
iap access vm

How to access an Apache server running on port 80 on a VM with only an internal IP, through any means like IAP?


Hello @sudhir2944 ,

This link [1] contains all the information needed to enable and use IAP. Basically, you must grant IAP access for your user, add firewall rules, enable IAP for SSH in the IAM section and remove the public IP. However, if you don't have any VM with IAP and want to create one from scratch, this link [2] will help you.

1. https://cloud.google.com/iap/docs/enabling-compute-howto

2. https://cloud.google.com/iap/docs/tutorial-gce

cheers,

DamianS


Link 1 tells you how to enable IAP, add a principal, ensure the IAP-secured Web App User role, etc., and then it tells you to find the load balancer that serves the instance group you want to restrict access to. Link 1 does not tell you how to do this, so if you didn't set a load balancer up, you will need to go on to link 2.

Link 2 hasn't been updated in 2 years and has multiple errors, such as telling the user to go to Google Domains (no longer served by Google) and telling the user to use Debian Linux 9 (EOL 2022). These two guides are not applicable information for learning how to set up IAP, and especially not for internal: link 2 is external! Also: what if you did not want to enable SSH, because you wanted to block SSH connections and just allow port 80, for example? Doing the certbot VM and pointing a domain to the load balancer will not work if it is internal. No example of how to do this from what I can see.

Dear nc2,

1. Create a VPC firewall rule to open the port below:
Source: 35.235.240.0/20
Destination: Your VM with Apache Server Installed
Port: 80

2. Ensure that your VM does not have an additional OS-level/software firewall. If it does, open the port. Example: sudo ufw allow 80

3. In the local pc, install gcloud CLI https://cloud.google.com/sdk/docs/install

4. Log in to a user account with permission to access the VM with Apache Server installed. Ideally the user account has only the minimum permissions outlined here: https://cloud.google.com/iap/docs/using-tcp-forwarding#grant-permission

5. If you do not see the login screen, execute gcloud auth login

6. Change the current working project to the target project using gcloud config set core/project PROJECT_ID

7. Execute this command to start tunnelling into your VM:

gcloud compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT \
--local-host-port=localhost:LOCAL_PORT \
--zone=ZONE

https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_other_tcp_connections

Regards,
Izza
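The steps in the reply above, collected into one script as an added example (this is not Izza's script or Google's own tooling). It runs in dry-run mode by default and only prints the gcloud commands it would execute; the project, zone, instance, user, network and tag values are placeholders, the role roles/iap.tunnelResourceAccessor comes from the linked permission doc, and the CIDR guard is a pure-shell check added here so the firewall rule can never be created with a source wider than Google's IAP TCP-forwarding range 35.235.240.0/20. The rule opens tcp:80 only, which addresses the earlier question about not wanting to allow SSH at all.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values (assumptions):
# PROJECT_ID, ZONE, INSTANCE_NAME, USER_EMAIL, NETWORK, TAG, LOCAL_PORT.
# DRY_RUN=1 (default) prints the gcloud commands instead of running them.
set -eu

IAP_RANGE="35.235.240.0/20"                         # IAP TCP-forwarding source range (from the thread)
PROJECT_ID="${PROJECT_ID:-my-project-id}"           # placeholder
ZONE="${ZONE:-us-central1-a}"                       # placeholder
INSTANCE_NAME="${INSTANCE_NAME:-apache-internal}"   # placeholder: VM with only an internal IP
USER_EMAIL="${USER_EMAIL:-alice@example.com}"       # placeholder
NETWORK="${NETWORK:-default}"                       # placeholder
TAG="${TAG:-iap-http}"                              # placeholder network tag carried by the VM
LOCAL_PORT="${LOCAL_PORT:-8080}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# Dotted-quad IPv4 -> integer, using only POSIX sh arithmetic.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_within A/N B/M: succeed iff every address of A/N lies inside B/M.
cidr_within() {
  a_net=${1%/*}; a_len=${1#*/}
  b_net=${2%/*}; b_len=${2#*/}
  [ "$a_len" -ge "$b_len" ] || return 1               # a wider prefix cannot be contained
  mask=$(( (0xFFFFFFFF << (32 - b_len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$a_net") & mask )) -eq $(( $(ip_to_int "$b_net") & mask )) ]
}

# ip_in_cidr IP CIDR: succeed iff the single address lies inside CIDR.
ip_in_cidr() { cidr_within "$1/32" "$2"; }

# Step 1: ingress rule for tcp:80 only, from the IAP range only, to tagged VMs.
# The guard refuses anything broader than the IAP range (e.g. 0.0.0.0/0).
create_firewall_rule() {
  src="${1:-$IAP_RANGE}"
  cidr_within "$src" "$IAP_RANGE" || {
    echo "refusing: $src is wider than the IAP range $IAP_RANGE" >&2; return 1; }
  run gcloud compute firewall-rules create allow-iap-http \
    --project="$PROJECT_ID" --network="$NETWORK" --direction=INGRESS \
    --action=allow --rules=tcp:80 --source-ranges="$src" --target-tags="$TAG"
}

# Step 4: grant only the tunnel role from the linked doc, no SSH or OS Login roles.
grant_tunnel_access() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="user:$USER_EMAIL" --role=roles/iap.tunnelResourceAccessor
}

# Steps 5 and 6: authenticate and select the target project.
select_project() {
  run gcloud auth login
  run gcloud config set core/project "$PROJECT_ID"
}

# Step 7: forward localhost:LOCAL_PORT to the VM's port 80 through IAP.
start_tunnel() {
  run gcloud compute start-iap-tunnel "$INSTANCE_NAME" 80 \
    --local-host-port="localhost:$LOCAL_PORT" --zone="$ZONE"
}

main() {
  create_firewall_rule
  grant_tunnel_access
  select_project
  start_tunnel
  echo "Apache is reachable at http://localhost:$LOCAL_PORT while the tunnel runs"
}

main "$@"
```

Step 2 (the VM's own firewall, e.g. ufw) is not scripted here because it runs on the guest, not through gcloud. Run with DRY_RUN=0 once the placeholders point at a real project; the tunnel command keeps running in the foreground, so open the browser in a second shell.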