Connect a TPU to a Shared VPC network

Configure a VPC host project

You need to grant the TPU Service Account in your service project permissions to manage resources in the host project. You do this using the "TPU Shared VPC Agent" (roles/tpu.xpnAgent) role. Run the following gcloud commands to grant this role binding.

gcloud projects add-iam-policy-binding host-project-id \
--member=serviceAccount:service-your-service-project-number@gcp-sa-tpu.iam.gserviceaccount.com \
--role=roles/tpu.xpnAgent

Create a TPU VM connected to a Shared VPC Network

First determine which accelerator types and versions are available in the zone

gcloud compute tpus accelerator-types list --zone zone

gcloud compute tpus versions list --zone zone

You connect a TPU VM to a Shared VPC network when you create your TPU. Specify your Shared VPC using the --network tag:

gcloud compute tpus tpu-vm create tpu-name \
   --zone zone \
   --accelerator-type accelerator-type \
   --network projects/host-project-id/global/networks/host-network \
   --version tpu-image-version \
   --project your-service-project-id

You can verify your TPU VM is connected to your Shared VPC using the gcloud describe command:

$ gcloud compute tpus tpu-vm describe tpu-name --zone zone

The response includes the network to which your TPU VM is attached:

acceleratorType: v3-8
apiVersion: V2
cidrBlock: 10.128.0.0/20
createTime: '2022-06-17T21:32:13.859274143Z'
health: HEALTHY
id: '0000000000000000000'
name: projects/my-project/locations/us-central1-b/nodes/my-tpu
networkConfig:
  enableExternalIps: true
  network: projects/my-project/global/networks/default
  subnetwork: projects/my-project/regions/us-central1/subnetworks/default
networkEndpoints:
- accessConfig:
    externalIp: 000.000.000.000
  ipAddress: 10.128.0.104
  port: 8470
runtimeVersion: tpu-vm-tf-2.8.0
schedulingConfig: {}
serviceAccount:
  email: 00000000000-compute@developer.gserviceaccount.com
  scope:
  - https://www.googleapis.com/auth/devstorage.read_write
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/service.management
  - https://www.googleapis.com/auth/servicecontrol
  - https://www.googleapis.com/auth/cloud-platform
  - https://www.googleapis.com/auth/pubsub
shieldedInstanceConfig: {}
state: READY

Delete the TPU VM

When you are done with the TPU VM, make sure to delete it.

gcloud compute tpus tpu-vm delete tpu-name --zone zone