Creating and starting a VM instance

This document explains how to create a virtual machine (VM) instance using a boot disk image, a boot disk snapshot, or a container image. Some images support Shielded VM features, which offer security features like UEFI-compliant firmware, Secure Boot, and vTPM-protected Measured Boot. On Shielded VMs, vTPM and integrity monitoring are enabled by default.

You can create multiple disks for your VM instance during the creation process. You can also add more disks to the instance after it is created. Compute Engine automatically starts the VM instance after you create it.

This document explains basic ways to create an instance. For more specific or complicated instance configurations, see the following resources:

If you are bringing an existing license, see Bringing your own license with sole-tenant nodes.

Before you begin

If you want to use the command-line examples in this guide:
1. Install or update to the latest version of the gcloud command-line tool.
2. Set a default region and zone.
If you want to use the API examples in this guide, set up API access.

Creating an instance from an image

This section explains how to create a VM from a public OS image or a custom image. A VM contains a bootloader, a boot filesystem, and an OS image.

Creating an instance from a public image

Google, as well as open-source communities and third-party vendors, provides and maintains public OS images. By default, all projects can create VMs from public OS images. However, if your project has a defined list of trusted images, you can use only the images on that list to create a VM.

If you create a Shielded VM image with local SSD, you can't shield data with integrity monitoring or the virtual platform trusted module (vTPM).

Permissions required for this task

To perform this task, you must have the following permissions:

compute.instances.create on the project
compute.instances.updateShieldedVmConfig if you plan to create a Shielded VM instance and you want to be able to change any of the Shielded VM settings.
compute.networks.use on the project if using a legacy network
compute.subnetworks.use either on the whole project or on the chosen subnet (VPC networks)
compute.networks.useExternalIp on the project if you need to assign an external IP address (either ephemeral or static) to the instance using a legacy network
compute.subnetworks.useExternalIp either on the whole project or on the chosen subnet if you need to assign an external IP address (either ephemeral or static) to the instance using a VPC network
compute.addresses.use on the project if specifying a static address in the project
compute.instances.setMetadata if setting metadata
compute.instances.setTags on the instance if setting tags
compute.instances.setLabels on the instance if setting labels
compute.images.useReadOnly on the image if creating a new root persistent disk
compute.disks.create on the project if creating a new root persistent disk with this instance
compute.disks.useReadOnly on the disk if attaching an existing persistent disk in read-only mode
compute.disks.use on the disk if attaching an existing disk in read-write mode
compute.disks.setLabels on the disk if setting labels
compute.snapshots.create on the project to create a new snapshot if creating an instance from a snapshot
compute.snapshots.useReadOnly on the snapshot if creating an instance from a snapshot

Console

Go to the VM instances page.

Go to the VM instances page
Select your project and click Continue.
Click Create instance.
Specify a Name for your instance. See Resource naming convention.
Optional: Change the Zone for this instance. Compute Engine randomizes the list of zones within each region to encourage use across multiple zones.
Select a Machine configuration for your instance.
In the Boot disk section, click Change to configure your boot disk.
In the Public images tab, choose an operating system and version.
Click Save to confirm your boot disk options.
Select Allow HTTP traffic or Allow HTTPS traffic to permit HTTP or HTTPS traffic to the VM. When you select one of these, Compute Engine adds a network tag to your VM, which associates the firewall rule with the VM. Then, Compute Engine creates the corresponding ingress firewall rule that allows all incoming traffic on tcp:80 (HTTP) or tcp:443 (HTTPS).
To add secondary non-boot disks to your VM:
1. Click the Management, security, disks, networking, sole tenancy section.
2. Click the Disks tab.
3. Under Additional disks click Add new disk.
4. Specify a disk Name, Type, Source type, Mode, and Deletion rule.
5. Click Done.
6. Add additional disks as needed.
Optional: If you chose an OS image that supports Shielded VM features, you can modify the Shielded VM settings:
1. Click the Security tab in the Management, security, disks, networking, sole tenancy section.
2. To enable Secure Boot, select Turn on Secure Boot. Secure Boot is disabled by default.
3. To disable vTPM, clear Turn on vTPM. vTPM is enabled by default. Disabling vTPM also disables integrity monitoring because integrity monitoring relies on data gathered by Measured Boot.
4. To disable integrity monitoring, clear the Turn on Integrity Monitoring checkbox. Integrity monitoring is enabled by default.
Click the Create button to create and start the instance.

gcloud

View the list of available public OS images, which includes the name, image project, and image family by doing one of the following:
- Visiting public OS images
- Using the gcloud compute images list command
Select an image, noting the name of the image, the project containing the image, and the image family.
Optional: Determine whether the image supports Shielded VM features. To do this, run the following command, and check for UEFI_COMPATIBLE in the output:
```
gcloud compute images describe IMAGE_NAME --project IMAGE_PROJECT
```
Replace the following:
- IMAGE_NAME: Name of the image to check for support of Shielded VM features.
- IMAGE_PROJECT: Project containing the image.
Use the following gcloud compute instances create command to create a VM from the latest version of an OS image or from a specific version of an OS image, optionally with additional non-boot disks:
```
gcloud compute instances create VM_NAME
--image-family IMAGE
--image-project IMAGE_PROJECT
[--create-disk image=DISK_IMAGE,
image-project=DISK_IMAGE_PROJECT]
[,size=SIZE_GB]
[,type=DISK_TYPE]
[--shielded-secure-boot]
```
Replacing the following:
- VM_NAME: Name of the new VM.
- IMAGE: Image to create the VM from. There are two ways to specify the image:
  - Specify the family to create the VM from the most recent OS version. For example, if you specify debian-10 as the image, Compute Engine creates a VM from the latest version of the OS image in the Debian 10 image family.
  - Specify a specific version of a public OS, for example: debian-10-buster-v20200309.
- IMAGE_PROJECT: Project containing the image.
- DISK_IMAGE: Optional: Specify for each additional, up to 128, secondary non-boot disks. Specify the family to create the disk from using the most recent OS version in that family, or specify a specific image version. For blanks disks, do not specify a disk image or image project. After adding non-boot disks, you must format and mount them.
- DISK_IMAGE_PROJECT: Optional: Image project to which the disk image belongs. For blank disks, do not specify a disk image or image project.
- SIZE_GB: Optional: Size of the secondary disk.
- DISK_TYPE: Optional: Type of persistent disk, set to either pd-standard or pd-ssd.
- --shielded-secure-boot: Optional: If you chose an image that supports Shielded VM features, Compute Engine, by default, enables the virtual trusted platform module (vTPM) and integrity monitoring. Compute Engine does not enable Secure Boot by default. If you specify --shielded-secure-boot, Compute Engine creates a VM with all three Shielded VM features enabled. After Compute Engine starts your VM, to modify Shielded VM options, you must stop the VM.
Verify that Compute Engine created the VM, replacing VM_NAME with the name of the VM:
```
gcloud compute instances describe VM_NAME
```

