start-iap-tunnel to an interface other than the default nic0

[Greg Hodgins]

Please forgive me if I have duplicated a post, but I can't find the post I thought I'd made.

gcloud beta has an option to start-iap-tunnel specifying a  --network-interface, in order to allow the connection to be made to an interface on the VM other than the default nic0.  I cannot get it to work.  Starting the tunnel just results in:

Testing if tunnel connection works.

ERROR: (gcloud.beta.compute.start-iap-tunnel) Unexpected error while connecting. Check logs for more details.

An example command is below.

gcloud beta --project $project-name compute start-iap-tunnel $instance_name 3389  --local-host-port=localhost:3390 --network-interface="nic1"

I've had similar issues and found them related to FW rules, but I am pretty certain I've covered all that.

Has anyone successfully started a tunnel to anything other than the default nic0?

Thanks.

[James (Google Cloud Platform Support)]

Hello Greg,

Thanks for reporting this issue. 

I am able to reproduce the exact same issue in my tests here and we are currently working on this problem right now. It will take some time to look into but I will follow up on this thread once I have more news next week.

[James (Google Cloud Platform Support)]

Hello Greg,

I just wanted to let you know that we have filed an issue for this on our Public Issue forum[1] and you can follow the progress of the investigation from the link below.

[1] https://issuetracker.google.com/130529845 

[Greg Hodgins]

Thanks James.  It's been a couple months and no activity reported.  I just tried again and don't see any change.  In fact, it looks like the option has been removed from documentation. 

[Kamelia Y]

Hello Greg, 

Regarding the error message “ERROR: (gcloud.beta.compute.start-iap-tunnel) Unexpected error while connecting. Check logs for more details.” I have reached out to the networking team, you need to remove --network-interface flag from start-iap-tunnel.

Any value passed to this flag except the default (nic0) has always been completely broken (connection failed). This product still in beta feature and it might be changed in backward-incompatible ways. This option is not on the documentation (command) anymore.

[Greg Hodgins]

Hi Kamelia, 

I understand the option doesn't work.  I am not having trouble using IAP tunnels to nic0.  

The question is, when is the feature coming?  IAP to other interfaces is a desirable feature.  Currently we have to employ a jump box to work around this deficiency.  

It was clearly considered at one point as the documentation did detail the option.  Now it is removed.  I understand that is within Google's right to do just that, BUT the feature is desired.  There was some expectation it would be coming, per above that included James creating an issue tracker.  So what I am really hoping for is an update that progress is actually being made on enabling this feature OR I guess a clear statement from Google that they don't see it as a valid feature - which I would consider unfortunate.

[James (Google Cloud Platform Support)]

Hello Greg,

For the moment, we decided to remove this feature from the documentation all together due to the state it is in and it being unusable right now. This product has not been launched to General Adoption just yet, so there are still changes occurring to it. We do understand this is functionality you are looking for and we have put in the feature request in for you. I have included the public link[1] that you can subscribe to where updates can be communicated through below.

[1] https://issuetracker.google.com/136274063