Adding and Removing Network Tags

Network tags are used by networks to identify which Compute Engine virtual machine (VM) instances are subject to certain firewall rules and network routes. For example, if you have several VM instances that are serving a large website, tag these instances with a shared word or term and then use that tag to apply a firewall rule that allows HTTP access to those instances. Tags are also reflected in the metadata server, so you can use them for applications running on your instances. When you create a firewall rule, you can provide either sourceRanges or sourceTags but not both.

For routes, tags are used to identify which VM instances a certain route applies to. For example, you might create a route that applies to all VM instances that have been tagged with the string vpn.

Restrictions

  • You can assign up to 256 tags to an instance.
  • Duplicate tags are not allowed on an instance
  • Tag values cannot be longer than 63 characters each.
  • Tag values can only contain lowercase letters, numeric characters, and dashes.
  • Tag values must start and end with either a number or a lowercase character.

Adding new tags to VM instances

Console

  1. Go to the VM Instances page.
  2. Click on the instance you want to add or update tags for.
  3. Click the Edit button to edit the instance.
  4. Make changes in the Network tags section.
  5. Save your changes.

gcloud

To assign or update tags for a running instance using gcloud compute, use the instances add-tags command:

gcloud compute instances add-tags [INSTANCE_NAME] --tags tag-1,tag-2

The gcloud tool automatically gets and provides the fingerprint for your request and also ensures that any existing tags you have are still applied to the instance if you did not explicitly specify that tag. This is different from direct API requests, where you must provide the fingerprint and explicitly provide new tags and any existing tags you want to keep.

API

Caution: Updating tags in the API will override any existing tags you have. If you need to keep existing tags, make sure to include all of the tags you want to apply to the instance in your request. For example, to add a tag my-awesome-vm to a list of current tags that includes butter, cheese, and milk, make sure your request contains all four tags.

To update or add a tag, make a POST request to the instance().setTags method. The request body must contain the tags you want to add or update and the latest fingerprint value. Similar to the process of updating metadata, a matching fingerprint is required so that only one update can be made at a time, preventing any collisions with other requests. For example:

POST https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/instances/example-instance/setTags

{
 "items": [
  "butter",
  "cheese",
  "milk",
  "my-awesome-vm"
 ],
 "fingerprint": "a_a9fkXkDsA="
}

 200 OK

{ "kind": "compute#operation", "id": "9251830049681941507", "name": "operation-1442414898862-51fde63aa57b1-422323e0-c439fb04", "zone": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f", "operationType": "setTags", "targetLink": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/instances/example-instance", "targetId": "4392196237934605253", "status": "PENDING", "user": "user@example.com", "progress": 0, "insertTime": "2015-09-16T07:48:18.946-07:00", "startTime": "2015-09-16T07:48:19.208-07:00", "selfLink": "https://www.googleapis.com/compute/v1/projects/..." }

Removing network tags

Console

  1. Go to the VM Instances page.
  2. Click on the instance you want to update tags for.
  3. Click the Edit button to edit the instance.
  4. Under Network tags, click the X for tags you want to remove.
  5. Save your changes.

gcloud

To remove tags using the gcloud tool, use the instances remove-tags command:

gcloud compute instances remove-tags [INSTANCE_NAME] --tags tag-1,tag-2

gcloud automatically gets and provides the fingerprint for your request and also ensures that any existing tags you have are still applied to the instance if you did not explicitly specify that tag. This is different from direct API requests, where you must provide the fingerprint and explicitly specify existing tags you want to keep.

API

Caution: Updating tags in the API will override any existing tags you have. If you need to keep existing tags, make sure to include those tags in your request. For example, to remove a tag my-awesome-vm from a list of current tags that includes butter, cheese, and milk, make sure your request contains all tags but the my-awesome-vm tag.

To remove a tag, make a POST request to the instance().setTags method. The request body must contain the resulting list of the tags you want on the instance, omitting the tags you want to remove, along with the latest fingerprint value. Similar to the process of updating metadata, a matching fingerprint is required so that only one update can be made at a time, preventing any collisions with other requests.

For example, to remove my-awesome-vm from the list of tags but keep butter, cheese, and milk, the API request would contain the latter three tags and omit the my-awesome-vm tag:

POST https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/instances/example-instance/setTags

{
 "items": [
  "butter",
  "cheese",
  "milk"
 ],
 "fingerprint": "a_a9fkXkDsA="
}

 200 OK

{ "kind": "compute#operation", "id": "9251830049681941507", "name": "operation-1442414898862-51fde63aa57b1-422323e0-c439fb04", "zone": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f", "operationType": "setTags", "targetLink": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/instances/example-instance", "targetId": "4392196237934605253", "status": "PENDING", "user": "user@example.com", "progress": 0, "insertTime": "2015-09-16T07:48:18.946-07:00", "startTime": "2015-09-16T07:48:19.208-07:00", "selfLink": "https://www.googleapis.com/compute/v1/projects/..." }

Getting a tag fingerprint

When you update tags in the API, you must provide the latest fingerprint in your request to prevent collisions with other potential requests. To get the latest tag fingerprint, make a request to get information about the VM instance. The latest tag fingerprint is returned as part of the response. A fingerprint is required only when updating or adding tags through the API.

gcloud

In gcloud, run the following command, replacing example-instance with the instance name. Look for the fingerprint property under tags property:

gcloud compute instances describe example-instance

...
tags:
fingerprint: 42WmSpB8rSM=

API

In the API, perform a GET request to the instance and look for the tags.fingerprint property:

GET https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/instances/example-instance

200 OK

{ ... "tags": { "items": [ "butter", "cheese" ], "fingerprint": "MW8EqhxILtc=" }, ... }

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.

Send feedback about...