API

View the list of available public OS images, which includes the name, image project, and image family by doing one of the following:
- Visiting public OS images
- Using the gcloud compute images list command
Select an image, noting the name of the image, the project containing the image, and the image family.
Optional: Determine whether the image supports Shielded VM features. To do this, run the following command, and check for UEFI_COMPATIBLE in the output:
```
GET https://compute.googleapis.com/compute/v1/projects/IMAGE_PROJECT/global/images/IMAGE_NAME
```
Replace the following:
- IMAGE_PROJECT: Project containing the image.
- IMAGE_NAME: Name of the image to check for support of Shielded VM features.
Use one of the following instances.insert commands to create a VM from the latest version of an OS image, from a specific version of an OS image, or to create a VM with additional non-boot disks:
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/PROJECT_ZONE/instances

{
 "machineType": "zones/MACHINE_TYPE_ZONE/machineTypes/MACHINE_TYPE",
 "name": "VM_NAME",
 "disks": [
   {
     "initializeParams": {
       "sourceImage": "projects/IMAGE_PROJECT/global/images/family/IMAGE"
     },
     "boot": true
   },
   {
     "initializeParams": {
       "sourceImage": "projects/DISK_IMAGE_PROJECT/global/images/family/DISK_IMAGE"
     },
     "boot": false
   }
 ],
 "networkInterfaces": [
   {
     "network": "global/networks/default",
     "subnetwork": "regions/SUBNETWORK_REGION/subnetworks/SUBNETWORK_NAME"
   }
 ],
 "shieldedInstanceConfig": {
   "enableSecureBoot": ENABLE_SECURE_BOOT
 }
}
```
Replacing the following:
- PROJECT_ID: ID of the project to create the VM in.
- PROJECT_ZONE: Zone to create the VM in.
- MACHINE_TYPE_ZONE: Zone containing the machine type to use for the new VM.
- MACHINE_TYPE: Machine type, predefined or custom, for the new VM.
- VM_NAME: Name of the new VM.
- IMAGE_PROJECT: Project containing the image. For example, if you specify debian-10 as the image family, specify debian-cloud as the image project.
- IMAGE: Image to create the VM from. Specify the family to create the VM from using the most recent OS version. For example, if you specify debian-10 as the image family, Compute Engine creates a VM from the latest version of the OS image in the Debian 10 image family. Alternatively, instead of specifying the family, you can specify a specific version of a public OS, for example: debian-10-buster-v20200309.
- DISK_IMAGE_PROJECT: Optional: Image project to which the disk image belongs. For blank disks, do not specify a disk image or image project.
- DISK_IMAGE: Optional: Specify for each additional, up to 128, secondary non-boot disks. Specify the family to create the disk from using the most recent OS version in that family, or specify a specific image version. For blanks disks, do not specify a disk image or image project. After adding non-boot disks, you must format and mount them.
- SUBNETWORK_REGION: Optional: Region containing the subnetwork to create the VM in if your VPC network is a custom mode VPC network.
- SUBNETWORK_NAME: Optional: Name of the subnetwork to create the VM in if your VPC network is a custom mode VPC network.
- ENABLE_SECURE_BOOT: Optional: If you chose an image that supports Shielded VM features, Compute Engine, by default, enables the virtual trusted platform module (vTPM) and integrity monitoring. Compute Engine does not enable Secure Boot by default. If you specify true for enableSecureBoot, Compute Engine creates a VM with all three Shielded VM features enabled. After Compute Engine starts your VM, to modify Shielded VM options, you must stop the VM.

Python

compute/api/create_instance.py

View on GitHub

def create_instance(compute, project, zone, name, bucket):
    # Get the latest Debian Jessie image.
    image_response = compute.images().getFromFamily(
        project='debian-cloud', family='debian-9').execute()
    source_disk_image = image_response['selfLink']

    # Configure the machine
    machine_type = "zones/%s/machineTypes/n1-standard-1" % zone
    startup_script = open(
        os.path.join(
            os.path.dirname(__file__), 'startup-script.sh'), 'r').read()
    image_url = "http://storage.googleapis.com/gce-demo-input/photo.jpg"
    image_caption = "Ready for dessert?"

    config = {
        'name': name,
        'machineType': machine_type,

        # Specify the boot disk and the image to use as a source.
        'disks': [
            {
                'boot': True,
                'autoDelete': True,
                'initializeParams': {
                    'sourceImage': source_disk_image,
                }
            }
        ],

        # Specify a network interface with NAT to access the public
        # internet.
        'networkInterfaces': [{
            'network': 'global/networks/default',
            'accessConfigs': [
                {'type': 'ONE_TO_ONE_NAT', 'name': 'External NAT'}
            ]
        }],

        # Allow the instance to access cloud storage and logging.
        'serviceAccounts': [{
            'email': 'default',
            'scopes': [
                'https://www.googleapis.com/auth/devstorage.read_write',
                'https://www.googleapis.com/auth/logging.write'
            ]
        }],

        # Metadata is readable from the instance and allows you to
        # pass configuration from deployment scripts to instances.
        'metadata': {
            'items': [{
                # Startup script is automatically executed by the
                # instance upon startup.
                'key': 'startup-script',
                'value': startup_script
            }, {
                'key': 'url',
                'value': image_url
            }, {
                'key': 'text',
                'value': image_caption
            }, {
                'key': 'bucket',
                'value': bucket
            }]
        }
    }

    return compute.instances().insert(
        project=project,
        zone=zone,
        body=config).execute()

Creating an instance from a custom image

A custom image belongs only to your project. To create an instance with a custom image, you must first have a custom image. To learn how to create a custom image, read Creating a custom image.

Permissions required for this task

To perform this task, you must have the following permissions:

