This is explains how to create a virtual machine (VM) instance by using a boot disk image, a boot disk snapshot, or a container image. Some images support Shielded VM features, which offer security features such as UEFI-compliant firmware, Secure Boot, and vTPM-protected Measured Boot. On Shielded VMs, vTPM and integrity monitoring are enabled by default.
While creating your VM, you can create one or more disks for it. You can also add more disks to the VM after it’s created. Compute Engine automatically starts the VM instance after you create it.
While creating a VM, you can also add multiple network interfaces. To mitigate your VM’s exposure to threats on the internet, you can omit the external IP address when you add a network interface to the instance. In such cases, the VM is accessible only from other VMs in the same VPC network or a linked network unless you configure Cloud NAT.
For more specific or complicated VM creation, see the following resources:
- Creating Windows Server instances
- Creating SQL Server instances
- Creating instances on sole-tenant nodes
- Creating a VM instance with a custom hostname
- Reserving instances and consuming reserved instances
- Creating VM instances that use the gVNIC network interface
- Configuring a VM instance with higher bandwidth
- Creating a VM instance with attached GPUs
- Creating a VM instance with a high-performance computing (HPC) image
- Using the bulk instance API
- Creating a VM instance with an attached instance schedule
If you are bringing an existing license, see Bringing your own license with sole-tenant nodes.
Before you begin
- If you want to use the command-line examples in this guide, do the following:
- Install or update to the latest version of the gcloud command-line tool.
- Set a default region and zone.
- If you want to use the API examples in this guide, set up API access.
- When creating VMs from images or disks by using the
gcloud
command-line tool or the Compute Engine API, there’s a limit of 20 VM instances per second. If you need to create a higher number of VMs per second, request a higher quota limit for the Images resource.
Create a VM instance from an image
This section explains how to create a VM from a public OS image or a custom image. A VM contains a bootloader, a boot file system, and an OS image.
View a list of public images available on Compute Engine
Before you create a VM by using a public image, review the list of public images that are available on Compute Engine.
For more information about the features available with each public image, see Feature support by operating system.ConsolegcloudAPI
- In the Google Cloud Console, go to the Images page.Go to Images
Create a VM instance from a public image
Google, open source communities, and third-party vendors provide and maintain public OS images. By default, all Google Cloud projects can create VMs from public OS images. However, if your Cloud project has a defined list of trusted images, you can use only the images on that list to create a VM.
If you create a Shielded VM image with a local SSD, you can’t shield data with integrity monitoring or the virtual platform trusted module (vTPM).Permissions required for this taskConsolegcloudAPIPython
- In the Google Cloud Console, go to the VM instances page.Go to VM instances
- Select your project and click Continue.
- Click Create instance.
- Specify a Name for your VM. For more information, see Resource naming convention.
- Optional: Change the Zone for this VM. Compute Engine randomizes the list of zones within each region to encourage use across multiple zones.
- Select a Machine configuration for your VM.
- In the Boot disk section, click Change, and then do the following:
- On the Public images tab, choose the following:
- Operating system
- OS version
- Boot disk type
- Boot disk size
- Optional: For advanced configuration options, click Show advanced configuration.
- To confirm your boot disk options, click Select.
- On the Public images tab, choose the following:
- In the Firewall section, to permit HTTP or HTTPS traffic to the VM, select Allow HTTP traffic or Allow HTTPS traffic. When you select one of these, Compute Engine adds a network tag to your VM, which associates the firewall rule with the VM. Then, Compute Engine creates the corresponding ingress firewall rule that allows all incoming traffic on
tcp:80
(HTTP) ortcp:443
(HTTPS). - Optional: If you chose an OS image that supports Shielded VM features, you can modify the Shielded VM settings. To modify shielded VM settings, expand the Security section in the Networking, disks, security, management, sole tenancy section and do the following, as required:
- To turn on Secure Boot, select Turn on Secure Boot. Secure Boot is disabled by default.
- To turn off vTPM, clear the Turn on vTPM checkbox. vTPM is enabled by default. Disabling vTPM also disables integrity monitoring because integrity monitoring relies on data gathered by Measured Boot.
