Hello Community,

I’m running into an issue when trying to SSH into an IPv6-only VM via IAP from Cloud Shell. Below are the details of my setup and the exact error I see:

1. Environment & Networking Setup

• VM Name: instance-20250603-055433

• Zone: us-central1-c

• Subnet (IPv6-only):

  • Name: subnet-ipv6

  • Region: us-central1

  • stackType: IPV6_ONLY

  • externalIpv6Range: 2600:1900:4000:f5a7::/64

• VPC:

  • Name: vpc-ipv6

  • internalIpv6Range: fd20:8db:3abf::/48

  • IPv6 enabled (enableUlaInternalIpv6: true)

• Firewall Rule (IPv6 SSH):

  • Name: ipv6-allow-ssh

  • Direction: INGRESS

  • Allowed: tcp:22

  • Source Ranges: ::/0

  • Target Tags: ipv6-ssh

My VM’s network interface shows only a global IPv6 (no IPv4):
networkInterfaces:
subnetwork: subnet-ipv6
ipv6Address: 2600:1900:4000:f5a7:0:1:0:0
ipv6AccessType: EXTERNAL
stackType: IPV6_ONLY

The tag ipv6-ssh is applied to the VM, so the firewall should allow SSH over IPv6.

1. What I’m Trying to Do
   Because Cloud Shell itself is IPv4-only and cannot reach an IPv6-only address directly, I want to use IAP-tunneling from Cloud Shell to SSH into the VM. In other words, I’m running:
   gcloud compute ssh instance-20250603-055433 --zone us-central1-c --tunnel-through-iap

2. The Exact Error
   When I run the above command in Cloud Shell, I immediately get:
   WARNING:
   To increase the performance of the tunnel, consider installing NumPy. ...
   ERROR: [0] Error during local connection to [stdin]: Error while connecting [4047: 'Failed to lookup instance'].
   Traceback (most recent call last):
   File ".../compute/iap_tunnel.py", line 775, in RunReceiveLocalData
   websocket_conn = self._InitiateConnection(
   ^^^^^^^^^^^^^^^^^^^^^^^^^
   File ".../compute/iap_tunnel.py", line 744, in _InitiateConnection
   new_websocket.InitiateConnection()
   File ".../compute/iap_tunnel_websocket.py", line 152, in InitiateConnection
   self._WaitForOpenOrRaiseError()
   File ".../compute/iap_tunnel_websocket.py", line 444, in _WaitForOpenOrRaiseError
   raise ConnectionCreationError(error_msg)
   googlecloudsdk.api_lib.compute.iap_tunnel_websocket.ConnectionCreationError: Error while connecting [4047: 'Failed to lookup instance'].
   Connection closed by UNKNOWN port 65535

ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

1. What I’ve Verified

• VM is running and reachable via IPv6 from a dual-stack bastion host:
  • I created a separate dual-stack “bastion” VM in the same VPC (with both IPv4 and IPv6).
  • From the bastion, ping6 google.com works, and I can successfully ssh -6 ubuntu@[2600:1900:4000:f5a7:0:1:0:0] into my IPv6-only VM.
  • So the VM itself, its firewall rule, and the SSH daemon are all working correctly over IPv6.

• IAP is enabled correctly:
  • I have the IAP API enabled in my project.
  • My user account has the Compute IAM roles needed for IAP tunneling.

• OS Login / SSH keys:
  • I disabled OS Login on the IPv6-only VM and manually added my public key to instance metadata under ssh-keys.
  • I’ve confirmed /home/ubuntu/.ssh/authorized_keys on the VM contains my public key.

• Firewall and tags:
  • The firewall rule ipv6-allow-ssh targets tag ipv6-ssh.
  • The VM’s tags.items definitely includes ipv6-ssh.

1. Why I think IAP is failing
   Because the IPv6-only VM has no internal or external IPv4 at all, IAP’s TCP-forwarding cannot lookup or connect to the instance. IAP expects to use the VM’s internal IPv4 for the tunnel endpoint. There is no IPv4 address, hence “Failed to lookup instance.”

2. My Question

• Is there any way to SSH to an IPv6-only VM using --tunnel-through-iap?

• Or is IAP strictly limited to VMs that have at least an internal IPv4?

• If it’s not supported, what is Google’s recommended approach for an IPv6-only VM when my client is IPv4-only (like Cloud Shell)?

Right now I’m relying on an intermediate dual-stack bastion as a workaround, but I’d love to know if Google Cloud has a more direct solution. Any guidance would be greatly appreciated!

Thank you in advance for your help.