Use a shielded virtual machine with user-managed notebooks

So you can be confident that your instances have not been compromised by boot- or kernel-level malware or rootkits, Shielded VM offers verifiable integrity of Compute Engine VM instances. Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.

For more information, see Shielded VM.

Requirements and limitations

To use Shielded VM with user-managed notebooks, you must create a Deep Learning VM Images instance with a Debian 10 OS that is version M51 or higher.

While using Vertex AI Workbench, you can't use shielded VM user-managed notebooks instances that use GPU accelerators.

Create a user-managed notebooks instance using a shielded VM

To create a shielded VM that you can use with user-managed notebooks, complete the following steps:

  1. Select the image family that you want your instance to be based on. Use the following Google Cloud CLI command to list the available image families that are compatible with user-managed notebooks and Shielded VM. You can run the command in Cloud Shell or any environment where the Google Cloud CLI is installed.

    gcloud compute images list \
        --project deeplearning-platform-release \
        --no-standard-images | grep debian-10
    
  2. Use the following command to create the Compute Engine instance.

    gcloud compute instances create nb-legacy2 \
        --image-project=deeplearning-platform-release \
        --image-family=MY_IMAGE_FAMILY \
        --metadata="proxy-mode=service_account" \
        --scopes=https://www.googleapis.com/auth/cloud-platform \
        --shielded-secure-boot \
        --zone=MY_ZONE
    

    Replace the following:

    • MY_IMAGE_FAMILY: the image family name that you want to use to create your VM
    • MY_ZONE: the zone where you want your instance to be located
  3. Register your Compute Engine VM with the Notebooks API.
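
The create command above passes only `--shielded-secure-boot`, while the introduction names three features. The following added example (not part of the original page) reads back the instance's `shieldedInstanceConfig` and reports any of Secure Boot, vTPM or integrity monitoring that is not enabled; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm Shielded VM features on an instance after creation.

# check_shielded CSV_LINE
# CSV_LINE is "enableSecureBoot,enableVtpm,enableIntegrityMonitoring".
# Prints the result and returns 0 only when all three features are enabled.
check_shielded() {
    # Compare case-insensitively: booleans may be rendered as True or true.
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '\r')
    old_ifs=$IFS
    IFS=,
    # Comma is a non-whitespace separator, so an empty (unset) field is kept
    # as an empty positional parameter and counts as "not enabled".
    set -- $line
    IFS=$old_ifs
    missing=""
    [ "${1:-}" = "true" ] || missing="$missing secure-boot"
    [ "${2:-}" = "true" ] || missing="$missing vtpm"
    [ "${3:-}" = "true" ] || missing="$missing integrity-monitoring"
    if [ -n "$missing" ]; then
        echo "NOT fully shielded, disabled:$missing"
        return 1
    fi
    echo "OK: secure boot, vTPM and integrity monitoring enabled"
}

# audit_instance NAME ZONE
# Reads the live configuration from Compute Engine and checks it.
# Returns 2 if the describe call itself fails (wrong name, zone or auth).
audit_instance() {
    cfg=$(gcloud compute instances describe "$1" --zone="$2" \
        --format="csv[no-heading](shieldedInstanceConfig.enableSecureBoot,shieldedInstanceConfig.enableVtpm,shieldedInstanceConfig.enableIntegrityMonitoring)") || return 2
    check_shielded "$cfg"
}

# Constructed sample lines (not output from a real project).
check_shielded "True,True,True"
check_shielded "True,,False" || true
```

On a real instance, run `audit_instance nb-legacy2 MY_ZONE` after step 2 and before registering the VM with the Notebooks API.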

What's next