Enable Browser Based SSH in GCP

Sometimes it's handy to use the browser-based SSH in GCP when you're setting up a compute instance. By default, a firewall rule called "default-allow-ssh" is created for your project. It allows SSH from anywhere by specifying an allowed IP range of 0.0.0.0/0. This allows the browser-based SSH to work, as well as authenticated SSH requests from any source IP. To make this more secure, you can remove the IP range of 0.0.0.0/0 and add your own IP. The problem is that doing so breaks the browser-based SSH tool.

To allow the browser-based SSH to work, you just have to add the IP range for GCP's IAP TCP forwarding.

Click the ">_" icon in the top right of your GCP console to activate Cloud Shell.

Next, run this command, which adds the IP range that allows incoming traffic from Identity-Aware Proxy so the browser-based SSH can work. This creates a new rule called "allow-ssh-ingress-from-iap".

gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
  --direction=INGRESS \
  --action=allow \
  --rules=tcp:22 \
  --source-ranges=35.235.240.0/20

Reference: Using IAP for TCP forwarding | Identity-Aware Proxy | Google Cloud