- To turn off integrity monitoring, clear the Turn on Integrity Monitoring checkbox. Integrity monitoring is enabled by default.
- To create and start the VM, click Create.
Create a VM from a custom image
A custom image belongs only to your project. To create a VM with a custom image, you must first create a custom image if you don’t already have one.Note: You must have access to the custom image to use it when you create a VM. By default, you have access to all custom images in your project. However, if your project has a defined list of trusted images, you can use only the images on that list to create a VM.Permissions required for this taskConsolegcloudAPI
- In the Google Cloud Console, go to the VM instances page.Go to VM instances
- Select your project and click Continue.
- Click Create instance.
- Specify a Name for your VM. For more information, see Resource naming convention.
- Optional: Change the Zone for this VM. Compute Engine randomizes the list of zones within each region to encourage use across multiple zones.
- Select a Machine configuration for your VM.
- In the Boot disk section, click Change, and then do the following:
- Select the Custom Images tab.
- To select the image project, click Select a project, and then do the following:
- Select the project that contains the image.
- Click Open.
- In the Image list, click the image that you want to import.
- Select the type and size of your boot disk.
- Optional: For advanced configuration options, click Show advanced configuration.
- To confirm your boot disk options, click Select.
- In the Firewall section, to permit HTTP or HTTPS traffic to the VM, select Allow HTTP traffic or Allow HTTPS traffic.The Cloud Console adds a network tag to your VM and creates the corresponding ingress firewall rule that allows all incoming traffic on
tcp:80
(HTTP) ortcp:443
(HTTPS). The network tag associates the firewall rule with the VM. For more information, see Firewall rules overview in the Virtual Private Cloud documentation. - To create and start the VM, click Create.
Create a VM instance with additional non-boot disks
- In the Google Cloud Console, go to the VM instances page.Go to VM instances
- Select your project and click Continue.
- Click Create instance.
- Specify a Name for your VM. For more information, see Resource naming convention.
- Optional: Change the Zone for this VM. Compute Engine randomizes the list of zones within each region to encourage use across multiple zones.
- Select a Machine configuration for your VM.
- In the Boot disk section, click Change, and then do the following:
- In the Public images tab, choose the following:
- Operating system
- OS version
- Boot disk type
- Boot disk size
- Optional: For advanced configuration options, click Show advanced configuration.
- To confirm your boot disk options, click Select.
- In the Public images tab, choose the following:
- In the Firewall section, to permit HTTP or HTTPS traffic to the VM, select Allow HTTP traffic or Allow HTTPS traffic. When you select one of these, Compute Engine adds a network tag to your VM, which associates the firewall rule with the VM. Then, Compute Engine creates the corresponding ingress firewall rule that allows all incoming traffic on
tcp:80
(HTTP) ortcp:443
(HTTPS). - To add non-boot disks to your VM, expand the Networking, disks, security, management, sole tenancy section, and then do the following:
- Expand the Disks section.
- Click Add new disk, and then do the following:
- Specify a disk Name, Type, Source type, and Size.
- In the Attachment settings section, select disk’s attachment Mode and the Deletion rule. For more information about adding new disks, see Creating and attaching a disk.
- Click Save.
- To create and start the VM, click Create.
Format and mount the disks before using them.
Create a VM instance from a shared image
If another user has shared an image with you, you can use the image to create a VM.Permissions required for this taskConsolegcloudAPI
- In the Google Cloud Console, go to the Create an instance page.Go to Create an instance
- Specify a Name for your VM. For more information, see Resource naming convention.
- Optional: Change the Zone for this VM. Compute Engine randomizes the list of zones within each region to encourage use across multiple zones.
- Select a Machine configuration for your VM.
- In the Boot disk section, click Change to configure your boot disk, and then do the following:
- Select the Custom Images tab.
- To select the image project, click Select a project, and then do the following:
- Select the project that contains the image.
- Click Open.
- In the Image list, click the image that you want to import.
- Select the type and size of your boot disk.
- To confirm your boot disk options, click Select.
