Connect to a TPU VM without a public IP address

If your organization has a constraints/compute.vmExternalIpAccess organization policy constraint, you need to create TPU VMs that don't have an external IP address. To connect to a TPU VM without an external IP address, you need to:

  1. Enable Private Google Access for the subnet where you will create a TPU VM.
  2. Grant roles/iap.tunnelResourceAccessor and roles/tpu.admin to users who will connect to the TPU VMs.
  3. Create a TPU VM without a public IP address.
  4. Connect to your TPU VM using the --tunnel-through-iap option.

Enable Private Google Access

To use IAP, you must enable Private Google Access, which lets you connect to VMs that don't have external IP addresses. In the following command, replace your-subnet with the name of the subnet where you will create the TPU VM and your-region with the region where the TPU VM will be located.

gcloud compute networks subnets update your-subnet \
--region=your-region \
--enable-private-ip-google-access

Grant permissions

Users who need to connect using SSH to TPU VMs that don't have public IP addresses must be granted the iap.tunnelResourceAccessor role. For more information about granting a role, see Granting an IAM Role.
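To review who actually holds the two roles named in step 2, the following added example (not part of the original page) audits a project IAM policy exported with gcloud projects get-iam-policy your-project --format=json. It assumes the roles are bound at project level; the policy below is a constructed sample and audit_tpu_iap_access is a hypothetical helper name.

```python
import json

# The two roles the page says users need to reach a TPU VM through IAP.
REQUIRED = {"roles/iap.tunnelResourceAccessor", "roles/tpu.admin"}
# Principals that stand for "anyone"; they should never hold these roles.
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample, shaped like the JSON output of get-iam-policy.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iap.tunnelResourceAccessor",
     "members": ["user:alice@example.com", "user:bob@example.com",
                 "allAuthenticatedUsers"]},
    {"role": "roles/tpu.admin",
     "members": ["user:alice@example.com", "group:ml-team@example.com"]},
    {"role": "roles/viewer", "members": ["user:carol@example.com"]}
  ]
}
""")


def audit_tpu_iap_access(policy):
    """Return (ready, partial, public) for the two required roles.

    Only direct bindings are read: group membership is not expanded and
    conditional bindings are counted as granted.
    """
    held = {}  # member -> set of required roles bound to it
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in REQUIRED:
            continue
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(role)

    public = sorted(m for m in held if m in PUBLIC)
    ready = sorted(m for m, r in held.items()
                   if r == REQUIRED and m not in PUBLIC)
    partial = {m: sorted(REQUIRED - r) for m, r in held.items()
               if r != REQUIRED and m not in PUBLIC}
    return ready, partial, public


if __name__ == "__main__":
    ready, partial, public = audit_tpu_iap_access(SAMPLE_POLICY)
    print("Hold both roles:", ready)
    for member, missing in sorted(partial.items()):
        print(f"{member} is missing {missing}")
    print("Public principals holding a required role:", public)
```

Members listed as partial cannot complete the connection step with direct bindings alone, and any entry in the public list means the role is granted far more widely than the users who need it.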

Create a TPU VM without a public IP address

The following command shows how to create a TPU VM with no public IP address.

gcloud compute tpus tpu-vm create tpu-vm-name \
  --zone $ZONE \
  --project your-project \
  --internal-ips \
  --version tpu-vm-tf-2.17.1-pjrt \
  --accelerator-type v2-8 \
  --subnetwork your-subnet

Connect to your TPU VM using SSH with IAP tunneling

The following command shows how to connect to a TPU VM using IAP tunneling.

gcloud alpha compute tpus tpu-vm ssh tpu-vm-name --tunnel-through-iap