1. Allow incoming connections from the internet on port 22 on the VMs for SSH. 2. Ensure the VMs have public IP.

1. Allow ingress traffic from the IP range 35.235.240.0/20 on port 22. 2. Use the gcloud compute ssh command with the --tunnel-through-iap flag.

Provide remote access to the instances using a third-party tool.

1. Create a bastion host with public internet access. 2. Create the SSH tunnel to the instance through the bastion host.