- To permit HTTP or HTTPS traffic to the VM, in the Firewall section, select Allow HTTP traffic or Allow HTTPS traffic.The Cloud Console adds a network tag to your VM and creates the corresponding ingress firewall rule that allows all incoming traffic on
tcp:80
(HTTP) ortcp:443
(HTTPS). The network tag associates the firewall rule with the VM. For more information, see Firewall rules overview in the Virtual Private Cloud documentation. - To start and create a VM, click Create.
Create a VM instance from a snapshot
If you backed up a boot persistent disk with a snapshot, you can use that snapshot to create a VM.
To quickly create more than one VM with the same boot disk, create a custom image and, then create VMs from that image rather than from the snapshot.Important: If you create a VM from a disk snapshot based on a Shielded VM image, the original integrity policy baseline is lost and the first set of boot sequence measurements on the new VM is used as the new baseline. Because this new set of measurements is not verified, you must validate the boot integrity of the VM after you restore from a snapshot. You can do this by manually examining the boot log and verifying that the proper keys are loaded into the SecureBoot database, and that the expected kernel version is running. Also, secrets saved in the vTPM on the originating VM are not accessible on VMs restored from a snapshot of that VM.
Create a VM instance boot disk from a snapshot
You can restore a snapshot of a boot disk to a new boot disk when you create a VM.Permissions required for this taskConsolegcloudAPI
- In the Google Cloud Console, go to the VM instances page.Go to VM instances
- Select your project and click Continue.
- Click Create instance.
- Specify a Name for your VM. For more information, see Resource naming convention.
- Optional: Change the Zone for this VM. Compute Engine randomizes the list of zones within each region to encourage use across multiple zones.
- Select a Machine configuration for your VM.
- In the Boot disk section, click Change, and then do the following:
- Click the Snapshots tab.
- In the Snapshot list, click a snapshot.
- Specify the boot disk type and size.
- Optional: For advanced configuration options, click Show advanced configurations.
- To confirm your boot disk options, click Select.
- In the Firewall section, to permit HTTP or HTTPS traffic to the VM, select Allow HTTP traffic or Allow HTTPS traffic.The Cloud Console adds a network tag to your VM and creates the corresponding ingress firewall rule that allows all incoming traffic on
tcp:80
(HTTP) ortcp:443
(HTTPS). The network tag associates the firewall rule with the VM. For more information, see Firewall rules overview in the Virtual Private Cloud documentation. - To create and start the VM, click Create.
Restore non-boot snapshots to a new VM instance
Non-boot snapshots are backups of secondary persistent disks that your VM uses only for data storage. You can restore non-boot snapshots to new disks whenever you create a VM. Alternatively, you can also restore non-boot snapshots to an existing VM.
To restore non-boot snapshots to a new VM, follow these additional steps when you create a VM.Permissions required for this taskConsolegcloudAPI
When restoring non-boot snapshots to a new VM from the console, first create a disk from each snapshot. Then, attach the new disks when you create the VM.
- Restore each non-boot snapshot to a new disk.
- In the Google Cloud Console, go to the Disks page.Go to Disks
- Click Create disk.
- Specify a Name for your disk. For more information, see Resource naming convention.
- Select the Region and Zone for this disk. The disk and VM must be in the same zone.
- Select a disk Type.
- Under Source type, select Snapshot.
- Under the new Source snapshot field, select a non-boot snapshot that you want to restore to the new disk.
- To create the disk, click Create.
- In the Google Cloud Console, go to the VM instances page.Go to VM instances
- Select your project and click Continue.
- Click Create instance.
- Specify a Name for your VM. For more information, see Resource naming convention.
- Select the Region and Zone for this VM. The disk and VM must be in the same zone.
- Select a Machine type for your VM.
- If you want to allow incoming external traffic, change the Firewall rules for the VM.
- To attach disks to the VM, expand the Networking, disks, security, management, sole tenancy section, and then do the following:
- Expand the Disks section.
- Click Attach existing disk.
- In the Disk list, select a disk to attach to this VM.
- In the Attachment Setting section, select disk’s attachment Mode and the Deletion rule. For more information about adding new disks, see Creating and attaching a disk.
