If you have created private Google Kubernetes Engine clusters for security reasons, you may still need to SSH into the nodes from time to time. Luckily, Google Cloud provides Identity-Aware Proxy (IAP) tunnelling via gcloud, so you do not need a VPN connection to the VPC the cluster resides within.
However, for this to work you will need to create a firewall rule that targets your GKE nodes using the network tags applied to the cluster.
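
The firewall rule described above, as an added example rather than the author's own command: it builds the gcloud command that allows SSH only from Google's IAP TCP forwarding range (35.235.240.0/20) to the tagged nodes, and includes a check for auditing a rule's source ranges. The rule name, network name and node tag are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. The rule name, network and tag
# below are hypothetical placeholders; substitute your cluster's own values.

# Source range Google documents for IAP TCP forwarding.
IAP_RANGE="35.235.240.0/20"

# Succeed only if every source range in a comma- or semicolon-separated list
# is the IAP range, so a rule that also admits 0.0.0.0/0 is flagged.
ranges_are_iap_only() {
  [ -n "$1" ] || return 1
  _old_ifs=$IFS
  IFS=',;'
  for _r in $1; do
    if [ "$_r" != "$IAP_RANGE" ]; then
      IFS=$_old_ifs
      return 1
    fi
  done
  IFS=$_old_ifs
  return 0
}

# Print the gcloud command that allows tcp:22 from IAP to instances carrying
# the given network tag. Arguments are limited to lowercase letters, digits
# and hyphens so nothing can smuggle extra flags into the command.
iap_ssh_rule_cmd() {
  _project=$1 _network=$2 _tag=$3
  for _v in "$_project" "$_network" "$_tag"; do
    case $_v in
      ''|*[!a-z0-9-]*) echo "invalid or missing argument: '$_v'" >&2; return 2 ;;
    esac
  done
  printf '%s\n' "gcloud compute firewall-rules create allow-iap-ssh-gke-nodes \
--project=$_project --network=$_network --direction=INGRESS --action=allow \
--rules=tcp:22 --source-ranges=$IAP_RANGE --target-tags=$_tag"
}

# Dry run: prints the command for review instead of executing it.
iap_ssh_rule_cmd staging-123456 example-vpc example-gke-node-tag
```

To audit an existing rule, pass its source ranges to ranges_are_iap_only; a non-zero exit status means the rule admits traffic from somewhere other than IAP.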

Once the firewall rule is applied, you should be able to SSH into any node in the cluster using gcloud:
$ gcloud compute ssh andrew.kirkpatrick@gke-node --project=staging-123456 --zone=us-central1-d
External IP address was not found; defaulting to using IAP tunneling.
Welcome to Kubernetes v1.16.13-gke.401!