Manage the nested virtualization constraint

Linux

This document describes how to check whether nested virtualization is enabled, and how to modify the boolean constraint that controls whether nested virtualization is enabled for your organization, project, or folder.

A boolean constraint within an organization policy determines whether you can create nested VMs. The boolean constraint for nested virtualization is a restriction, which means that when it is enforced, it tells the organization policy to restrict the creation of nested VMs. For more information about boolean constraints, see Understanding constraints.

The Disable VM nested virtualization constraint is not enforced by default, so you do not have to modify any boolean constraint to enable nested virtualization. Even so, Google recommends explicitly setting the value of the constraint so that your organization, folders, and projects don't rely on the default setting. If your project is not subordinate to an organization, the constraint is not enforced by default and you can't change the constraint.

Before you begin

If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:

Select the tab for how you plan to use the samples on this page:
Console

When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
1. Install the Google Cloud CLI, then initialize it by running the following command:
```
gcloud init
```
  Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
2. Set a default region and zone.
REST

To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Check whether nested virtualization is allowed

Permissions required for this task

To perform this task, you must have the following permissions:

orgpolicy.policy.get on the organization, folder, or project

Check whether nested virtualization is allowed for an organization, folder, or project by using the Google Cloud console, the Google Cloud CLI, or REST.

Console

Check whether you can create nested VMs in your organization, folder, or project by checking if the boolean constraint for disabling nested virtualization is not enforced. If the Disable VM nested virtualization constraint is not enforced by the organization policy, then you can create nested VMs.

In the Google Cloud console, go to the Organization policies page.

Go to Organization policies
In the organization, folder, and project selector, select the entity to view the organization policies for.
Select the Disable VM nested virtualization constraint to open the Policy details page.
View the value for Enforcement:
- If the value is Not enforced, then nested virtualization is enabled, and you can create nested VMs.
- If the value is Enforced, then nested virtualization is disabled, and you can't create nested VMs.

gcloud

Check the value of the compute.disableNestedVirtualization boolean constraint by using the gcloud resource-manager org-policies describe command.

If the Google Cloud CLI output does not show a value for booleanPolicy, then nested virtualization is allowed and you can create nested VMs.

If the Google Cloud CLI output value for booleanPolicy is enforced: true, then the organization policy is enforcing the disable nested virtualization constraint and you can't create nested VMs.

gcloud resource-manager org-policies \
  describe constraints/compute.disableNestedVirtualization \
  (--organization=ORGANIZATION_ID | --folder=FOLDER_ID |
  --project=PROJECT_ID) --effective

Replace exactly one of the following:

ORGANIZATION_ID: the ID of the organization to get the constraint value of. For a list of accessible organizations and their IDs, run the gcloud organizations list command.
FOLDER_ID: the ID of the folder to get the constraint value of. For a list of accessible folders and their IDs, run the gcloud resource-manager folders list command.
PROJECT_ID: the ID of the project to get the constraint value of. For a list of accessible projects and their IDs, run the gcloud projects list command.

REST

Use REST to check the value of the compute.disableNestedVirtualization boolean constraint, which determines whether you can create nested VMs in your organization, folder, or project.

If the REST response doesn't return a value for "booleanPolicy" for the constraint, then nested virtualization is not disabled and you can create nested VMs.

If the value for "booleanPolicy" in the output is "enforced": true, then nested virtualization is disabled and you can't create nested VMs.

POST https://cloudresourcemanager.googleapis.com/v1/RESOURCE/RESOURCE_ID:getOrgPolicy

{
  "constraint": "compute.disableNestedVirtualization"
}

Replace the following:

RESOURCE: the resource to get the organization policy for. Set to one of the following:
- organizations: calls the organizations.getOrgPolicy method
- folders: calls the folders.getOrgPolicy method
- projects: calls the projects.getOrgPolicy method
RESOURCE_ID: the organization, folder, or project on which to check the status of the disable nested virtualization constraint

Modify the nested virtualization organization policy

Permissions required for this task

To perform this task, you must have the following permissions:

orgpolicy.policy.get on the organization, folder, or project
orgpolicy.policy.set on the organization, folder, or project

If you have the appropriate role, you can control whether an organization, folder, or project can create nested VMs. Control this enforcement by using the boolean constraint for nested virtualization.

Use the Google Cloud console, the Google Cloud CLI, or REST to enable nested virtualization for an organization, folder, or project.

Console

To enable nested virtualization, disable the enforcement of the Disable VM nested virtualization boolean constraint, and to disable nested virtualization, enable the enforcement of the boolean constraint.

In the Google Cloud console, go to the Organization policies page.

Go to Organization policies
In the organization, folder, and project selector, select the entity to edit the organization policies for.
Select the Disable VM nested virtualization constraint to open the Policy details page.
Click Edit, then select Customize.
Under Enforcement, select one of the following enforcement options for the Disable VM nested virtualization boolean constraint:
- On: enable enforcement and disable nested virtualization
- Off: disable enforcement and enable nested virtualization
Click Save.

gcloud

Use the gcloud resource-manager org-policies command to enable or disable enforcement of the compute.disableNestedVirtualization organization policy boolean constraint.

If you disable the compute.disableNestedVirtualization constraint by using the disable-enforce command, then you can create VMs that have nested virtualization enabled.

If you enable the constraint by using the enable-enforce command, then you can't create VMs that have nested virtualization enabled.

gcloud resource-manager org-policies \
  ( disable-enforce | enable-enforce ) compute.disableNestedVirtualization \
  (--organization=ORGANIZATION_ID | --folder=FOLDER_ID |
  --project=PROJECT_ID)

Replace exactly one of the following:

ORGANIZATION_ID: the ID of the organization to modify the constraint value of. For a list of accessible organizations and their IDs, run the gcloud organizations list command.
FOLDER_ID: the ID of the folder to modify the constraint value of. For a list of accessible folders and their IDs, run the gcloud resource-manager folders list command.
PROJECT_ID: the ID of the project to modify the constraint value of. For a list of accessible projects and their IDs, run the gcloud projects list command.

REST

Use REST to modify the value of the compute.disableNestedVirtualization boolean constraint, which determines whether you can create nested VMs in your organization, folder, or project.

POST https://cloudresourcemanager.googleapis.com/v1/RESOURCE/RESOURCE_ID:setOrgPolicy

{
  "policy": {
    "booleanPolicy": {
      "enforced": ENFORCE
    },
    "constraint": "constraints/compute.disableNestedVirtualization"
  }
}

Replace the following:

RESOURCE: the resource to modify the organization policy of. Set this to one of the following:
- organizations: calls the organizations.setOrgPolicy method
- folders: calls the folders.setOrgPolicy method
- projects: calls the projects.setOrgPolicy method
RESOURCE_ID: the organization, folder, or project on which to check the status of the disable nested virtualization constraint
ENFORCE: determines whether the organization policy enforces the compute.disableNestedVirtualization boolean constraint. Set to one of the following:
- true: to enforce the constraint. With this setting you can't create VMs that have nested virtualization enabled.
- false: to not enforce the constraint. With this setting, you can create VMs that have nested virtualization enabled.

Manage the nested virtualization constraint

Before you begin

Console

gcloud

REST

Check whether nested virtualization is allowed

Permissions required for this task

Console

gcloud

REST

Modify the nested virtualization organization policy

Permissions required for this task

Console

gcloud

REST

What's next