Creating instance templates

This page describes how to create and manage instance templates. Instance templates let you define the machine type, boot disk image or container image, network, and other instance properties to use when creating virtual machine (VM) instances. You can use instance templates to create instances in a managed instance group (MIG) or to create individual instances.

Before you begin

If you want to use the command-line examples in this guide:
1. Install or update to the latest version of the gcloud command-line tool.
2. Set a default region and zone.
If you want to use the API examples in this guide, set up API access.

Limitations

Shared VPC on interfaces other than nic0 for instance templates is supported in gcloud tool and the API, but not in Cloud Console.

Creating a new instance template

Most of the instance properties that you can define in a regular API request to create an individual VM instance can be defined in the instance template, including any instance metadata, startup scripts, persistent disks, service accounts, and so on.

At a minimum, the same required properties for creating an instance are also required to create an instance template. For a list of the required fields, see the instanceTemplates.insert reference.

Create an instance template through the Google Cloud Console, gcloud command-line tool, or the API.

Permissions required for this task

To perform this task, you must have the following permissions:

All permissions required to call the instanceTemplates.insert method.

Console

In the Cloud Console, go to the Instance templates page.

Go to Instance templates
Click Create instance template.
Enter values for the following fields, or accept the default values. The default values change based on the machine family that you select.
- Machine type
- Image
- Boot disk
- VPC network
- IP address
Optional: Change the instance's Shielded VM settings, if you chose an image that supports Shielded VM:
1. Under Management, Security, Disks, Networking, Sole Tenancy, click the Security tab.
2. If you want to disable Secure Boot, clear the Turn on Secure Boot checkbox. Secure Boot helps protect your VM instances against boot-level and kernel-level malware and rootkits. For more information, see Secure boot.
3. If you want to disable the virtual trusted platform module (vTPM), clear the Turn on vTPM checkbox. The vTPM enables Measured boot, which validates the VM pre-boot and boot integrity. For more information, see Virtual Trusted Platform Module (vTPM).
  
  Important: Disabling the vTPM also disables integrity monitoring because integrity monitoring relies on data gathered by Measured boot.
4. If you want to disable integrity monitoring, uncheck the Turn on Integrity Monitoring checkbox. Integrity monitoring lets you monitor the boot integrity of your Shielded VM instances by using Cloud Monitoring. For more information, see Integrity monitoring.
Optional: Under Management, Security, Disks, Networking, Sole Tenancy, click the tabs to further customize your template. For example, you can add up to 15 secondary non-boot disks.
Optional: Click Equivalent REST to view the REST request body, which includes the JSON representation of your instance template.
Click Create to create the template.

gcloud

In gcloud compute, create an instance template by using the instance-templates create command. Replace INSTANCE_TEMPLATE_NAME with the name of the instance template.

gcloud compute instance-templates create INSTANCE_TEMPLATE_NAME

If you do not provide explicit template settings, gcloud compute uses the following default values:

Machine type: n1-standard-1
Image: The latest Debian image
Boot disk: A new standard boot disk named after the instance
Network: The default VPC network
IP address: An ephemeral external IP address

You can also explicitly provide these configuration settings. For example:

gcloud compute instance-templates create example-template-custom \
    --machine-type e2-standard-4 \
    --image-family debian-10 \
    --image-project debian-cloud \
    --boot-disk-size 250GB

You can add up to 15 secondary non-boot disks. Specify the --create-disk flag for each secondary disk you create. To create secondary disks from a public or stock image, specify the image and image-project properties in the --create-disk flag. To create a blank disk, do not include these properties. Optionally, include properties for the disk size and type.

gcloud compute instance-templates create INSTANCE_TEMPLATE_NAME \
    --create-disk image=DISK_IMAGE,image-project=DISK_IMAGE_PROJECT,size=SIZE_GB

Replace the following:

INSTANCE_TEMPLATE_NAME: The name for the new template.
DISK_IMAGE: The source image for the secondary disk. For a list of available images, run gcloud compute images list. For blank disks, do not specify a disk image or image project.
DISK_IMAGE_PROJECT: The image project to which the disk image belongs. For blank disks, do not specify a disk image or image project.
SIZE_GB: The size of the secondary disk.

If you chose an image that supports Shielded VM, you can optionally change the instance's Shielded VM settings using one of the following flags:

--no-shielded-secure-boot: Disable Secure Boot. Secure Boot helps protect your VM instances against boot-level and kernel-level malware and rootkits. For more information, see Secure Boot.
--no-shielded-vtpm: Disable the virtual trusted platform module (vTPM). The vTPM enables Measured Boot, which validates the VM pre-boot and boot integrity. For more information, see Virtual Trusted Platform Module (vTPM).

