An instance contains a bootloader, a boot file system, and an OS image. This document explains how to create an instance from a public OS image. If you are creating an Arm instance, then choose an OS image that is Arm-compatible.
Some images support Shielded VM features, which offer security features such as UEFI-compliant firmware, Secure Boot, and vTPM-protected Measured Boot. On Shielded VMs, vTPM and integrity monitoring are enabled by default.
Before you begin
- When creating instances from images by using the Google Cloud CLI or the Compute Engine API, there's a limit of 20 instances per second. If you need to create a higher number of instances per second, request a higher quota limit for the Images resource.
- If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
- Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
- If you are bringing an existing license for your image, see Bringing your own licenses.
Required roles
To get the permission that you need to create an instance from a public image, ask your administrator to grant you the Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1) IAM role on the project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the compute.instances.create permission, which is required to create an instance from a public image.
You might also be able to get this permission with custom roles or other predefined roles.
View a list of public images available on Compute Engine
Before you create an instance by using a public image, review the list of public images that are available on Compute Engine.
For more information about the features available with each public image, see Feature support by operating system.
Console
In the Google Cloud console, go to the Images page.
gcloud
Run the following command:
gcloud compute images list
Make a note of the name of the image or image family and the name of the project containing the image.
Optional: To determine whether the image supports Shielded VM features, run the following command:
gcloud compute images describe IMAGE_NAME \
    --project=IMAGE_PROJECT
Replace the following:
- IMAGE_NAME: name of the image to check for support of Shielded VM features
- IMAGE_PROJECT: project containing the image
If the image supports Shielded VM features, the following line appears in the output:
type: UEFI_COMPATIBLE
C#
Before trying this sample, follow the C# setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine C# API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
Before trying this sample, follow the Go setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine Go API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
Before trying this sample, follow the Java setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine Java API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
Before trying this sample, follow the Node.js setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine Node.js API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
PHP
Before trying this sample, follow the PHP setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine PHP API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
Before trying this sample, follow the Python setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine Python API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Ruby
Before trying this sample, follow the Ruby setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine Ruby API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST
Run the following command:
GET https://compute.googleapis.com/compute/v1/projects/IMAGE_PROJECT/global/images/
Make a note of the name of the image or image family and the name of the project containing the image.
Optional: To determine whether the image supports Shielded VM features, run the following command:
GET https://compute.googleapis.com/compute/v1/projects/IMAGE_PROJECT/global/images/IMAGE_NAME
Replace the following:
- IMAGE_PROJECT: project containing the image
- IMAGE_NAME: name of the image to check for support of Shielded VM features
If the image supports Shielded VM features, the following line appears in the output:
type: UEFI_COMPATIBLE
Create a VM instance from a public image
Google, open source communities, and third-party vendors provide and maintain public OS images. By default, all Google Cloud projects can create VMs from public OS images. However, if your Google Cloud project has a defined list of trusted images, you can use only the images on that list to create a VM.
If you create a Shielded VM image with a local SSD, you can't shield data with integrity monitoring or the virtual Trusted Platform Module (vTPM).
Console
In the Google Cloud console, go to the Create an instance page.
If prompted, select your project and click Continue. The Create an instance page appears and displays the Machine configuration pane.
In the Machine configuration pane, do the following:
- In the Name field, specify a name for your VM. For more information, see Resource naming convention.
Optional: In the Zone field, select a zone for this VM.
The default selection is Any. If you don't change this default selection, then Google automatically chooses a zone for you based on machine type and availability.
Select the machine family for your VM. The Google Cloud console then displays the machine series that are available for your selected machine family. The following machine family options are available:
- General purpose
- Compute optimized
- Memory optimized
- Storage optimized
- GPUs
In the Series column, select the machine series for your VM.
If you selected GPUs as the machine family in the previous step, then select the GPU type that you want. The machine series is then automatically selected for the selected GPU type.
In the Machine type section, select the machine type for your VM.
In the navigation menu, click OS and storage. In the Operating system and storage pane that appears, configure your boot disk by doing the following:
- Click Change. The Boot disk pane appears and displays the Public images tab.
- In the Operating system list, select the OS type.
- In the Version list, select the OS version.
- In the Boot disk type list, select the type of the boot disk.
- In the Size (GB) field, specify the size of the boot disk.
- Optional: For advanced configuration options, expand the Show advanced configurations section.
- To confirm your boot disk options and return to the Operating system and storage pane, click Select.
In the navigation menu, click Networking. In the Networking pane that appears, do the following:
- Go to the Firewall section.
- To permit HTTP or HTTPS traffic to the VM, select Allow HTTP traffic or Allow HTTPS traffic.
Compute Engine adds a network tag to your VM and creates the corresponding ingress firewall rule that allows all incoming traffic on tcp:80 (HTTP) or tcp:443 (HTTPS). The network tag associates the firewall rule with the VM. For more information, see Firewall rules overview in the Cloud Next Generation Firewall documentation.
Optional: If you chose an OS image that supports Shielded VM features, you can modify the Shielded VM settings.
To do so, in the navigation menu, click Security. In the Security pane that appears, you can configure the following:
- To turn on Secure Boot, select the Turn on Secure Boot checkbox. Secure Boot is disabled by default.
- To turn off vTPM, clear the Turn on vTPM checkbox. vTPM is enabled by default. Disabling vTPM also disables integrity monitoring because integrity monitoring relies on data gathered by Measured Boot.
- To turn off integrity monitoring, clear the Turn on Integrity Monitoring checkbox. Integrity monitoring is enabled by default.
Optional: Specify other configuration options. For more information, see Configuration options during instance creation.
To create and start the VM, click Create.
gcloud
- Select a public image. Make a note of the name of the image or image family and the name of the project containing the image.
Use the gcloud compute instances create command to create a VM from an image family or from a specific version of an OS image.
If you specify the optional --shielded-secure-boot flag, Compute Engine creates a VM with all three of the Shielded VM features enabled: Secure Boot, vTPM, and integrity monitoring.
After Compute Engine starts your VM, you must stop the VM to modify Shielded VM options.
gcloud compute instances create VM_NAME \
    --zone=ZONE \
    --image-project=IMAGE_PROJECT \
    IMAGE_FLAG \
    --machine-type=MACHINE_TYPE
Replace the following:
- VM_NAME: name of the new VM
- ZONE: zone to create the instance in
- IMAGE_PROJECT: the project that contains the image
- IMAGE_FLAG: specify one of the following:
  - Use the --image IMAGE_NAME flag to specify a specific version of a public image. For example, --image debian-12-bookworm-v20241112.
  - Use the --image-family IMAGE_FAMILY_NAME flag to specify an image family. This creates the VM from the most recent, non-deprecated OS image in the image family. For example, if you specify --image-family debian-12, Compute Engine uses the latest version of the OS image in the Debian 12 image family.
- MACHINE_TYPE: machine type for the new VM, which can be a predefined machine type or a custom machine type. To get a list of the machine types available in a zone, use the gcloud compute machine-types list command with the --zones flag.
Verify that Compute Engine created the VM:
gcloud compute instances describe VM_NAME
Replace VM_NAME with the name of the VM.
Terraform
To create a VM, you can use the google_compute_instance resource.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
To generate the Terraform code, you can use the Equivalent code component in the Google Cloud console.
- In the Google Cloud console, go to the VM instances page.
- Click Create instance.
- Specify the parameters you want.
- At the top or bottom of the page, click Equivalent code, and then click the Terraform tab to view the Terraform code.
C#
Before trying this sample, follow the C# setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine C# API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
Before trying this sample, follow the Go setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine Go API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
Before trying this sample, follow the Java setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine Java API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
Before trying this sample, follow the Node.js setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine Node.js API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
PHP
Before trying this sample, follow the PHP setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine PHP API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
Before trying this sample, follow the Python setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine Python API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Ruby
Before trying this sample, follow the Ruby setup instructions in the Compute Engine quickstart using client libraries. For more information, see the Compute Engine Ruby API reference documentation.
To authenticate to Compute Engine, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST
- Select a public image. Make a note of the name of the image or image family and the name of the project containing the image.
Use the instances.insert method to create a VM from an image family or from a specific version of an OS image:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
{
  "machineType": "zones/MACHINE_TYPE_ZONE/machineTypes/MACHINE_TYPE",
  "name": "VM_NAME",
  "disks": [
    {
      "initializeParams": {
        "sourceImage": "projects/IMAGE_PROJECT/global/images/IMAGE"
      },
      "boot": true
    }
  ],
  "networkInterfaces": [
    {
      "network": "global/networks/NETWORK_NAME"
    }
  ],
  "shieldedInstanceConfig": {
    "enableSecureBoot": "ENABLE_SECURE_BOOT"
  }
}
Replace the following:
- PROJECT_ID: ID of the project to create the VM in
- ZONE: zone to create the VM in
- MACHINE_TYPE_ZONE: zone containing the machine type to use for the new VM
- MACHINE_TYPE: machine type, predefined or custom, for the new VM
- VM_NAME: name of the new VM
- IMAGE_PROJECT: project containing the image. For example, if you specify debian-10 as the image family, specify debian-cloud as the image project.
- IMAGE: specify one of the following:
  - IMAGE: a specific version of a public image. For example, "sourceImage": "projects/debian-cloud/global/images/debian-10-buster-v20200309"
  - IMAGE_FAMILY: an image family. This creates the VM from the most recent, non-deprecated OS image. For example, if you specify "sourceImage": "projects/debian-cloud/global/images/family/debian-10", Compute Engine creates a VM from the latest version of the OS image in the Debian 10 image family.
- NETWORK_NAME: the VPC network that you want to use for the VM. You can specify default to use your default network.
- ENABLE_SECURE_BOOT: Optional: If you chose an image that supports Shielded VM features, Compute Engine, by default, enables the virtual trusted platform module (vTPM) and integrity monitoring. Compute Engine does not enable Secure Boot by default. If you specify true for enableSecureBoot, Compute Engine creates a VM with all three Shielded VM features enabled. After Compute Engine starts your VM, to modify Shielded VM options, you must stop the VM.
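A pre-flight review of an instances.insert request body against the points this page makes about trusted images, image families, Shielded VM defaults, and local SSDs, written in Python as an added example (it is not part of the original page or Google's samples). The trusted-project allowlist, the function names, and the sample request are assumptions; enableVtpm, enableIntegrityMonitoring, and the SCRATCH disk type are Compute Engine API fields that the request above does not show.

```python
import json
import re

# Assumption: stand-in for the project's trusted image list (not from the page).
TRUSTED_IMAGE_PROJECTS = {"debian-cloud"}

# Matches the sourceImage forms shown above, with or without the API host prefix.
SOURCE_IMAGE = re.compile(
    r"^(?:https://compute\.googleapis\.com/compute/v1/)?"
    r"projects/(?P<project>[^/]+)/global/images/(?P<family>family/)?(?P<name>[^/]+)$"
)


def image_supports_shielded_vm(image):
    """True if an images.get response lists the UEFI_COMPATIBLE feature type."""
    return any(f.get("type") == "UEFI_COMPATIBLE"
               for f in image.get("guestOsFeatures", []))


def review_insert_request(body, image=None, trusted=TRUSTED_IMAGE_PROJECTS):
    """Return findings for an instances.insert body; an empty list means clean."""
    findings = []
    disks = body.get("disks", [])
    boot = next((d for d in disks if d.get("boot")), {})
    source = boot.get("initializeParams", {}).get("sourceImage", "")
    match = SOURCE_IMAGE.match(source)
    if match is None:
        findings.append("boot disk has no parseable sourceImage")
    else:
        if match["project"] not in trusted:
            findings.append(f"image project '{match['project']}' is not trusted")
        if match["family"]:
            findings.append(f"family '{match['name']}' resolves to the most recent "
                            "non-deprecated image at creation time")

    shielded = body.get("shieldedInstanceConfig", {})
    # The page's template quotes the placeholder, so accept true and "true".
    secure_boot = shielded.get("enableSecureBoot") in (True, "true")
    if not secure_boot:
        findings.append("Secure Boot is off (Compute Engine's default)")
    elif image is not None and not image_supports_shielded_vm(image):
        findings.append("Secure Boot requested but image is not UEFI_COMPATIBLE")
    # enableVtpm / enableIntegrityMonitoring are the API's sibling fields.
    if shielded.get("enableVtpm") is False:
        findings.append("vTPM is off, which also disables integrity monitoring")
    elif shielded.get("enableIntegrityMonitoring") is False:
        findings.append("integrity monitoring is off")
    # Local SSDs are attached as SCRATCH disks in the API.
    if any(d.get("type") == "SCRATCH" for d in disks):
        findings.append("local SSD data is not covered by integrity monitoring or vTPM")
    return findings


# Constructed sample request and image resource, for illustration only.
SAMPLE_REQUEST = json.loads("""
{
  "name": "example-vm",
  "machineType": "zones/us-central1-a/machineTypes/e2-medium",
  "disks": [
    {"boot": true, "initializeParams": {
      "sourceImage": "projects/debian-cloud/global/images/family/debian-10"}},
    {"type": "SCRATCH", "initializeParams": {"diskType": "zones/us-central1-a/diskTypes/local-ssd"}}
  ],
  "networkInterfaces": [{"network": "global/networks/default"}],
  "shieldedInstanceConfig": {"enableSecureBoot": false}
}
""")
SAMPLE_IMAGE = {"name": "debian-10-buster-v20200309",
                "guestOsFeatures": [{"type": "UEFI_COMPATIBLE"}]}

if __name__ == "__main__":
    for finding in review_insert_request(SAMPLE_REQUEST, SAMPLE_IMAGE):
        print("-", finding)
```

Pass the parsed output of gcloud compute images describe with --format=json as the image argument to cross-check a Secure Boot request against the image's UEFI_COMPATIBLE feature.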
Create a bare metal instance from a public image
Google, open source communities, and third-party vendors provide and maintain public OS images. By default, all Google Cloud projects can create bare metal instances using supported public OS images. However, if your Google Cloud project has a defined list of trusted images, you can use only the images on that list to create a bare metal instance.
Console
In the Google Cloud console, go to the Create an instance page.
If prompted, select your project and click Continue. The Create an instance page appears and displays the Machine configuration pane.
In the Machine configuration pane, do the following:
- In the Name field, specify a name for your instance. For more information, see Resource naming convention.
Optional: In the Zone field, select a zone for this instance. If you choose a zone that doesn't have any available bare metal servers, you are prompted to choose a different zone.
The default selection is Any. If you don't change this default selection, then Google automatically chooses a zone for you based on machine type and availability.
Select your machine family and series by doing one of the following:
- For C3 bare metal series, select General purpose as the machine family and then, in the Series column, select C3.
- For X4 bare metal series, select Memory optimized as the machine family and then, in the Series column, select X4.
In the Machine type section, click the list. In the filter menu, type in metal and then select one of the available machine types.
In the navigation menu, click OS and storage. In the Operating system and storage pane that appears, configure your boot disk by doing the following:
- Click Change. The Boot disk pane appears and displays the Public images tab.
- In the Operating system list, select the OS type.
- In the Version list, select the OS version.
- In the Boot disk type list, select the type of the boot disk.
- In the Size (GB) field, specify the size of the boot disk.
- Optional: For Hyperdisk Balanced boot disks, specify values for the Provisioned IOPS and Provisioned throughput fields.
- Optional: For advanced configuration options, expand the Show advanced configurations section.
To confirm your boot disk options and return to the Operating system and storage pane, click Select.
In the navigation menu, click Networking. In the Networking pane that appears, do the following:
- Go to the Firewall section.
- To permit HTTP or HTTPS traffic to the instance, select Allow HTTP traffic or Allow HTTPS traffic.
Compute Engine adds a network tag to your instance and creates the corresponding ingress firewall rule that allows all incoming traffic on tcp:80 (HTTP) or tcp:443 (HTTPS). The network tag associates the firewall rule with the instance. For more information, see Firewall rules overview in the Cloud Next Generation Firewall documentation.
- In the Network performance configuration section, verify that the Network interface card field is set to IDPF.
In the navigation menu, click Advanced. In the Advanced pane that appears, do the following:
- Expand the VM provisioning model advanced settings section. Verify that the On host maintenance field is set to Terminate instance.
Optional. Specify any other configuration parameters of your choice. For more information about custom configuration options, see Create and start an instance.
To create and start the bare metal instance, click Create.
gcloud
- Select a public image that supports bare metal instances. Make a note of the name of the image or image family and the name of the project containing the image.
Use the gcloud compute instances create command to create a bare metal instance from an image family or from a specific version of an OS image.
gcloud compute instances create INSTANCE_NAME \
    --zone=ZONE \
    --machine-type=MACHINE_TYPE \
    --network-interface=nic-type=IDPF \
    --maintenance-policy=TERMINATE \
    --create-disk=boot=yes,type=hyperdisk-balanced,image=projects/IMAGE_PROJECT/global/images/IMAGE,provisioned-iops=IOPS,provisioned-throughput=THROUGHPUT,size=SIZE \
    --no-shielded-secure-boot
Replace the following:
- INSTANCE_NAME: a name for the new bare metal instance
- ZONE: zone to create the bare metal instance in
- MACHINE_TYPE: the bare metal machine type to use for the instance. The name of the machine type must end in -metal. To get a list of the machine types available in a zone, use the gcloud compute machine-types list command with the --zones flag.
- IMAGE_PROJECT: the image project that contains the image
- IMAGE: specify one of the following:
  - A specific version of the OS image, for example, sles-15-sp4-sap-v20240208-x86-6.
  - An image family, which must be formatted as family/IMAGE_FAMILY. This creates the instance from the most recent, non-deprecated OS image. For example, if you specify family/sles-15-sp4-sap, Compute Engine creates a bare metal instance from the latest version of the OS image in the SUSE Linux Enterprise Server 15 SP4 image family. For more information about using image families, see Image families best practices.
- IOPS: Optional: the highest number of I/O operations per second (IOPS) that the disk can handle.
- THROUGHPUT: Optional: an integer that represents the highest throughput, measured in MiB per second, that the disk can handle.
- SIZE: Optional: the size of the new disk. The value must be a whole number. The default unit of measurement is GiB.
Verify that Compute Engine created the instance:
gcloud compute instances describe INSTANCE_NAME
Replace INSTANCE_NAME with the name of the new instance.
REST
- Select a public image that supports bare metal instances. Make a note of the name of the image or image family and the name of the project containing the image.
Use the instances.insert method to create a bare metal instance from an image family or from a specific version of an OS image:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
{
  "machineType": "projects/PROJECT_ID/zones/MACHINE_TYPE_ZONE/machineTypes/MACHINE_TYPE",
  "name": "INSTANCE_NAME",
  "disks": [
    {
      "boot": true,
      "initializeParams": {
        "diskSizeGb": "DISK_SIZE",
        "diskType": "hyperdisk-balanced",
        "provisionedIops": "IOPS_LIMIT",
        "provisionedThroughput": "THROUGHPUT_LIMIT",
        "sourceImage": "projects/IMAGE_PROJECT/global/images/IMAGE"
      }
    }
  ],
  "networkInterfaces": [
    {
      "nicType": "IDPF"
    }
  ],
  "scheduling": {
    "onHostMaintenance": "TERMINATE"
  }
}
Replace the following:
- PROJECT_ID: ID of the project to create the bare metal instance in
- ZONE: zone to create the bare metal instance in
- MACHINE_TYPE_ZONE: zone that contains the machine type to use for the new bare metal instance
- MACHINE_TYPE: the machine type to use for the instance. The name of the machine type must end in -metal.
- INSTANCE_NAME: name of the new instance
- DISK_SIZE: disk size in GiB
- IOPS_LIMIT: the number of I/O operations per second that you want to provision for the disk.
- THROUGHPUT_LIMIT: an integer that represents the throughput, measured in MB per second, that you want to provision for the disk.
- IMAGE_PROJECT: the image project that contains the image
- IMAGE: specify one of the following:
  - A specific version of the OS image, for example, sles-15-sp4-sap-v20240208-x86-6.
  - An image family, which must be formatted as family/IMAGE_FAMILY. This creates the instance from the most recent, non-deprecated OS image. For example, if you specify family/sles-15-sp4-sap, Compute Engine creates a bare metal instance from the latest version of the OS image in the SUSE Linux Enterprise Server 15 SP4 image family. For more information about using image families, see Image families best practices.
What's next
- Learn more about images.
- Learn how to check the status of an instance to see when it is ready to use.
- Learn how to connect to your instance.