This document describes how to check whether nested virtualization is enabled, and how to modify the boolean constraint that controls whether nested virtualization is enabled for your organization, project, or folder.
A boolean constraint within an organization policy determines whether you can create nested VMs. The boolean constraint for nested virtualization is a restriction, which means that when it is enforced, it tells the organization policy to restrict the creation of nested VMs. For more information about boolean constraints, see Understanding constraints.
The Disable VM nested virtualization constraint is not enforced by default, so you do not have to modify any boolean constraint to enable nested virtualization. Even so, Google recommends explicitly setting the value of the constraint so that your organization, folders, and projects don't rely on the default setting. If your project is not subordinate to an organization, the constraint is not enforced by default and you can't change the constraint.
Before you begin
If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
- Install the Google Cloud CLI, then initialize it by running the following command:
    gcloud init
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
    gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Check whether nested virtualization is allowed
Check whether nested virtualization is allowed for an organization, folder, or project by using the Google Cloud console, the Google Cloud CLI, or REST.
Console
Check whether you can create nested VMs in your organization, folder, or project by checking if the boolean constraint for disabling nested virtualization is not enforced. If the Disable VM nested virtualization constraint is not enforced by the organization policy, then you can create nested VMs.
1. In the Google Cloud console, go to the Organization policies page.
2. In the organization, folder, and project selector, select the entity to view the organization policies for.
3. Select the Disable VM nested virtualization constraint to open the Policy details page.
4. View the value for Enforcement:
   - If the value is Not enforced, then nested virtualization is enabled, and you can create nested VMs.
   - If the value is Enforced, then nested virtualization is disabled, and you can't create nested VMs.
gcloud
Check the value of the compute.disableNestedVirtualization boolean constraint by using the gcloud resource-manager org-policies describe command.
If the Google Cloud CLI output does not show a value for booleanPolicy, then nested virtualization is allowed and you can create nested VMs.
If the Google Cloud CLI output value for booleanPolicy is enforced: true, then the organization policy is enforcing the disable nested virtualization constraint and you can't create nested VMs.
gcloud resource-manager org-policies \
    describe constraints/compute.disableNestedVirtualization \
    (--organization=ORGANIZATION_ID | --folder=FOLDER_ID | --project=PROJECT_ID) --effective
Replace exactly one of the following:
- ORGANIZATION_ID: the ID of the organization to get the constraint value of. For a list of accessible organizations and their IDs, run the gcloud organizations list command.
- FOLDER_ID: the ID of the folder to get the constraint value of. For a list of accessible folders and their IDs, run the gcloud resource-manager folders list command.
- PROJECT_ID: the ID of the project to get the constraint value of. For a list of accessible projects and their IDs, run the gcloud projects list command.
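An added example, not from the original documentation: a shell helper that applies the rule above to the YAML printed by the describe command and reports each project as blocked, allowed, or unknown. The function names and the sample outputs are constructed for illustration, and the audit loop assumes the gcloud CLI is installed and authenticated.

```shell
#!/bin/sh
# Added example: classify the effective compute.disableNestedVirtualization
# policy from the YAML that `gcloud ... describe --effective` prints.

# Reads policy YAML on stdin; prints "blocked" when booleanPolicy contains
# enforced: true, otherwise "allowed" (no value shown for booleanPolicy).
classify_policy() {
  awk '
    /^booleanPolicy:/ { in_bp = 1 }                # booleanPolicy mapping starts
    /^[^ ]/ && !/^booleanPolicy:/ { in_bp = 0 }    # another top-level key ends it
    in_bp && /enforced:[ ]*true/ { blocked = 1 }
    END { print (blocked ? "blocked" : "allowed") }
  '
}

# Prints "PROJECT_ID<TAB>state" for each project ID passed as an argument.
# A failed lookup is reported as "unknown" instead of silently as "allowed".
audit_projects() {
  for project in "$@"; do
    if out=$(gcloud resource-manager org-policies describe \
        constraints/compute.disableNestedVirtualization \
        --project="$project" --effective 2>/dev/null); then
      state=$(printf '%s\n' "$out" | classify_policy)
    else
      state=unknown
    fi
    printf '%s\t%s\n' "$project" "$state"
  done
}

# Constructed sample outputs (assumed shape, not captured from a real project).
SAMPLE_ENFORCED='booleanPolicy:
  enforced: true
constraint: constraints/compute.disableNestedVirtualization'
SAMPLE_DEFAULT='booleanPolicy: {}
constraint: constraints/compute.disableNestedVirtualization'

printf '%s\n' "$SAMPLE_ENFORCED" | classify_policy
printf '%s\n' "$SAMPLE_DEFAULT" | classify_policy
```

To audit real projects, call audit_projects with the project IDs to check; any project reported as allowed or unknown is a candidate for an explicit policy setting.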
REST
Use REST to check the value of the compute.disableNestedVirtualization boolean constraint, which determines whether you can create nested VMs in your organization, folder, or project.
If the REST response doesn't return a value for "booleanPolicy" for the constraint, then nested virtualization is not disabled and you can create nested VMs.
If the value for "booleanPolicy" in the output is "enforced": true, then nested virtualization is disabled and you can't create nested VMs.
POST https://cloudresourcemanager.googleapis.com/v1/RESOURCE/RESOURCE_ID:getOrgPolicy

{
  "constraint": "compute.disableNestedVirtualization"
}
Replace the following:
- RESOURCE: the resource to get the organization policy for. Set to one of the following:
  - organizations: calls the organizations.getOrgPolicy method
  - folders: calls the folders.getOrgPolicy method
  - projects: calls the projects.getOrgPolicy method
- RESOURCE_ID: the organization, folder, or project on which to check the status of the disable nested virtualization constraint
Modify the nested virtualization organization policy
If you have the appropriate role, you can control whether an organization, folder, or project can create nested VMs. Control this enforcement by using the boolean constraint for nested virtualization.
Use the Google Cloud console, the Google Cloud CLI, or REST to enable nested virtualization for an organization, folder, or project.
Console
To enable nested virtualization, disable the enforcement of the Disable VM nested virtualization boolean constraint, and to disable nested virtualization, enable the enforcement of the boolean constraint.
1. In the Google Cloud console, go to the Organization policies page.
2. In the organization, folder, and project selector, select the entity to edit the organization policies for.
3. Select the Disable VM nested virtualization constraint to open the Policy details page.
4. Click Edit, then select Customize.
5. Under Enforcement, select one of the following enforcement options for the Disable VM nested virtualization boolean constraint:
   - On: enable enforcement and disable nested virtualization
   - Off: disable enforcement and enable nested virtualization
6. Click Save.
gcloud
Use the gcloud resource-manager org-policies command to enable or disable enforcement of the compute.disableNestedVirtualization organization policy boolean constraint.
If you disable the compute.disableNestedVirtualization constraint by using the disable-enforce command, then you can create VMs that have nested virtualization enabled.
If you enable the constraint by using the enable-enforce command, then you can't create VMs that have nested virtualization enabled.
gcloud resource-manager org-policies \
    ( disable-enforce | enable-enforce ) compute.disableNestedVirtualization \
    (--organization=ORGANIZATION_ID | --folder=FOLDER_ID | --project=PROJECT_ID)
Replace exactly one of the following:
- ORGANIZATION_ID: the ID of the organization to modify the constraint value of. For a list of accessible organizations and their IDs, run the gcloud organizations list command.
- FOLDER_ID: the ID of the folder to modify the constraint value of. For a list of accessible folders and their IDs, run the gcloud resource-manager folders list command.
- PROJECT_ID: the ID of the project to modify the constraint value of. For a list of accessible projects and their IDs, run the gcloud projects list command.
REST
Use REST to modify the value of the compute.disableNestedVirtualization boolean constraint, which determines whether you can create nested VMs in your organization, folder, or project.
POST https://cloudresourcemanager.googleapis.com/v1/RESOURCE/RESOURCE_ID:setOrgPolicy

{
  "policy": {
    "booleanPolicy": {
      "enforced": ENFORCE
    },
    "constraint": "constraints/compute.disableNestedVirtualization"
  }
}
Replace the following:
- RESOURCE: the resource to modify the organization policy of. Set this to one of the following:
  - organizations: calls the organizations.setOrgPolicy method
  - folders: calls the folders.setOrgPolicy method
  - projects: calls the projects.setOrgPolicy method
- RESOURCE_ID: the organization, folder, or project on which to check the status of the disable nested virtualization constraint
- ENFORCE: determines whether the organization policy enforces the compute.disableNestedVirtualization boolean constraint. Set to one of the following:
  - true: to enforce the constraint. With this setting you can't create VMs that have nested virtualization enabled.
  - false: to not enforce the constraint. With this setting, you can create VMs that have nested virtualization enabled.