compute.instances.create on the project
compute.instances.updateShieldedVmConfig if you plan to create a Shielded VM instance and you want to be able to change any of the Shielded VM settings.
compute.networks.use on the project if using a legacy network
compute.subnetworks.use either on the whole project or on the chosen subnet (VPC networks)
compute.networks.useExternalIp on the project if you need to assign an external IP address (either ephemeral or static) to the instance using a legacy network
compute.subnetworks.useExternalIp either on the whole project or on the chosen subnet if you need to assign an external IP address (either ephemeral or static) to the instance using a VPC network
compute.addresses.use on the project if specifying a static address in the project
compute.instances.setMetadata if setting metadata
compute.instances.setTags on the instance if setting tags
compute.instances.setLabels on the instance if setting labels
compute.images.useReadOnly on the image if creating a new root persistent disk
compute.disks.create on the project if creating a new root persistent disk with this instance
compute.disks.useReadOnly on the disk if attaching an existing persistent disk in read-only mode
compute.disks.use on the disk if attaching an existing disk in read-write mode
compute.disks.setLabels on the disk if setting labels
compute.snapshots.create on the project to create a new snapshot if creating an instance from a snapshot
compute.snapshots.useReadOnly on the snapshot if creating an instance from a snapshot

Console

Go to the VM instances page.
Go to the VM Instances page
Select your project and click Continue.
Click the Create instance button.
Specify a Name for your instance. See Resource naming convention.
Optionally, change the Zone for this instance.

Note: The list of zones is randomized within each region to encourage use across multiple zones.
Select a Machine configuration for your instance.
In the Boot disk section, click Change to configure your boot disk.
Create a boot disk no larger than 2 TB to account for the limitations of MBR partitions.
Select the Custom Images tab.
Make sure your project is selected in the drop-down list.
Choose the image you want and click the Select button.
To permit HTTP or HTTPS traffic to the VM instance, select Allow HTTP traffic or Allow HTTPS traffic.

The Cloud Console adds a network tag to your instance and creates the corresponding ingress firewall rule that allows all incoming traffic on tcp:80 (HTTP) or tcp:443 (HTTPS). The network tag associates the firewall rule with the instance. For more information, see Firewall rules overview in the Virtual Private Cloud documentation.
To add secondary non-boot disks to your VM instance:
1. Click Management, security, disks, networking, sole tenancy.
2. Select the Disks tab.
3. Under Additional disks, click Add new disk.
4. Specify a disk Name, Type, Source type, Mode, and Deletion rule.
5. Click Done.
6. Add additional disks as needed.
Click the Create button to create and start the instance.

gcloud

Run the gcloud compute instances create command to create an instance with a custom image:

gcloud compute instances create [INSTANCE_NAME] \
--image [IMAGE_NAME] \
--image-family [IMAGE_FAMILY]

where:

[INSTANCE_NAME] is the instance name.
[IMAGE_NAME] is the name of the image.
[IMAGE] is an optional field. Use a private or public image. If no image is specified, the disk is blank.

If you created your custom images as part of an image family, specify that image family instead of the image name. By doing so, the instance automatically uses the most recent, non-deprecated image in the image family.

You can add up to 128 secondary non-boot disks while you're creating your instance. Specify the --create-disk flag for each secondary disk you create. To create secondary disks from a public or stock image, specify the image and image-project properties in the --create-disk flag. To create a blank disk, don't include these properties. Optionally, include properties for the disk size and type.

gcloud compute instances create [INSTANCE_NAME] \
  --image-family [IMAGE_FAMILY] \
  --image-project [IMAGE_PROJECT] \
  --create-disk image=[DISK_IMAGE],image-project=[DISK_IMAGE_PROJECT],size=[SIZE_GB],type=[DISK_TYPE]

where:

[INSTANCE_NAME] is the name for the new instance.
[IMAGE_FAMILY] is one of the available image families.
[IMAGE_PROJECT] is the image project to which the image belongs.
[DISK_IMAGE] is the source image for the secondary disk. For a list of available images, run gcloud compute images list. For blanks disks, do not specify a disk image or image project.
[DISK_IMAGE_PROJECT] is the image project to which the disk image belongs. For blank disks, do not specify a disk image or image project.
[SIZE_GB] is the size of the secondary disk.
[DISK_TYPE] is the type of persistent disk, either pd-standard or pd-ssd.

Format and mount the disks before using them.

API

The process for creating an instance with a custom image in the API is the same as if you were creating an instance with a publicly available image. In the sourceImage URI, provide your own project ID and the image name.

You can create up to 128 secondary non-boot disks at the time you create a VM instance by using the initializeParams property for each additional disk. Create additional disks with a public or private image. To add a blank disk, define the initializeParams entry with no sourceImage value.

...
"initializeParams" :{
   "sourceImage": "global/images/[IMAGE_NAME]"
},
{
"initializeParams": {
   "diskSizeGb": "[SIZE_GB]",
   "sourceImage": "[IMAGE]",
   "diskType": "[DISK_TYPE]"
 },
 {
 "initializeParams": {
 "diskSizeGb": "[SIZE_GB]",
 "diskType": "[DISK_TYPE]"
 }
}...]

where:

[PROJECT_ID] is your project ID.
[IMAGE_NAME] is the specific image such as debian-9-stretch-v20170619. Alternatively, you can specify an image family. For example, family/debian-9 returns the latest version of the Debian 9 image.
[IMAGE] is the source image for the secondary disk. For blank disks do not specify an image source.
[SIZE_GB] is the disk size.
[DISK_TYPE] is the type of persistent disk, either pd-standard or pd-ssd.

Format and mount the disks before using them.

Creating an instance with an image shared with you

If another user has shared an image with you, you can use the image to create a new instance.

