# Set up Shared VPC access

Last updated (UTC): 2025-08-11.

Grant the required roles
------------------------

The [Cloud Workstations Service Agent](/workstations/docs/service-accounts#workstations-service-agent) allows Cloud Workstations to perform service duties on your project. When you activated the Cloud Workstations Service in your project, the service agent was automatically created. To enable Cloud Workstations to use your Shared VPC network and subnetwork, grant the Cloud Workstations Service Agent for your project the [Compute Engine Network User role](/compute/docs/access/iam#compute.networkUser) (`roles/compute.networkUser`) on the Shared VPC subnet.

1. To retrieve the Cloud Workstations Service Agent for your project, use the following command:

       gcloud beta services identity create \
         --service=workstations.googleapis.com \
         --project=WORKSTATIONS_PROJECT_ID

   Replace WORKSTATIONS_PROJECT_ID with the ID of the project where you will create your workstations cluster.

   The Cloud Workstations Service Agent uses the following format:

   `service-$WORKSTATIONS_PROJECT_NUMBER@gcp-sa-workstations.iam.gserviceaccount.com`.
2. Grant the Cloud Workstations Service Agent the [Compute Engine Network User role](/compute/docs/access/iam#compute.networkUser) (`roles/compute.networkUser`) on the Shared VPC subnet.

Create workstation clusters using a Shared VPC
----------------------------------------------

When you [create your workstation cluster](/workstations/docs/create-configuration) in the Google Cloud console, specify the Shared VPC network and subnetwork. This step is possible only if the subnet is shared with the user who is using the console. For more information, see [Provision Shared VPC](/vpc/docs/provisioning-shared-vpc).

For general information about Shared VPC access, see [Shared VPC](/vpc/docs/shared-vpc).

When you create a workstation cluster, Cloud Workstations associates the cluster with a particular subnet and all workstations are placed in that subnet. To enable VPC Flow Logs, make sure that you turn on logging for that subnet. For more information, see [Enable VPC Flow Logs for an existing subnet](/vpc/docs/using-flow-logs#enable-logging-existing).

**Tip:** When using Shared VPC, make sure that you add and configure firewall rules for the Shared VPC network. For more information, see [Configure firewall rules](/workstations/docs/configure-firewall-rules).

What's next
-----------

- [Troubleshoot policy and access problems](/vpc/docs/troubleshooting-policy-and-access-problems)
- [Configure VPC Service Controls and private clusters](/workstations/docs/configure-vpc-service-controls-private-clusters)
- [Enable VPC Flow Logs](/vpc/docs/using-flow-logs#enabling-vpc-flow-logs)
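
Step 2 under "Grant the required roles" names the role and the subnet but gives no command. The following is an added example, not part of the original page: one way to make the grant at subnet scope (rather than on the whole host project) with gcloud, then list which principals hold the role on that subnet. `HOST_PROJECT_ID`, `SUBNET` and `REGION` are assumed placeholders, and the `GCLOUD` variable and function names are hypothetical helpers introduced here.

```shell
#!/usr/bin/env bash
# Added example: subnet-scoped grant for the Cloud Workstations Service Agent.
# Assumed placeholders (not from the page): HOST_PROJECT_ID, SUBNET, REGION.
# Set GCLOUD=echo to print the commands instead of running them (dry run).
GCLOUD="${GCLOUD:-gcloud}"

# Build the service agent address from the workstations project NUMBER,
# using the format given on the page. Anything that is not all digits is
# rejected so a project ID is not silently turned into a wrong principal.
workstations_service_agent() {
  case "$1" in
    ''|*[!0-9]*) echo "project number must be numeric: '$1'" >&2; return 1 ;;
  esac
  printf 'service-%s@gcp-sa-workstations.iam.gserviceaccount.com\n' "$1"
}

# Grant roles/compute.networkUser on one subnet only, not on the host project.
# Args: project_number host_project subnet region
grant_subnet_network_user() {
  agent="$(workstations_service_agent "$1")" || return 1
  "$GCLOUD" compute networks subnets add-iam-policy-binding "$3" \
    --project="$2" --region="$4" \
    --member="serviceAccount:${agent}" \
    --role="roles/compute.networkUser"
}

# List the members holding the role on that subnet, to confirm the binding
# and to spot principals that should not be there.
# Args: host_project subnet region
audit_subnet_network_users() {
  "$GCLOUD" compute networks subnets get-iam-policy "$2" \
    --project="$1" --region="$3" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/compute.networkUser" \
    --format="value(bindings.members)"
}

# Example invocation (replace the placeholders before running):
#   NUM="$(gcloud projects describe WORKSTATIONS_PROJECT_ID --format='value(projectNumber)')"
#   grant_subnet_network_user "$NUM" HOST_PROJECT_ID SUBNET REGION
#   audit_subnet_network_users HOST_PROJECT_ID SUBNET REGION
```
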