Connect to a TPU VM without a public IP address
===============================================

If your organization has a `constraints/compute.vmExternalIpAccess` organization
policy constraint, you need to create TPU VMs that don't have an external IP
address. To connect to a TPU VM without an external IP address, you need to:

1. Enable [Private Google Access](/vpc/docs/private-google-access) for the subnet where you will create a TPU VM.
2. Grant `roles/iap.tunnelResourceAccessor` and `roles/tpu.admin` to users who will connect to the TPU VMs.
3. Create a TPU VM without a public IP address.
4. Connect to your TPU VM using the `--tunnel-through-iap` option.

Enable Private Google Access
----------------------------

To use IAP, you must enable Private Google Access, which lets you connect
to VMs that don't have external IP addresses. In the following command, replace
`your-subnet` with the name of the subnet where you will create the TPU
VM and `your-region` with the region where the TPU VM will be located.

```bash
# Turn on Private Google Access for the subnet that will host the TPU VM.
gcloud compute networks subnets update your-subnet \
  --region=your-region \
  --enable-private-ip-google-access
```

Grant permissions
-----------------

Users who need to use SSH to connect to TPU VMs that don't have public IP
addresses must be granted the `iap.tunnelResourceAccessor` role. For more
information about granting a role, see
[Granting an IAM Role](/iam/docs/granting-changing-revoking-access#grant-single-role).

Create a TPU VM without a public IP address
-------------------------------------------

The following command shows how to create a TPU VM with no public IP address.

```bash
# --internal-ips creates the TPU VM without an external IP address.
gcloud compute tpus tpu-vm create tpu-vm-name \
  --zone "$ZONE" \
  --project your-project \
  --internal-ips \
  --version tpu-vm-tf-2.17.1-pjrt \
  --accelerator-type v2-8 \
  --subnetwork your-subnet
```

Connect to your TPU VM using SSH with IAP tunneling
---------------------------------------------------

The following command shows how to connect to a TPU VM using IAP tunneling.

```bash
gcloud alpha compute tpus tpu-vm ssh tpu-vm-name --tunnel-through-iap
```

Last updated 2025-08-11 UTC.
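
To confirm that the steps on this page took effect, the following added example (not part of the original documentation) audits the JSON that `gcloud ... describe --format=json` and `gcloud projects get-iam-policy --format=json` return for the subnet, the TPU VM and the project. The sample data is constructed, the field names (`privateIpGoogleAccess`, `networkConfig.enableExternalIps`, `networkEndpoints[].accessConfig.externalIp`, `bindings`) are assumed to match that output, and the user `alice@example.com` is hypothetical.

```python
import json

# Constructed sample data (not real output). Field names are assumed to match
# `gcloud ... --format=json` for a subnet, a TPU VM and a project IAM policy.
SUBNET = json.loads('{"name": "your-subnet", "privateIpGoogleAccess": true}')
TPU_NODE = json.loads('''{
  "name": "projects/your-project/locations/your-zone/nodes/tpu-vm-name",
  "networkConfig": {"subnetwork": "your-subnet", "enableExternalIps": false},
  "networkEndpoints": [{"ipAddress": "10.128.0.5", "port": 8470}]
}''')
IAM_POLICY = json.loads('''{"bindings": [
  {"role": "roles/iap.tunnelResourceAccessor", "members": ["user:alice@example.com"]},
  {"role": "roles/tpu.admin", "members": ["user:alice@example.com"]}
]}''')

REQUIRED_ROLES = ("roles/iap.tunnelResourceAccessor", "roles/tpu.admin")
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit(subnet, node, policy, user):
    """Return a list of findings; an empty list means every step took effect."""
    findings = []
    # Step 1: Private Google Access must be enabled on the subnet.
    if not subnet.get("privateIpGoogleAccess", False):
        findings.append("subnet: Private Google Access is disabled")
    # Step 3: no external IP may be requested or assigned.
    if node.get("networkConfig", {}).get("enableExternalIps", False):
        findings.append("tpu: networkConfig.enableExternalIps is true")
    for ep in node.get("networkEndpoints", []):
        ext = ep.get("accessConfig", {}).get("externalIp")
        if ext:
            findings.append(f"tpu: endpoint {ep.get('ipAddress')} has external IP {ext}")
    # Step 2: the user holds both roles directly, and neither role is public.
    members_by_role = {}
    for binding in policy.get("bindings", []):
        members_by_role.setdefault(binding["role"], set()).update(binding.get("members", []))
    for role in REQUIRED_ROLES:
        members = members_by_role.get(role, set())
        if user not in members:
            findings.append(f"iam: {user} lacks {role}")
        if members & PUBLIC_MEMBERS:
            findings.append(f"iam: {role} is granted to a public principal")
    return findings


if __name__ == "__main__":
    for line in audit(SUBNET, TPU_NODE, IAM_POLICY, "user:alice@example.com") or ["OK"]:
        print(line)
```

The IAM check only sees direct project-level bindings; a user who receives a role through a group or a resource-level binding is reported as lacking it, and binding conditions are not evaluated.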