google-cloud-platform google-compute-engine google-iap

Can you force SSH in browser to tunnel through IAP for instances with an external IP?


I have some Compute Engine instances with external IPs that have firewall rules blocking SSH. These instances also have internal IPs that have firewall rules whitelisting SSH for the IAP netblock (although the IAP help in the console incorrectly says I need to add a rule due to not enough resource, but I digress).

A related comment seems to indicate that SSH in browser will not use IAP if there's an external IP, but I wasn't sure if there was a workaround.

I can use the Google Cloud SDK to SSH into the instances with gcloud compute ssh <instance> --tunnel-through-iap; however, is there a way to force the same via the browser so I can easily log in on the go?


Solution

  • The related comment is correct.

    The document on ‘Using Cloud IAP for TCP forwarding’ describes that you can only use the SSH button in the GCP Console if the VM is configured to only have an internal IP.

    There isn’t a workaround for the scenario you described, but you can always check out advanced SSH methods should they work better for you.