Connect to a TPU VM without a public IP address
If your organization has a constraints/compute.vmExternalIpAccess organization policy constraint, you need to create TPU VMs that don't have an external IP address. To connect to a TPU VM without an external IP address, you need to:
- Enable Private Google Access for the subnet where you will create a TPU VM.
- Grant roles/iap.tunnelResourceAccessor and roles/tpu.admin to users who will connect to the TPU VMs.
- Create a TPU VM without a public IP address.
- Connect to your TPU VM using the --tunnel-through-iap option.
Enable Private Google Access
To use IAP, you must enable Private Google Access, which lets you connect to VMs that don't have external IP addresses. In the following command, replace your-subnet with the name of the subnet where you will create the TPU VM and your-region with the region where the TPU VM will be located.
gcloud compute networks subnets update your-subnet \
  --region=your-region \
  --enable-private-ip-google-access
Grant permissions
Users who need to use SSH to connect to TPU VMs that don't have public IP addresses must be granted the iap.tunnelResourceAccessor role. For more information about granting a role, see Granting an IAM Role.
Create a TPU VM without a public IP address
The following command shows how to create a TPU VM with no public IP address.
gcloud compute tpus tpu-vm create tpu-vm-name \
  --zone $ZONE \
  --project your-project \
  --internal-ips \
  --version tpu-vm-tf-2.17.1-pjrt \
  --accelerator-type v2-8 \
  --subnetwork your-subnet
Connect to your TPU VM using SSH with IAP tunneling
The following command shows how to connect to a TPU VM using IAP tunneling.
gcloud alpha compute tpus tpu-vm ssh tpu-vm-name --tunnel-through-iap
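A preflight check for the prerequisites above, as an added example that is not part of the original documentation. It assumes you have saved the JSON output of `gcloud compute networks subnets describe your-subnet --region=your-region --format=json` and `gcloud projects get-iam-policy your-project --format=json`; the sample data, member names and function names are constructed for illustration. It inspects direct project-level bindings only, so roles granted through groups or inherited from a folder or organization are reported as missing.

```python
import json

# Roles this page says a connecting user needs.
REQUIRED_ROLES = ("roles/iap.tunnelResourceAccessor", "roles/tpu.admin")

# Constructed sample of the subnet description (only the fields used here).
SAMPLE_SUBNET = json.loads('{"name": "your-subnet", "privateIpGoogleAccess": false}')

# Constructed sample of the project IAM policy.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/tpu.admin", "members": ["user:alice@example.com"]},
  {"role": "roles/iap.tunnelResourceAccessor",
   "members": ["user:alice@example.com"],
   "condition": {"title": "temporary-access",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/iap.tunnelResourceAccessor", "members": ["user:bob@example.com"]}
]}
""")


def role_status(policy, member, role):
    """Return 'granted', 'conditional' or 'missing' for a direct binding."""
    status = "missing"
    for binding in policy.get("bindings", []):
        if binding.get("role") != role or member not in binding.get("members", []):
            continue
        if "condition" not in binding:
            return "granted"
        status = "conditional"  # applies only while the IAM condition holds
    return status


def preflight(subnet, policy, member):
    """List the prerequisites from this page that are not unconditionally met."""
    problems = []
    if not subnet.get("privateIpGoogleAccess", False):
        problems.append(f"subnet {subnet.get('name')}: Private Google Access is disabled")
    for role in REQUIRED_ROLES:
        status = role_status(policy, member, role)
        if status != "granted":
            problems.append(f"{member}: {role} is {status}")
    return problems


if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(who, preflight(SAMPLE_SUBNET, SAMPLE_POLICY, who))
```

A "conditional" result means the binding carries an IAM condition, so the connection can fail even though the role appears in the policy.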