Important: Disabling the vTPM also disables integrity monitoring because integrity monitoring relies on data gathered by Measured Boot.
--no-shielded-integrity-monitoring: Disable integrity monitoring. Integrity monitoring lets you monitor the boot integrity of your Shielded VM instances using Cloud Monitoring. For more information, see Integrity monitoring.

You can see a list of available flags in the gcloud compute reference.

A template with the default configuration settings might look like the following:

gcloud compute instance-templates describe example-template

creationTimestamp: '2019-09-10T16:18:32.042-07:00'
description: ''
id: '6057583701980539406'
kind: compute#instanceTemplate
name: example-template
properties:
  canIpForward: false
  disks:
  - autoDelete: true
    boot: true
    initializeParams:
      sourceImage: https://compute.googleapis.com/compute/v1/projects/debian-cloud/global/images/family/debian-10
    kind: compute#attachedDisk
    mode: READ_WRITE
    type: PERSISTENT
  machineType: e2-standard-2
  networkInterfaces:
  - accessConfigs:
    - kind: compute#accessConfig
      name: external-nat
      type: ONE_TO_ONE_NAT
    network: https://compute.googleapis.com/compute/v1/projects/myproject/global/networks/default
  scheduling:
    automaticRestart: true
    onHostMaintenance: MIGRATE
  serviceAccounts:
  - email: default
    scopes:
    - https://www.googleapis.com/auth/devstorage.read_only
selfLink: https://compute.googleapis.com/compute/v1/projects/myproject/global/instanceTemplates/example-template

API

In the instance template API, you must explicitly define all of the required configuration fields as described in the instanceTemplates().insert documentation. For example, an instance template with the minimal required fields looks like the following:

{
"name": "example-template",
"properties": {
  "machineType": "e2-standard-4",
  "networkInterfaces": [
    {
      "network": "global/networks/default",
      "accessConfigs":
      [
        {
          "name": "external-IP",
          "type": "ONE_TO_ONE_NAT"
        }
      ]
    }
  ],
  "disks":
  [
    {
      "type": "PERSISTENT",
      "boot": true,
      "mode": "READ_WRITE",
      "initializeParams":
      {
        "sourceImage": "projects/debian-cloud/global/images/family/debian-10"
      }
    }
  ]
  }
}

For the disks property, you must either provide the initializeParams property to create persistent boot disks for each instance, or you can provide the source property to attach an existing persistent boot disk. If you attach an existing boot disk, you can only create one instance from your template.

You can add up to 15 secondary non-boot disks by using the initializeParams property for each additional disk. Create additional disks with a public or a private image. To add blank disks, do not specify a sourceImage. Optionally, you can include the diskSizeGb, diskType, and labels properties.

If you chose an image that supports Shielded VM, you can optionally change the instance's Shielded VM settings by using the following Boolean request body items:

enableSecureBoot: Enable or disable Secure Boot. Secure Boot helps protect your VM instances against boot-level and kernel-level malware and rootkits. For more information, see Secure Boot.
enableVtpm: Enable or disable the virtual trusted platform module (vTPM). The vTPM enables Measured Boot, which validates the VM pre-boot and boot integrity. For more information, see Virtual Trusted Platform Module (vTPM).
Important: Disabling the vTPM also disables integrity monitoring because integrity monitoring relies on data gathered by Measured Boot.
enableIntegrityMonitoring: Enable or disable integrity monitoring. Integrity monitoring lets you monitor and verify the runtime boot integrity of your Shielded VM instances by using Cloud Monitoring reports. For more information, see Integrity monitoring.

For all possible fields, see the reference documentation.

Creating an instance template based on an existing instance

You can use the Compute Engine API or gcloud tool to save the configuration of an existing VM instance as an instance template.

You can override how the source disks are defined in the template.

If you need to override other properties, first create an instance template based on an existing instance, then create a similar template with additional overrides.