Permissions required for this task

To perform this task, you must have the following permissions:

compute.instances.create on the project
compute.instances.updateShieldedVmConfig if you plan to create a Shielded VM instance and you want to be able to change any of the Shielded VM settings.
compute.networks.use on the project if using a legacy network
compute.subnetworks.use either on the whole project or on the chosen subnet (VPC networks)
compute.networks.useExternalIp on the project if you need to assign an external IP address (either ephemeral or static) to the instance using a legacy network
compute.subnetworks.useExternalIp either on the whole project or on the chosen subnet if you need to assign an external IP address (either ephemeral or static) to the instance using a VPC network
compute.addresses.use on the project if specifying a static address in the project
compute.instances.setMetadata if setting metadata
compute.instances.setTags on the instance if setting tags
compute.instances.setLabels on the instance if setting labels
compute.images.useReadOnly on the image if creating a new root persistent disk
compute.disks.create on the project if creating a new root persistent disk with this instance
compute.disks.useReadOnly on the disk if attaching an existing persistent disk in read-only mode
compute.disks.use on the disk if attaching an existing disk in read-write mode
compute.disks.setLabels on the disk if setting labels
compute.snapshots.create on the project to create a new snapshot if creating an instance from a snapshot
compute.snapshots.useReadOnly on the snapshot if creating an instance from a snapshot

Console

Go to the VM instances page.
Go to the VM instances page
Select your project and click Continue.
Click the Create instance button.
Specify a Name for your instance. See Resource naming convention.
Optionally, change the Zone for this instance.

Note: The list of zones is randomized within each region to encourage use across multiple zones.
Select a Machine configuration for your instance.
In the Boot disk section, click Change to configure your boot disk.

Create a boot disk no larger than 2 TB to account for the limitations of MBR partitions.
Select the Custom Images tab.
Select the image project from the drop-down list.
Choose the image you want and click the Select button.
To permit HTTP or HTTPS traffic to the VM instance, select Allow HTTP traffic or Allow HTTPS traffic.

The Cloud Console adds a network tag to your instance and creates the corresponding ingress firewall rule that allows all incoming traffic on tcp:80 (HTTP) or tcp:443 (HTTPS). The network tag associates the firewall rule with the instance. For more information, see Firewall rules overview in the Virtual Private Cloud documentation.
To add secondary non-boot disks to your VM instance:
1. Click Management, security, disks, networking, sole tenancy.
2. Select the Disks tab.
3. Under Additional disks, click Add new disk.
4. Specify a disk Name, Type, Source type, Mode, and Deletion rule.
5. Click Done.
6. Add additional disks as needed.
Click the Create button to create and start the instance.

gcloud

Create an instance by using the gcloud compute instances create command, and use the --image and --image-project flag to specify the image name and the project where the image resides:

gcloud compute instances create [INSTANCE_NAME] \
    --image [IMAGE] \
    --image-project [IMAGE_PROJECT]

where:

[INSTANCE_NAME] is the name for the new instance.
[IMAGE] is the name of the image.
[IMAGE_PROJECT] is the project to which the image belongs.

If the command is successful, gcloud responds with the properties of the new instance:

Created [https://compute.googleapis.com/compute/v1/projects/myproject/zones/us-central1-b/instances/example-instance].
NAME                 ZONE           MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
example-instance     us-central1-b  n1-standard-1               10.240.0.4   104.198.53.60  RUNNING

You can add up to 128 secondary non-boot disks while you are creating your instance. Specify the --create-disk flag for each secondary disk you create. To create secondary disks from a public or stock image, specify the image and image-project properties in the --create-disk flag. To create a blank disk, do not include these properties. Optionally, include properties for the disk size and type.

gcloud compute instances create [INSTANCE_NAME] \
--image-family [IMAGE_FAMILY] \
--image-project [IMAGE_PROJECT] \
--create-disk image=[DISK_IMAGE],image-project=[DISK_IMAGE_PROJECT],size=[SIZE_GB],type=[DISK_TYPE]

where:

[INSTANCE_NAME] is the name for the new instance.
[IMAGE_FAMILY] is one of the available image families.
[IMAGE_PROJECT] is the image project to which the image belongs.
[DISK_IMAGE] is the source image for the secondary disk. For a list of available images, run gcloud compute images list. For blanks disks, do not specify a disk image or image project.
[DISK_IMAGE_PROJECT] is the image project to which the disk image belongs. For blanks disks, do not specify a disk image or image project.
[SIZE_GB] is the size of the secondary disk.
[DISK_TYPE] is the type of persistent disk, either pd-standard or pd-ssd.

Format and mount the disks before using them.

API

Follow the API instructions to create an instance from a public image but specify the image field in the request body. You can add up to 128 secondary non-boot disks by specifying the initializeParams field for every additional disk. To add blank disks, do not specify an image source. Optionally, you can specify the diskSizeGb, diskType, and labels properties.

[...
image: "projects/[PROJECT_ID]/global/images/[IMAGE_NAME]

{
 "initializeParams": {
    "diskSizeGb": "[SIZE_GB]",
    "sourceImage": "[IMAGE]"
       }
 }
 ...]

where:

[PROJECT_ID] is the project containing the image.
[IMAGE_NAME] is the source image.
[SIZE_GB] is the disk size.
[IMAGE] is the source image for the secondary disk. For blank disks do not specify an image source.

Format and mount the disks before using them.

Creating a VM instance from a snapshot

If you backed up a boot persistent disk with a snapshot, you can use that snapshot to create an instance.

