
When using Identity Aware Proxy to tunnel SSH traffic to a VM, the incoming traffic comes from an IP address in the range: 35.235.240.0/20.

If more than one user connects to a VM at the same time, does IAP reuse an IP address, or does it guarantee that each session will have a unique IP address associated with it?

For instance, if 5 users on the machine at once ran `who` themselves, would they possibly see the same IP in this output:

```
foo_user   pts/0        2021-01-27 18:18 (35.235.241.18)
```
Thomas Ruble
  • The answer is not published in any materials I know of. Given that IAP is a proxying service deployed globally, depending on IAP IP address knowledge or patterns would not be a good strategy. Edit your question with details on what you are trying to accomplish. – John Hanley Jan 27 '21 at 20:33
  • Each user will get one IP within the `35.235.240.0/20` range. If you want to identify which IP you were assigned once you logged into the GCE instance, you can use `w` instead of `who`, and your IP will be shown with a `w` at the end, as follows:

    ```
    $ w
     22:18:22 up 9 min,  5 users,  load average: 0.00, 0.01, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    foo_user pts/0    35.235.240.1     22:11    0.00s  0.00s  0.00s w
    ```

    Other users will be shown as `-bash` or their respective $SHELL. But it would be more helpful to have more context on this. – Raul Bautista Jan 27 '21 at 22:34
  • @RaulBautista - Do you have a link for your comment `Each user will get one IP`? – John Hanley Jan 27 '21 at 22:46
  • Related to the link [here](https://cloud.google.com/iap/docs/using-tcp-forwarding#create-firewall-rule) is the documentation about the IP range. – Raul Bautista Jan 27 '21 at 23:03

1 Answer


Got an answer elsewhere -- there is no guarantee that different users will connect via different IP addresses. It could be the case that simultaneous users tunneled in using the same IP address from the 35.235.240.0/20 range.

Thomas Ruble
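
As an added example (not part of the original post or of Google's documentation), the script below groups `who` sessions by source address inside the IAP range from the question and reports any address carrying more than one session, which is the case the answer says can occur. The sample `who` output, user names and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# IAP TCP forwarding source range, as stated in the question.
IAP_TCP_RANGE = ipaddress.ip_network("35.235.240.0/20")

# Constructed sample `who` output; users, ttys and addresses are made up.
SAMPLE_WHO = """\
foo_user   pts/0        2021-01-27 18:18 (35.235.241.18)
bar_user   pts/1        2021-01-27 18:19 (35.235.241.18)
baz_user   pts/2        2021-01-27 18:21 (35.235.240.7)
ops_user   pts/3        2021-01-27 18:25 (203.0.113.9)
root       tty1         2021-01-27 17:02
"""

# user, tty, "YYYY-MM-DD HH:MM", optional "(host)"
WHO_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?:\s+\((\S+)\))?\s*$"
)

def parse_who(text):
    """Yield (user, tty, login_time, source_ip or None) for each session."""
    for line in text.splitlines():
        m = WHO_LINE.match(line)
        if not m:
            continue
        user, tty, when, host = m.groups()
        try:
            ip = ipaddress.ip_address(host) if host else None
        except ValueError:
            ip = None  # hostname or X display, not a literal address
        yield user, tty, when, ip

def iap_sessions_by_ip(text):
    """Map each IAP-range source address to the sessions that arrived from it."""
    groups = defaultdict(list)
    for user, tty, _when, ip in parse_who(text):
        if ip is not None and ip in IAP_TCP_RANGE:
            groups[str(ip)].append((user, tty))
    return dict(groups)

def ambiguous_ips(text):
    """IAP addresses shared by several sessions: the IP alone cannot attribute them."""
    return {ip: s for ip, s in iap_sessions_by_ip(text).items() if len(s) > 1}

if __name__ == "__main__":
    for ip, sessions in ambiguous_ips(SAMPLE_WHO).items():
        print(f"{ip} is shared by {len(sessions)} sessions: {sessions}")
```

For audit or alerting, key on the login user and tty rather than on the source address.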