Connect to a TPU VM without a public IP address
If your organization has a constraints/compute.vmExternalIpAccess organization policy constraint, you need to create TPU VMs that do not have an external IP address. To connect to a TPU VM without an external IP address, you need to:
- Enable Private Google Access for the subnet where you will create a TPU VM.
- Grant roles/iap.tunnelResourceAccessor and roles/tpu.admin to users who will connect to the TPU VMs.
- Create a TPU VM without a public IP address.
- SSH into your TPU VM using --tunnel-through-iap.
Enable Private Google Access
To use Identity-Aware Proxy (IAP), you must enable Private Google Access, which allows you to connect to VMs that do not have external IP addresses. In the following command, replace your-subnet with the name of the subnet where you will create the TPU VM and your-region with the region where the TPU VM will be located.
gcloud compute networks subnets update your-subnet \
    --region=your-region \
    --enable-private-ip-google-access
Grant permissions
Users that need to SSH into TPU VMs that do not have public IP addresses must be granted the iap.tunnelResourceAccessor role. For more information about granting a role, see Granting an IAM Role.
Create a TPU VM without a public IP address
The following command shows how to create a TPU VM with no public IP address.
gcloud compute tpus tpu-vm create tpu-vm-name \
    --zone $ZONE \
    --project your-project \
    --internal-ips \
    --version tpu-vm-tf-2.18.0-pjrt \
    --accelerator-type v2-8 \
    --subnetwork your-subnet
SSH into your TPU VM using IAP tunneling
The following command shows how to SSH into a TPU VM using IAP tunneling.
gcloud alpha compute tpus tpu-vm ssh tpu-vm-name --tunnel-through-iap
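The prerequisites above can be checked before attempting the tunnel. The script below is an added example, not part of the original documentation: the function names are hypothetical, and the subnet, region, project and member values are placeholders supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the steps on this page.
# Function names are hypothetical; subnet, region, project and member
# are placeholders supplied by the caller.

# Succeeds only if Private Google Access is enabled on the subnet.
subnet_has_pga() {  # args: subnet region
  _v=$(gcloud compute networks subnets describe "$1" --region="$2" \
         --format='value(privateIpGoogleAccess)') || return 2
  case "$_v" in [Tt]rue) return 0 ;; *) return 1 ;; esac
}

# Succeeds only if the member holds the role through a direct
# project-level binding. Group membership and bindings inherited from a
# folder or organization are not resolved, so a failure here means
# "check further", not "definitely denied".
member_has_role() {  # args: project member role
  gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.role=\"$3\" AND bindings.members=\"$2\"" \
    --format='value(bindings.role)' | grep -qxF "$3"
}

# Runs every check, reports each failure on stderr, returns 1 if any failed.
preflight() {  # args: project region subnet member
  _rc=0
  if ! subnet_has_pga "$3" "$2"; then
    echo "FAIL: Private Google Access is not enabled on subnet $3" >&2
    _rc=1
  fi
  for _role in roles/iap.tunnelResourceAccessor roles/tpu.admin; do
    if ! member_has_role "$1" "$4" "$_role"; then
      echo "FAIL: $4 has no direct binding for $_role on project $1" >&2
      _rc=1
    fi
  done
  return "$_rc"
}

# Example call (constructed values):
#   preflight your-project your-region your-subnet user:alice@example.com
```

A non-zero return from preflight identifies which prerequisite to fix before running the SSH command with --tunnel-through-iap.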