Keep in mind that if you plan to create many instances from the same boot disk snapshot, consider creating a custom image and creating instances from that image instead. Custom images can create the boot disks for your instances more quickly and efficiently than snapshots.

Creating a new VM instance boot disk from a snapshot

You can restore a snapshot of a boot disk to a new boot disk when you create a new instance.

Permissions required for this task

To perform this task, you must have the following permissions:

compute.instances.create on the project
compute.instances.updateShieldedVmConfig if you plan to create a Shielded VM instance and you want to be able to change any of the Shielded VM settings.
compute.networks.use on the project if using a legacy network
compute.subnetworks.use either on the whole project or on the chosen subnet (VPC networks)
compute.networks.useExternalIp on the project if you need to assign an external IP address (either ephemeral or static) to the instance using a legacy network
compute.subnetworks.useExternalIp either on the whole project or on the chosen subnet if you need to assign an external IP address (either ephemeral or static) to the instance using a VPC network
compute.addresses.use on the project if specifying a static address in the project
compute.instances.setMetadata if setting metadata
compute.instances.setTags on the instance if setting tags
compute.instances.setLabels on the instance if setting labels
compute.images.useReadOnly on the image if creating a new root persistent disk
compute.disks.create on the project if creating a new root persistent disk with this instance
compute.disks.useReadOnly on the disk if attaching an existing persistent disk in read-only mode
compute.disks.use on the disk if attaching an existing disk in read-write mode
compute.disks.setLabels on the disk if setting labels
compute.snapshots.create on the project to create a new snapshot if creating an instance from a snapshot
compute.snapshots.useReadOnly on the snapshot if creating an instance from a snapshot

Console

Go to the VM instances page.
Go to the VM instances page
Select your project and click Continue.
Click the Create instance button.
Specify a Name for your instance. See Resource naming convention.
Optionally, change the Zone for this instance.

Note: The list of zones is randomized within each region to encourage use across multiple zones.
Select a Machine configuration for your instance.
In the Boot disk section, click Change to configure your boot disk.

Create a boot disk no larger than 2 TB to account for the limitations of MBR partitions.
Click the Snapshots tab and choose a snapshot from the list.
Click Select.
To permit HTTP or HTTPS traffic to the VM instance, select Allow HTTP traffic or Allow HTTPS traffic.

The Cloud Console adds a network tag to your instance and creates the corresponding ingress firewall rule that allows all incoming traffic on tcp:80 (HTTP) or tcp:443 (HTTPS). The network tag associates the firewall rule with the instance. For more information, see Firewall rules overview in the Virtual Private Cloud documentation.
To add secondary non-boot disks to your VM instance:
1. Click Management, security, disks, networking, sole tenancy.
2. Select the Disks tab.
3. Under Additional disks, click Add new disk.
4. Specify a disk Name, Type, Source type, Mode, and Deletion rule.
5. Click Done.
6. Add additional disks as needed.
Click the Create button to create and start the instance.

gcloud

Use the gcloud compute instances create command and include the --source-snapshot flag:

gcloud compute instances create [INSTANCE_NAME] \
    --source-snapshot [BOOT_SNAPSHOT_NAME] \
    --boot-disk-size [BOOT_DISK_SIZE] \
    --boot-disk-type [BOOT_DISK_TYPE] \
    --boot-disk-device-name [BOOT_DISK_NAME]

where:

[INSTANCE_NAME] is the name for the new instance.
[BOOT_SNAPSHOT_NAME] is the name of the boot disk snapshot that you want to restore to the boot disk of the new instance.
[BOOT_DISK_NAME] is the name of the new boot disk for this instance.
[BOOT_DISK_SIZE] is the size, in gigabytes, of the new boot disk. The size must be equal to or larger than the size of the source disk from which the snapshot was made. This property is optional.
[BOOT_DISK_TYPE] is the type of persistent disk, either pd-standard or pd-ssd. This flag is optional.

Optionally, if you also want to a restore non-boot snapshot, append the --create-disk flag and specify a source-snapshot. Repeat the --create-disk flag to create a non-boot disk for each snapshot that you want to restore. When creating an instance, you can add up to 15 non-boot disks.

--create-disk source-snapshot=[SNAPSHOT_NAME],name=[DISK_NAME],size=[DISK_SIZE],type=[DISK_TYPE]

where:

[SNAPSHOT_NAME] is the name of a non-boot snapshot that you want to restore.
[DISK_NAME] is the name of a new non-boot disk for this instance.
[DISK_SIZE] is the size, in gigabytes, of the new disk. The size must be equal to or larger than the size of the source disk from which the snapshot was made. This property is optional.
[DISK_TYPE] is the type of persistent disk, either pd-standard or pd-ssd. This flag is optional.

API

When you use the API to create an instance from a snapshot, the following restrictions apply:

Only one persistent disk can be used as the boot persistent disk.
You must attach the boot persistent disk as the first disk for that instance.
If you specify the source property, you cannot also specify the initializeParams property. Providing a source indicates that the boot persistent disk exists already, but the initializeParams property indicates that Compute Engine should create a new boot persistent disk.

To create an instance from a boot disk snapshot, specify the sourceSnapshot field under the disks property. Optionally, specify the diskSizeGb and diskType properties for the new boot disk:

POST https://compute.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances
{
  "name": "[INSTANCE_NAME]",
  "machineType": "machineTypes/[MACHINE_TYPE]"
  "networkInterfaces": [{
    "accessConfigs": [{
      "type": "ONE_TO_ONE_NAT",
      "name": "External NAT"
    }],
    "network": "global/networks/default"
  }],
  "disks": [{
     "boot": true,
     "initializeParams": {
       "sourceSnapshot": "global/snapshots/[BOOT_SNAPSHOT_NAME]",
       "diskSizeGb": "[BOOT_DISK_SIZE]",
       "diskType": "[BOOT_DISK_TYPE]"
    }
   }],
 }

where:

[PROJECT_ID] is your project ID.
