Connecting TPUs with Shared VPC Networks

This guide explains how to set up Cloud TPUs that use a centrally managed Shared VPC network. Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, so that they can communicate with each other securely and efficiently using internal IPs from that network.

Before you begin

  1. Configure gcloud with your GCP project.
  2. Get familiar with Shared VPC concepts.
  3. Enable a host project that contains one or more Shared VPC networks. This must be done by a Shared VPC admin.
  4. Attach one or more service projects to your Shared VPC network. This must be done by a Shared VPC admin.
  5. Create a VPC network in the host project.

Configure Private Service Access

Private Services Access is used to create a VPC peering between your network and the Cloud TPU service network. Before you use TPUs with Shared VPCs, you need to establish a private service access connection for the network.

  1. Get the project ID for your Shared VPC host project, and then configure the gcloud command with your project ID as shown below:

      gcloud config set project your-network-host-project-id
    

    You can get the project ID from the Google Cloud console.

  2. Enable the Service Networking API using the following gcloud command.

      gcloud services enable servicenetworking.googleapis.com
    

    You can also enable the Service Networking API from the Google Cloud Console.

  3. Allocate a reserved address range for use by Service Networking. The prefix-length needs to be 24 or less. For example:

      gcloud compute addresses create SN-RANGE-1 --global \
        --addresses=10.110.0.0 \
        --prefix-length=16 \
        --purpose=VPC_PEERING \
        --network=your-host-network

  4. Establish a private service access connection.

      gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com --ranges=SN-RANGE-1 --network=your-host-network

  5. Check if a Private Services Access connection has been established for the network. If it's already established, you can start using TPUs with the Shared VPC.
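
Before reserving the range in step 3, it helps to confirm that the candidate block satisfies the prefix-length rule and does not collide with subnets already present in the Shared VPC. The pre-flight check below is an added example, not part of the original guide; the function names and all sample CIDRs are constructed, and the alignment and non-overlap checks go beyond the prefix-length rule stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight check for the range reserved in step 3.
# Function names and every CIDR below are constructed for illustration.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Print "first last" (as integers) for a CIDR block.
cidr_bounds() {
  base=$(ip_to_int "${1%/*}")
  size=$(( 1 << (32 - ${1#*/}) ))
  echo "$base $(( base + size - 1 ))"
}

# check_psa_range CANDIDATE [EXISTING_CIDR...]
# Returns 0 when CANDIDATE is usable, otherwise prints the reason and returns 1.
check_psa_range() {
  cand=$1; shift
  if [ "${cand#*/}" -gt 24 ]; then
    echo "reject $cand: prefix length must be 24 or less"; return 1
  fi
  bounds=$(cidr_bounds "$cand"); c_lo=${bounds% *}; c_hi=${bounds#* }
  if [ $(( c_lo % (c_hi - c_lo + 1) )) -ne 0 ]; then
    echo "reject $cand: address is not aligned to its prefix"; return 1
  fi
  for net in "$@"; do
    bounds=$(cidr_bounds "$net"); n_lo=${bounds% *}; n_hi=${bounds#* }
    # Two intervals overlap when each one starts before the other ends.
    if [ "$c_lo" -le "$n_hi" ] && [ "$n_lo" -le "$c_hi" ]; then
      echo "reject $cand: overlaps existing range $net"; return 1
    fi
  done
  echo "ok $cand"
}

# Constructed subnets standing in for those already in the Shared VPC.
EXISTING="10.128.0.0/20 10.110.4.0/24 192.168.10.0/24"
for candidate in 10.110.0.0/16 10.111.0.0/16 10.112.0.0/28; do
  check_psa_range "$candidate" $EXISTING || true
done
```

In practice the list of existing ranges would come from the subnets defined in the host project's network rather than from a hard-coded string.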

Verify Private Services Access

Check whether a Private Services Access connection has been established for your network by running the following command:

gcloud services vpc-peerings list --network=network-name

Use TPUs with Shared VPC Networks

After you have established your VPC network with the Google service network, you can start provisioning Cloud TPUs.

Configure gcloud

  1. Create a variable for your project's ID.

    export PROJECT_ID=project-id
    
  2. Configure the gcloud command-line tool to use the project where you want to create the Cloud TPU.

    gcloud config set project ${PROJECT_ID}
    

Activate TPU API

In order to use Cloud TPUs, you need to activate the TPU API in your project. Run the following gcloud command to enable the TPU API.

gcloud services enable tpu.googleapis.com

You may also enable it in the Google Cloud Console.

Activate Service Networking API

In order to create TPUs with Shared VPC networks, you need to activate the Service Networking API in the service project. This only needs to be done once per Cloud Platform Project. Run the following gcloud command to enable the Service Networking API.

gcloud services enable servicenetworking.googleapis.com

You can also enable it from the Google Cloud Console.

Create TPUs

You can create Cloud TPUs through the gcloud CLI.

gcloud beta compute tpus create tpu-name --zone zone --accelerator-type $ACCELERATOR_TYPE --network $HOST_NETWORK --use-service-networking

  • Use gcloud alpha or beta track to create the TPUs.
  • You need to set use-service-networking to true so you can create Cloud TPUs that can connect to Shared VPC networks.
  • If you are using Shared VPC networks, the network field should include the host project ID or host project number and the network name. For example, projects/my-host-project-id/global/networks/my-network.
  • For information about what GCP zones support Cloud TPUs, see available zones.

Get information about a TPU

You can get the details of a TPU node through TPU API requests:

gcloud compute tpus describe tpu-name --zone zone

The response body contains information about an instance of a TPU Node, including the cidrBlock.

List TPUs

You can get a list of Cloud TPUs through TPU API requests:

gcloud compute tpus list --zone zone

Delete TPUs

You can delete created Cloud TPUs through TPU API requests:

gcloud compute tpus delete tpu-name --zone zone

Delete the VPC peering

A peering connection can be disconnected using the compute networking API. These calls should be made in Shared VPC host projects.

  1. List all VPC peerings.

    gcloud compute networks peerings list --network=network-name
    
  2. Delete a VPC peering.

    gcloud compute networks peerings delete peering-name --network=network-name