Permissions required for this task

To perform this task, you must have the following permissions:

All permissions required to call the instanceTemplates.insert method.

gcloud

For a list of all the flags, see the gcloud instance-templates create command.

gcloud compute instance-templates create [INSTANCE_TEMPLATE_NAME] \
    --source-instance=[SOURCE_INSTANCE] \
    --source-instance-zone=[SOURCE_INSTANCE_ZONE] \
    [--configure-disk= \
        device-name=[SOURCE_DISK], \
        instantiate-from=[INSTANTIATE_FROM], \
        auto-delete=[AUTO_DELETE]]

where:

[INSTANCE_TEMPLATE_NAME] is the name of the template to create.
[SOURCE_INSTANCE] is the name of the instance to use as a model for the new template.
[SOURCE_INSTANCE_ZONE] is the zone that contains the source instance.
[SOURCE_DISK] is the name of a source-instance disk that you want to override within the template.
[INSTANTIATE_FROM] specifies whether to include the disk and which image to use. Valid values depend on the type of disk:
- source-image or source-image-family (valid only for boot and other persistent read/write disks).
- custom-image (valid only for boot and other persistent read/write disks). If specified, then the path or URL for the custom image must also be specified, as shown in the following example.
- attach-read-only (valid only for read-only disks).
- blank (valid only for non-boot persistent disks and local SSDs). If specified, then, when the template is used to create a new instance, the disk is created unformatted. You must format and mount the disk in a startup script before you can use it in a scalable setup.
- do-not-include (valid only for non-boot persistent disks and read-only disks).
- blank (valid only for non-boot persistent disks and read-only disks).
[AUTO_DELETE] specifies whether the disk is auto-deleted when the instance is deleted. Valid values are: false, no, true, and yes.

For example, the following command creates an instance template based on my-source-instance, with the option to use the original image from data-disk-a, but set auto-delete to true and replace data-disk-b with a custom image.

gcloud compute instance-templates create my-instance-template  \
    --source-instance my-source-instance \
    --configure-disk=device-name=data-disk-a,instantiate-from=source-image, \
      auto-delete=true
    --configure-disk=device-name=data-disk-b,instantiate-from=custom-image, \
      custom-image=projects/cps-cloud/global/images/cos-89-16108-403-15

API

For a list of all the flags, see the InstanceTemplates API docs.

POST https://compute.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/instanceTemplates
{
  "name": "[INSTANCE_TEMPLATE_NAME]",
  "sourceInstance": "zones/[SOURCE_INSTANCE_ZONE]/instances/[SOURCE_INSTANCE]",
  "sourceInstanceParams": {
    "diskConfigs": [
      {
        "deviceName": "[SOURCE_DISK]",
        "instantiateFrom": "[INSTANTIATE_FROM]"
      }
    ]
  }
}

where:

[PROJECT_ID] is the project ID for the request.
[INSTANCE_TEMPLATE_NAME] is the name of the new template.
[SOURCE_INSTANCE_ZONE] is the zone of the source instance.
[SOURCE_INSTANCE] is the name of the source instance to use as a model for this instance template.
[SOURCE_DISK] is the name of a source-instance disk that you want to override within the template.
[INSTANTIATE_FROM] specifies whether to include the disk and which image to use. Valid values depend on the type of disk:
- source-image or source-image-family (valid only for boot and other persistent read/write disks).
- custom-image (valid only for boot and other persistent read/write disks). If specified, then the path or URL for the custom image must also be specified, as shown in the following example.
- attach-read-only (valid only for read-only disks).
- blank (valid only for non-boot persistent disks and local SSDs). If specified, then, when the template is used to create a new instance, the disk is created unformatted. You must format and mount the disk in a startup script before you can use it in a scalable setup.
- do-not-include (valid only for non-boot persistent disks and read-only disks).

The following example creates a new instance template based on my-source-instance. In the instance template, the image for data-disk-a is replaced with projects/cos-cloud/global/images/cos-89-16108-403-15.

POST https://compute.googleapis.com/compute/v1/projects/my_project/global/instanceTemplates
{
  "name": "my-instance-template",
  "sourceInstance": "zones/us-central1-a/instances/my-source-instance",
  "sourceInstanceParams":
  {
    "diskConfigs":
    [
      {
        "deviceName": "data-disk-a",
        "instantiateFrom": "custom-image",
        "customImage": "projects/cos-cloud/global/images/cos-89-16108-403-15"
      }
    ]
  }
}

The following table shows the options for overriding how disks are defined in the template.

Disk type	Options
Boot disk	[Default] Use the same source image or image family that was used to create the boot disk in the source instance. Use the URL of any (custom or public) image.
Other read/write persistent disks	[Default] Use the same source image/source image family that was used to create the disk in the source instance. Note: If the source instance's disk doesn't have a source image/source image family property, then it is included in the template as a blank disk. Use the URL of any (custom or public) image. Use a blank disk in the template instead. When the template is used to create a new instance, this disk is created unformatted. You must format and mount the disk in a startup script before you can use it in a scalable setup. Do not include the disk.
Read-only disk(s)	[Default] Include the disk in read-only mode. Do not include the disk.
Local SSD(s)	[Default] Include a blank local SSD. When the template is used to create a new instance, this disk is created unformatted. You must format and mount the disk in a startup script before you can use it in a scalable setup.