[ZONE] is the zone where you want to create the new instance.
[INSTANCE_NAME] is the name of the instance that you want to restore a snapshot to.
[MACHINE_TYPE] is the machine type of the instance.
[BOOT_SNAPSHOT_NAME] is the name of the snapshot that you want to use to create the boot disk of a new instance.
[BOOT_DISK_SIZE] is the size, in gigabytes, for the new boot disk. The size must be equal to or larger than the size of the source disk from which the snapshot was made. This property is optional.
[BOOT_DISK_TYPE] is the type of the boot disk, either pd-standard or pd-ssd. This property is optional.

Restore non-boot snapshots to a new instance

Non-boot snapshots are backups of secondary persistent disks that your instance uses only for data storage. You can restore non-boot snapshots to new disks whenever you create a new instance. Alternatively, you can also restore non-boot snapshots to an existing instance.

To restore non-boot snapshots to a new instance, follow these additional steps when you create an instance.

Permissions required for this task

To perform this task, you must have the following permissions:

compute.instances.create on the project
compute.instances.updateShieldedVmConfig if you plan to create a Shielded VM instance and you want to be able to change any of the Shielded VM settings.
compute.networks.use on the project if using a legacy network
compute.subnetworks.use either on the whole project or on the chosen subnet (VPC networks)
compute.networks.useExternalIp on the project if you need to assign an external IP address (either ephemeral or static) to the instance using a legacy network
compute.subnetworks.useExternalIp either on the whole project or on the chosen subnet if you need to assign an external IP address (either ephemeral or static) to the instance using a VPC network
compute.addresses.use on the project if specifying a static address in the project
compute.instances.setMetadata if setting metadata
compute.instances.setTags on the instance if setting tags
compute.instances.setLabels on the instance if setting labels
compute.images.useReadOnly on the image if creating a new root persistent disk
compute.disks.create on the project if creating a new root persistent disk with this instance
compute.disks.useReadOnly on the disk if attaching an existing persistent disk in read-only mode
compute.disks.use on the disk if attaching an existing disk in read-write mode
compute.disks.setLabels on the disk if setting labels
compute.snapshots.create on the project to create a new snapshot if creating an instance from a snapshot
compute.snapshots.useReadOnly on the snapshot if creating an instance from a snapshot

Console

When restoring non-boot snapshots to a new instance from the console, first create a disk from each snapshot. Then, attach the new disks when you create the new instance.

Restore each non-boot snapshot to a new disk.
1. Go to the Disks page.
  Go to the Disks page
2. Click Create disk.
3. Specify a Name for your disk. See Resource naming convention.
4. Select the Region and Zone for this disk.
  
  Note: You can only attach a disk to an instance if both are located in the same zone.
5. Select a disk Type.
6. Under Source type, select Snapshot.
7. Under the new Source snapshot field, select a non-boot snapshot that you want to restore to the new disk.
8. Click Create to create the disk.
9. Repeat these steps to create a disk from each snapshot that you want to restore. When creating an instance, you can add up to 15 secondary non-boot disks.
Go to the VM instances page.
Go to the VM instances page
Click Create instance.
Specify a Name for your instance. See Resource naming convention.
Select the Region and Zone for this instance.

Note: You can only attach a disk to an instance if both are located in the same zone.
Select a Machine type for your instance.
If you want to allow incoming external traffic, change the Firewall rules for the instance.
To attach disks to the instance:
1. Click Management, security, disks, networking, sole tenancy.
2. Select the Disks tab.
3. Under Additional disks, click Attach existing disk.
4. Under the new Disk field, select a disk to attach to this instance.
5. Specify a Mode and Deletion rule for the disk.
6. Click Done.
7. Repeat these steps for each disk that you want to attach. When creating an instance, you can add up to 15 secondary non-boot disks.
Click Create to create and start the instance.
Format and mount the attached disks before using them.

gcloud

Create a new instance using the gcloud compute instances create command. For each non-boot snapshot that you want to restore, include the --create-disk flag, and specify a source-snapshot. When creating an instance, you can add up to 15 secondary non-boot disks.

For example, to restore two non-boot snapshots to a new instance, use the following command:

gcloud compute instances create \
    --create-disk source-snapshot=[SNAPSHOT_1_NAME],name=[DISK_1_NAME],size=[DISK_1_SIZE],type=[DISK_1_TYPE] \
    --create-disk source-snapshot=[SNAPSHOT_2_NAME],name=[DISK_2_NAME],size=[DISK_2_SIZE],type=[DISK_2_TYPE]

where:

[SNAPSHOT_1_NAME] and [SNAPSHOT_2_NAME] are the names of non-boot snapshots that you want to restore.
[DISK_1_NAME] and [DISK_2_NAME] are the names of the new non-boot disks for this instance.
[DISK_1_SIZE] and [DISK_2_SIZE] are the sizes, in gigabytes, of each new non-boot disk. The size must be equal to or larger than the size of the source disk from which the snapshot was made. This property is optional.
[DISK_1_TYPE] and [DISK_2_TYPE] are the types of persistent disks, either pd-standard or pd-ssd. This flag is optional.

API

When using the API to restore a non-boot snapshot to a new instance, the following restrictions apply:

Only one persistent disk can be the boot persistent disk.
You must attach the boot persistent disk as the first disk for that instance.
If you specify the source property, you can't also specify the initializeParams property. Providing a source indicates that the boot persistent disk exists already, but the initializeParams property indicates that Compute Engine should create a new boot persistent disk.

Using the beta API, specify the sourceSnapshot field under the initializeParams property. You can add up to 15 secondary non-boot disks by repeating the initializeParams property for every non-boot disk that you want to create. Optionally, you can specify the diskSizeGb and diskType properties for any of the disks that you create.

