Before start

You will need a GCP project, so if you haven’t created yet you can follow these steps:

  1. Go to the Manage resources page in the Cloud Console.
  2. On the Select organization drop-down list at the top of the page, select the organization in which you want to create a project. If you are a free trial user, skip this step, as this list does not appear.
  3. Click Create Project.
  4. In the New Project window that appears, enter a project name and select a billing account as applicable. A project name can contain only letters, numbers, single quotes, hyphens, spaces, or exclamation points, and must be between 4 and 30 characters.
  5. Enter the parent organization or folder in the Location box. That resource will be the hierarchical parent of the new project.
  6. When you’re finished entering new project details, click Create.

Create your GCE instance

  1. In the Google Cloud Console, go to the VM instances page.
  2. Go to the VM instances page
  3. Select your project and click Continue.
  4. Click Create instance.
  5. Specify a Name for your instance.
  6. Select a Machine configuration for your instance. I recommend you to use f1-micro instance so you use your free tier
  7. In the Boot disk section, we will use the default Debian.
  8. In the Networking section, make sure you change the External IP to NONE and click in done.
  9. Don’t click on Allow HTTP traffic or Allow HTTPS traffic
  10. Left all other parameters as default.
  11. Click the Create button to create and start the instance.


You can try to ssh using the button below, but you will face Not Authorized even if you are the owner of the project

ssh button

This happens because the Owner role doesn’t have the iap.tunnelInstances.accessViaIAP permission, so let’s add this permission to our user.

Enable IAP

First, make sure you have the IAP API enable

  1. Go to the Cloud Console API Library.
  2. From the projects list, select the project you want to use.
  3. In the API Library, select the Cloud Identity-Aware Proxy API
  4. On the API page, click ENABLE if is still not.

Add IAP role to your user

  1. Go to IAM
  2. Grant the role IAP-Secured Tunnel User

→ You can check all IAP roles on this page as well.

SSHing again and check the magic!

You can try clicking the button ssh and use the terminal in the browser …

…or you can use gcloud from your terminal with the command

gcloud compute ssh — zone “<region>” “ssh-iap” — tunnel-through-iap — project “<project_ID>”

You can also see this command in the UI if you prefer just copy and paste

Clean UP

  1. Delete the instance
  2. Delete the project if you don’t intend to use it anymore.


IAP gives us the ability to keep our instance close to the internet and still ssh into it in a safe manner.

With the gcloud command, we don’t even need to create our own public/private key as the tool do all the work creating a new

You can check in your machine on ~/.ssh folder usually called google_compute_engine and also on GCE -> metadata -> ssh keys.

Let me know if you have any questions!




A collection of technical articles and blogs published or curated by Google Cloud Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.

Recommended from Medium

Background Synchronization

How to use filter(), map(), and reduce(), lambda expression in Python

How We Align Product Ideas with Software

How To Download Dev C++ In Laptop

How to install Rosetta2 on Apple M1

NFT FlokiCyberPunk collection

How to make pizza without an oven as a developer

Java Variables

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Felipe Martinez

Felipe Martinez

Brazilian Software Engineer living in London. Java addicted. Clean Code and Software craftsmanship Enthusiast. Cloud.

More from Medium

How did we set up the staging environment in MediBuddy ?

Introduction to Policy as Code

Cloud Security Posture Management with CloudGraph Api

How to reduce AWS EBS cost by 20%