I am not sure if is a strange behavior of Google Compute Engine. I have a VM without External IP. Now, where I click the ssh button I can still connect to it and I see the log:
External IP address was not found; defaulting to using IAP tunneling.
I have not configured any IAP though. So how can that be possible? Is then IAP tunnelling always on?
Identity Aware Proxy is a managed Google Cloud service. This service is always running. Access is controlled through IAM roles. The CLI is connecting to an IAP endpoint, requesting the creation of a TCP tunnel and then forwarding traffic to your instance via this tunnel.