For example, to restore two non-boot snapshots to a new instance, make the following request:

POST https://compute.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances
{
  "name": "[INSTANCE_NAME]",
  "machineType": "machineTypes/[MACHINE_TYPE]"
  "networkInterfaces": [{
    "accessConfigs": [{
      "type": "ONE_TO_ONE_NAT",
      "name": "External NAT"
    }],
    "network": "global/networks/default"
  }],
  "disks": [{
     "autoDelete": "true",
     "boot": "true",
     "type": "PERSISTENT",
     "diskSizeGb": "[DISK_SIZE]",
     "diskType": "[DISK_TYPE]"
   },
   {
     "initializeParams": {
        "sourceSnapshot": "global/snapshots/[SNAPSHOT_1_NAME]",
        "diskSizeGb": "[DISK_SIZE]",
        "diskType": "[DISK_TYPE]"
     }
   },
   {
     "initializeParams": {
        "sourceSnapshot": "global/snapshots/[SNAPSHOT_2_NAME]",
        "diskSizeGb": "[DISK_SIZE]",
        "diskType": "[DISK_TYPE]"
     }
  }]
 }

where:

[PROJECT_ID] is your project ID.
[ZONE] is the zone where you want to create the new instance.
[INSTANCE_NAME] is the name of the instance that you want to restore a snapshot to.
[MACHINE_TYPE] is the machine type of the instance.
[SNAPSHOT_1_NAME] and [SNAPSHOT_2_NAME] are the names of the non-boot snapshots that you want to restore to new, non-boot disks on the new instance.
[DISK_SIZE] is the size, in gigabytes, of the corresponding disk. This property is optional, but must be equal to or larger than the size of the source disk from which the snapshot was made.
[DISK_TYPE] is the type of the corresponding persistent disk, either pd-standard or pd-ssd. This property is optional.

Creating an instance from a container image

To deploy and launch a container on a Compute Engine instance, specify a container image name and optional configuration parameters when you create the instance. Compute Engine creates the instance using the latest version of the Container-optimized OS public image, which has Docker installed. Then, Compute Engine launches the container when the VM starts. See Deploying containers on VMs for more information.

Permissions required for this task

To perform this task, you must have the following permissions:

compute.instances.create on the project
compute.instances.updateShieldedVmConfig if you plan to create a Shielded VM instance and you want to be able to change any of the Shielded VM settings.
compute.networks.use on the project if using a legacy network
compute.subnetworks.use either on the whole project or on the chosen subnet (VPC networks)
compute.networks.useExternalIp on the project if you need to assign an external IP address (either ephemeral or static) to the instance using a legacy network
compute.subnetworks.useExternalIp either on the whole project or on the chosen subnet if you need to assign an external IP address (either ephemeral or static) to the instance using a VPC network
compute.addresses.use on the project if specifying a static address in the project
compute.instances.setMetadata if setting metadata
compute.instances.setTags on the instance if setting tags
compute.instances.setLabels on the instance if setting labels
compute.images.useReadOnly on the image if creating a new root persistent disk
compute.disks.create on the project if creating a new root persistent disk with this instance
compute.disks.useReadOnly on the disk if attaching an existing persistent disk in read-only mode
compute.disks.use on the disk if attaching an existing disk in read-write mode
compute.disks.setLabels on the disk if setting labels
compute.snapshots.create on the project to create a new snapshot if creating an instance from a snapshot
compute.snapshots.useReadOnly on the snapshot if creating an instance from a snapshot

Console

Go to the VM instances page.
Go to the VM instances page
Click Create instance.
Specify a Name for your instance. See Resource naming convention.
In the Container section, select the Deploy a container image to this VM instance checkbox.
Specify the Container image to use.
- For example, you can specify gcr.io/cloud-marketplace/google/nginx1:1.12 to select an NGINX 1.12 container image from Cloud Launcher.
- If you use a container image from Docker Hub, always specify the full Docker image name. For example, specify the following image name to deploy an Apache container image: docker.io/httpd:2.4.
Optionally, click Advanced container options. For more information, see Configuring options to run your container.
Click Create to create the instance, boot the instance, and launch the container.

gcloud

Run the gcloud compute instances create-with-container command:

gcloud compute instances create-with-container [INSTANCE_NAME] \
     --container-image [CONTAINER_IMAGE]

where:

[INSTANCE_NAME] is the name for the new instance.
[CONTAINER_IMAGE] is the name of the container image.

For example, the following command creates a VM instance named nginx-vm, which launches and runs the container image, gcr.io/cloud-marketplace/google/nginx1:1.12.

gcloud compute instances create-with-container nginx-vm \
    --container-image gcr.io/cloud-marketplace/google/nginx1:1.12

When using a container image from Docker Hub, you must always specify a full Docker image name. For example, specify the following image name to deploy an Apache container image: docker.io/httpd:2.4.

Creating an instance with access to other Google Cloud Services

If you plan to run an app on your VM instance that needs access to other Google Cloud services, create a service account before creating the instance, and then follow the instructions to set up an instance to run as a service account. A service account is a special account whose credentials you can use in your application code to access other Google Cloud services.

For more information about service accounts, read the Service accounts overview.

Creating an instance in a specific subnet

Permissions required for this task

To perform this task, you must have the following permissions:

compute.instances.create on the project
compute.instances.updateShieldedVmConfig if you plan to create a Shielded VM instance and you want to be able to change any of the Shielded VM settings.
compute.networks.use on the project if using a legacy network
