Shared VPC networks

This guide explains how to set up Cloud TPUs that use a centrally managed Shared VPC network. A shared VPC network allows your organization to connect resources from multiple projects to a common network.

Before you begin

  1. If you don't have the Google Cloud SDK install, install it now.
  2. Initialize the Google Cloud SDK.
  3. Get familiar with Shared VPC concepts.
  4. Enable a host project that contains one or more Shared VPC networks. This must be done by a Shared VPC admin.
  5. Attach one or more service projects to your Shared VPU network. This must be done by a Shared VPC admin.
  6. Create a VPC network in the host project.

Configure Private Service Access

Private Services Access is used to create a VPC peering between your network and the Cloud TPU service network. Before you use TPUs with Shared VPCs, you need to establish a private service access connection for the network.

  1. Get the project ID for your Shared VPC host project, and then configure the gcloud command-line tool command with your project ID as shown below:

      gcloud config set project project-id

    You can get the project ID from the Google Cloud console.

  2. Enable the Service Networking API using the following gcloud command-line tool command. 

      gcloud services enable servicenetworking.googleapis.com

    You can also enable the Service Networking API from the Google Cloud Console.

  3. Allocate a reserved address range for use by Service Networking. The prefix-length needs to be 24 or less. For example:

    gcloud compute addresses create SN-RANGE-1 --global \
--addresses=10.110.0.0 \
--prefix-length=16 \
--purpose=VPC_PEERING \
--network=network-name

  4. Establish a private service access connection.

      gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com --ranges=SN-RANGE-1 --network=network-name

  5. Check if a Private Services Access connection has been established for the network. If it's already established, you can start using TPUs with the Shared VPC.

Verify Private Services Access

Check whether a Private Services Access connection has been established for your network by running following command:

gcloud services vpc-peerings list --network=network-name

Use TPUs with Shared VPC Networks

After you have established your VPC network with the Google service network, you can start provisioning Cloud TPUs.

Configure gcloud command-line tool

  1. Create a variable for your project's ID.

    export PROJECT_ID=project-id

  2. Configure gcloud command-line tool to use the project where you want to create Cloud TPU.

    gcloud config set project ${PROJECT_ID}

Activate TPU API

In order to use Cloud TPUs, you need to activate TPU API in your project. Run the following gcloud command-line tool command to enable the TPU API.

gcloud services enable tpu.googleapis.com

You may also enable it in the Google Cloud Console.

Activate Service Networking API

In order to create TPUs with Shared VPC networks, you need to activate the Service Networking API in the service project. This only needs to be done once per Cloud Platform Project. Run the following gcloud command-line tool command to enable Service Networking API.

gcloud services enable servicenetworking.googleapis.com

You can also enable it from the Google Cloud Console.

Create TPUs

You can launch a Compute Engine VM and Cloud TPU using the gcloud command-line tool command. The command you use depends on whether you are using TPU VMs or TPU nodes. For more information, see System Architecture.

TPU VM

$ gcloud alpha compute tpus tpu-vm create tpu-name \
  --zone=zone \
  --accelerator-type=v3-8 \
  --version=tpu-vm-tf-2.7.0

TPU Node

$ gcloud compute tpus execution-groups create \
  --name=tpu-name \
  --zone zone \
  --tf-version=2.7.0 \
  --machine-type=n1-standard-1 \
  --accelerator-type=v3-8 \
  --network network-name \
  --use-service-networking

  • You need to set use-service-networking to true to create Cloud TPUs that can connect to Shared VPC networks.

  • The network field should include the host project ID or host project number and the network name. For example, projects/my-host-project-id/global/networks/my-network.

  • For information about what GCP zones support Cloud TPUs, see available zones.

For more information about working with TPUs see Cloud TPU User's Guide.

Delete the VPC peering

A peering connection can be disconnected using the compute networking API. These calls should be made in Shared VPC host projects.

  1. List all VPC peerings.

    gcloud compute networks peerings list --network=network-name

  2. Delete a VPC peering.

    gcloud compute networks peerings delete peering-name --network=network-name