For each disk, you can also override the auto-delete attribute to specify whether the disk should be deleted when its associated instance is deleted.

By default, if no override options are specified, the disk configuration in the template matches the source instance.

Creating an instance template based on an existing template

You cannot update an existing instance template. But, if an instance template goes out of date or if you need to make changes, you can create another one with similar properties. Use the console.

Go to the Instance templates page.

Go to Instance templates
Click on the instance template that you want to copy and update.
Click Create similar.
Update the configuration in the new template.
Click Create.

Creating an instance template with a container image

You can specify a container image in an instance template. By default, Compute Engine also includes in the template a Container-Optimized OS image with Docker installed. When you use the template to create a new instance, the container is launched automatically as the instance starts up.

Console

Go to the Instance templates page.

Go to Instance templates
Click Create instance template.
In the Container section, select the Deploy a container image to this VM instance checkbox.
Specify the Container image to use.
- You can specify an image from Container Registry or Artifact Registry. For example:
  - gcr.io/cloud-marketplace/google/nginx1:1.12 selects an NGINX 1.12 container image from Google Cloud Marketplace.
  - us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0 selects a sample hello-app image stored in Artifact Registry.
- If you use a container image from Docker Hub, always specify the full Docker image name. For example, specify the following image name to deploy an Apache container image: docker.io/httpd:2.4.
Optionally, click Advanced container options. For more information, see Configuring options to run your Container.
Click Create.

gcloud

Use the gcloud compute instance-templates create-with-container command:

gcloud compute instance-templates create-with-container INSTANCE_TEMPLATE_NAME \
     --container-image CONTAINER_IMAGE

Replace the following:

INSTANCE_TEMPLATE_NAME: The name of the template to create.
CONTAINER_IMAGE: The full name of the container image to use.

For example, the following command creates a new instance template named nginx-vm. A VM instance created from this template launches and runs the container image, gcr.io/cloud-marketplace/google/nginx1:1.12, when the VM starts.

 gcloud compute instance-templates create-with-container nginx-vm \
     --container-image gcr.io/cloud-marketplace/google/nginx1:1.12

You can also configure options to run your container.

Creating an instance template that specifies a subnet

Instance template commands have --subnet and --region flags that place new instances into the subnet of your choice. The --subnet flag requires the --region flag.

gcloud compute instance-templates create INSTANCE_TEMPLATE_NAME \
    --region REGION \
    --subnet SUBNET_NAME_OR_URL

Replace the following:

INSTANCE_TEMPLATE_NAME: The desired name of the instance template.
REGION: The region of the subnet.
SUBNET_NAME_OR_URL: Either the name of the subnet or its URL.

Note: If you use the subnet name, Google finds that subnet in the target region (provided that it exists there); however, if you use the subnet URL, the instance template can only be used to create instances in the specific region that is associated with the subnet URL.

The following example creates a template called template-qa that only creates instances in the subnet-us-qa subnet.

gcloud compute instance-templates create template-qa \
    --region us-central1 \
    --subnet subnet-us-qa

Created [https://compute.googleapis.com/compute/latest/projects/PROJECT_ID/global/instanceTemplates/template-qa].
NAME        MACHINE_TYPE  PREEMPTIBLE CREATION_TIMESTAMP
template-qa e2-standard-2             2019-12-23T20:34:00.791-07:00

Using this template to create instances for a managed instance group (with or without autoscaling) automatically creates the instance in the specified region and subnet. This lets you control the subnet of new instances created for load balancing.

Using custom or public images in your instance templates

Because managed instance groups are designed to add and remove instances frequently, it is useful to create a custom image and specify it in the instance template. Prepare your image with the apps and settings that your instances need so you don't have to manually configure those items on individual instances in the MIG.

Alternatively, you can create an instance template that uses a public image and a startup script to prepare the instance after it starts running. Custom images are more deterministic and start more quickly than instances with startup scripts. However, startup scripts are more flexible and let you update the apps and settings in your instances more easily.

Updating an instance template

You cannot update an existing instance template or change an instance template after it has been created. If an instance template goes out of date, or you need to make changes to the configuration, create a new instance template.

What's next

Read tips to create Deterministic instance templates.
Create a VM instance from an instance template.
Create a zonal MIG.
Create a regional MIG.