compute.subnetworks.use either on the whole project or on the chosen subnet (VPC networks)
compute.networks.useExternalIp on the project if you need to assign an external IP address (either ephemeral or static) to the instance using a legacy network
compute.subnetworks.useExternalIp either on the whole project or on the chosen subnet if you need to assign an external IP address (either ephemeral or static) to the instance using a VPC network
compute.addresses.use on the project if specifying a static address in the project
compute.instances.setMetadata if setting metadata
compute.instances.setTags on the instance if setting tags
compute.instances.setLabels on the instance if setting labels
compute.images.useReadOnly on the image if creating a new root persistent disk
compute.disks.create on the project if creating a new root persistent disk with this instance
compute.disks.useReadOnly on the disk if attaching an existing persistent disk in read-only mode
compute.disks.use on the disk if attaching an existing disk in read-write mode
compute.disks.setLabels on the disk if setting labels
compute.snapshots.create on the project to create a new snapshot if creating an instance from a snapshot
compute.snapshots.useReadOnly on the snapshot if creating an instance from a snapshot

By default, Google Cloud creates an auto mode VPC network called default for each project. If you create an instance without specifying its network details, Compute Engine uses the default VPC network and the auto subnet that is in the same region as the instance.

To use a different network or a subnet that you manually created in an auto mode or custom mode VPC network, you must specify the subnet when you create the instance.

Console

Go to the VM instances page.
Go to the VM Instances page
Select your project and click Continue.
Click the Create instance button.
Specify a Name for your instance. See Resource naming convention.
Optionally, change the Zone for this instance.

Note: The list of zones is randomized within each region to encourage use across multiple zones.
To permit HTTP or HTTPS traffic to the VM instance, select Allow HTTP traffic or Allow HTTPS traffic.

The Cloud Console adds a network tag to your instance and creates the corresponding ingress firewall rule that allows all incoming traffic on tcp:80 (HTTP) or tcp:443 (HTTPS). The network tag associates the firewall rule with the instance. For more information, see Firewall rules overview in the Virtual Private Cloud documentation.
Expand the Management, security, disks, networking, sole tenancy section.
Under Network interfaces in the Networking tab, specify the network details.
1. In the Network field, select the VPC network that contains the subnet you created.
2. In the Subnet field, select the subnet that the instance will use.
To add secondary non-boot disks to your VM instance:
1. Click Management, security, disks, networking, sole tenancy.
2. Select the Disks tab.
3. Under Additional disks, click Add new disk.
4. Specify a disk Name, Type, Source type, Mode, and Deletion rule.
5. Click Done.
6. Add additional disks as needed.
Click the Create button to create and start the instance.

gcloud

Using the gcloud command-line tool, follow the same instructions to create an instance from an image or a snapshot, and add the --subnet [SUBNET_NAME] and --zone [ZONE_NAME] flags when you run the gcloud compute instances create command:

gcloud compute instances create [INSTANCE_NAME] --subnet [SUBNET_NAME] \
--zone [ZONE_NAME]

where:

[INSTANCE_NAME] is the name of the instance.
[SUBNET_NAME] is the name of the subnet. The network is inferred from the specified subnet.
[ZONE_NAME] is the name of the zone where the instance is created, such as europe-west1-b. The instance's region is inferred from the zone.

gcloud compute instances create [INSTANCE_NAME] \
--subnet [SUBNET_NAME] \
--zone [ZONE_NAME] \
--image-family [IMAGE_FAMILY] \
--image-project [IMAGE_PROJECT] \
--create-disk image=[DISK_IMAGE],image-project=[DISK_IMAGE_PROJECT],size=[SIZE_GB],type=[DISK_TYPE]

where:

[INSTANCE_NAME] is the name for the new instance.
[SUBNET_NAME] is the name of the subnet.
[ZONE_NAME] is the name of the zone where the instance is created, such as europe-west1-b.
[IMAGE_FAMILY] is one of the available image families.
[IMAGE_PROJECT] is the image project to which the image belongs.
[DISK_IMAGE] is the source image for the secondary disk. For a list of available images, run gcloud compute images list. For blank disks, do not specify a disk image or image project.
[DISK_IMAGE_PROJECT] is the image project to which the disk image belongs. For blank disks, do not specify a disk image or image project.
[SIZE_GB] is the size of the secondary disk.
[DISK_TYPE] is the type of persistent disk, either pd-standard or pd-ssd.

Format and mount the disks before using them.

API

Follow the API instructions to create an instance from an image or a snapshot, but specify the subnet field in the request body. To add up to 128 secondary non-boot disks, use the initializeParams property for every disk you create. To add blank disks, do not add a source image. Optionally, you can specify the diskSizeGb, diskType, and labels properties.

...
"networkInterfaces": [
{
  "network": "global/networks/[NETWORK_NAME]",
  "subnetwork": "regions/[REGION]/subnetworks/[SUBNET_NAME]",
  "accessConfigs":
    {
      "name": "External NAT",
      "type": "ONE_TO_ONE_NAT"
    }
    {
      "initializeParams": {
         "diskSizeGb": "[SIZE_GB]",
         "sourceImage": "[IMAGE]"
    {
      "initializeParams": {
      "diskSizeGb": "[SIZE_GB]"
     }
 }...]

where:

[IMAGE] is the source image for the secondary disk. For blank disks don't specify an image source.
[SIZE_GB] is the disk size.
[DISK_TYPE] is the type of persistent disk, either pd-standard or pd-ssd.

Format and mount the disks before using them.

What's next?

Check the instance's status to see when it's ready to use.
Learn how to use snapshots to back up your persistent disks.
Learn more about images.
Learn more about containers.
Create and attach a secondary storage disk to your instance to store your data separately from the boot disk.
Create and start Windows Server or SQL Server instances.
Refer to the gcloud compute instances create command.
Learn how to reserve resources in a specific zone.
Connect to your instance.