# Set up Shared VPC access

Last updated 2025-08-25 UTC.

Grant the required roles
------------------------

The [Cloud Workstations Service Agent](/workstations/docs/service-accounts#workstations-service-agent) allows Cloud Workstations to perform service duties on your project. When you activated the Cloud Workstations Service in your project, the service agent was automatically created. To enable Cloud Workstations to use your Shared VPC network and subnetwork, grant the Cloud Workstations Service Agent for your project the [Compute Engine Network User role](/compute/docs/access/iam#compute.networkUser) (`roles/compute.networkUser`) on the Shared VPC subnet.

1. To retrieve the Cloud Workstations Service Agent for your project, use the following command:

        gcloud beta services identity create \
            --service=workstations.googleapis.com \
            --project=WORKSTATIONS_PROJECT_ID

    Replace `WORKSTATIONS_PROJECT_ID` with the ID of the project where you will create your workstations cluster.

    The Cloud Workstations Service Agent uses the following format: `service-$WORKSTATIONS_PROJECT_NUMBER@gcp-sa-workstations.iam.gserviceaccount.com`.

2. Grant the Cloud Workstations Service Agent the [Compute Engine Network User role](/compute/docs/access/iam#compute.networkUser) (`roles/compute.networkUser`) on the Shared VPC subnet.

Create workstation clusters using a Shared VPC
----------------------------------------------

When you [create your workstation cluster](/workstations/docs/create-configuration) in the Google Cloud console, specify the Shared VPC network and subnetwork. This step is only possible if the subnet is shared with the user who is using the console. For more information, see [Provision Shared VPC](/vpc/docs/provisioning-shared-vpc).

For general information about Shared VPC access, see [Shared VPC](/vpc/docs/shared-vpc).

When you create a workstation cluster, Cloud Workstations associates the cluster with a particular subnet and all workstations are placed in that subnet. To enable VPC Flow Logs, make sure that you turn on logging for that subnet. For more information, see [Enable VPC Flow Logs for an existing subnet](/vpc/docs/using-flow-logs#enable-logging-existing).

**Tip:** When using Shared VPC, make sure that you add and configure firewall rules for the Shared VPC network. For more information, see [Configure firewall rules](/workstations/docs/configure-firewall-rules).

What's next
-----------

- [Troubleshoot policy and access problems](/vpc/docs/troubleshooting-policy-and-access-problems)
- [Configure VPC Service Controls and private clusters](/workstations/docs/configure-vpc-service-controls-private-clusters)
- [Enable VPC Flow Logs](/vpc/docs/using-flow-logs#enabling-vpc-flow-logs)
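
The role grant from step 2 of "Grant the required roles", as an added example that is not part of the original page: it binds `roles/compute.networkUser` on one Shared VPC subnet and then lists every member that holds the role there. `HOST_PROJECT_ID`, `REGION`, `SUBNET`, the function names and the `DRY_RUN` switch are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not Google's own script. HOST_PROJECT_ID, REGION, SUBNET and
# the DRY_RUN switch are assumed names. Get the project number with:
#   gcloud projects describe WORKSTATIONS_PROJECT_ID --format="value(projectNumber)"
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands, 0 = execute them

# Build the service agent address in the format the page gives.
service_agent() {
  case "$1" in
    ''|*[!0-9]*) echo "project number must be numeric: '$1'" >&2; return 1 ;;
  esac
  printf 'service-%s@gcp-sa-workstations.iam.gserviceaccount.com\n' "$1"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bind the role on one subnet only. Args: PROJECT_NUMBER HOST_PROJECT_ID REGION SUBNET
grant_network_user() {
  agent="$(service_agent "$1")" || return 1
  run gcloud compute networks subnets add-iam-policy-binding "$4" \
    --project="$2" --region="$3" \
    --member="serviceAccount:${agent}" \
    --role="roles/compute.networkUser"
}

# List every member holding the role on that subnet, to review who can attach
# resources to it. Args: HOST_PROJECT_ID REGION SUBNET
list_network_users() {
  run gcloud compute networks subnets get-iam-policy "$3" \
    --project="$1" --region="$2" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/compute.networkUser" \
    --format="value(bindings.members)"
}

# Run both steps when called with the four arguments.
if [ "$#" -eq 4 ]; then
  grant_network_user "$1" "$2" "$3" "$4"
  list_network_users "$2" "$3" "$4"
fi
```

With the default `DRY_RUN=1` the script only prints the two `gcloud` commands so they can be reviewed before anything in the host project changes.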