- Click Save.
- To create and start the VM, click Create.
Create a VM instance from a container image
To deploy and launch a container on a Compute Engine VM, specify a container image name and optional configuration parameters when you create the VM. Compute Engine creates the VM by using the latest version of the Container-optimized OS public image, which has Docker installed. Then, Compute Engine launches the container when the VM starts. For more information, see Deploying containers on VMs.
To create a VM from a container image, you must use the Cloud Console or gcloud
.Permissions required for this taskConsolegcloud
- In the Google Cloud Console, go to the VM instances page.Go to VM instances
- Select your project and click Continue.
- Click Create instance.
- Specify a Name for your VM. For more information, see Resource naming convention.
- In the Container section, click Deploy container.
- Specify the Container image to use. For example:
- To select an NGINX 1.12 container image from Cloud Launcher:
gcr.io/cloud-marketplace/google/nginx1:1.12
- To deploy an Apache container image from Docker Hub, always specify the full Docker image name:
docker.io/httpd:2.4
- To select an NGINX 1.12 container image from Cloud Launcher:
- Optional: Click Advanced container options. For more information, see Configuring options to run your container.
- Specify the Container image to use. For example:
- To create the VM, boot the VM, and launch the container, click Create.
Create a VM instance with access to other Google Cloud Services
If you plan to run an application on your VM that needs access to other Google Cloud services, create a service account before creating the VM, and then set up the VM to run as a service account. A service account is a special account whose credentials you can use in your application code to access other Google Cloud services.
For more information, see Service accounts.
Create a VM instance in a specific subnet
Permissions required for this task
By default, Google Cloud creates an auto mode VPC network called default
for each project. To use a different network or a subnet that you manually created in an auto mode or custom mode VPC network, you must specify the subnet when you create the VM.
While creating a VM in a subnet, consider these rules:
- If you don’t specify a network or subnet, Compute Engine uses the default VPC network and the auto subnet that’s in the same region as the VM.
- If you don’t specify a network, Compute Engine infers the network from the subnet specified.
- If you specify a network, you must specify a subnet and it must belong to the same network. Otherwise, VM creation fails.
Note: You must create the subnet that you want to use before you create the VM. For more information, see Adding a new subnet to an existing VPC network.ConsolegcloudAPI
- In the Google Cloud Console, go to the VM instances page.Go to VM instances
- Select your project and click Continue.
- Click Create instance.
- Specify a Name for your VM. For more information, see Resource naming convention.
- Optional: Change the Zone for this VM. Compute Engine randomizes the list of zones within each region to encourage use across multiple zones.
- In the Firewall section, to permit HTTP or HTTPS traffic to the VM, select Allow HTTP traffic or Allow HTTPS traffic.The Cloud Console adds a network tag to your VM and creates the corresponding ingress firewall rule that allows all incoming traffic on
tcp:80
(HTTP) ortcp:443
(HTTPS). The network tag associates the firewall rule with the VM. For more information, see Firewall rules overview in the Virtual Private Cloud documentation. - Expand the Networking, disks, security, management, sole tenancy section.
- Expand the Networking section.
- For Network interfaces, specify the network details:
- In the Network field, select the VPC network that contains the subnet you created.
- In the Subnet field, select the subnet for the VM to use.
- Click Done.
- To create and start the VM, click Create.
Troubleshooting
To find methods for resolving common VM creation errors, see Troubleshooting VM creation.
What’s next?
- Check the status of the VM to see when it’s ready to use.
- Learn how to use snapshots to back up your persistent disks.
- Learn more about images.
- Learn more about containers.
- Create and attach a non-boot storage disk to your VM to store your data separately from the boot disk.
- Create and start Windows Server or SQL Server instances.
- Refer to the
gcloud compute instances create
command. - Learn how to reserve resources in a specific zone.
- Connect to your VM instance.
Try it for yourself
If you’re new to Google Cloud, create an account to evaluate how Compute Engine performs in real-world scenarios. New customers also get $500 in free credits to run, test, and deploy workloads.