Stay organized with collectionsSave and categorize content based on your preferences.
Connect a TPU to a Shared VPC network
Configure a VPC host project
You need to grant the TPU Service Account
in yourservice projectpermissions to manage resources in thehost project.
You do this using the "TPU Shared VPC Agent" (roles/tpu.xpnAgent) role. Run
the followinggcloudcommands to grant this role binding.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Connect a TPU to a Shared VPC network\n=====================================\n\n| **Important:** This guide explains how to set up Cloud TPUs that use a centrally managed [Shared VPC network](/vpc/docs/overview). This document assumes you are familiar with VPCs and have created a Shared VPC. For more information on how to create and manage Shared VPC networks, see [Create and modify Shared VPC networks](/vpc/docs/create-modify-vpc-networks).\n\nConfigure a VPC host project\n----------------------------\n\nYou need to grant the TPU Service Account\nin your [service project](/vpc/docs/shared-vpc#concepts_and_terminology)\npermissions to manage resources in the [host project](/vpc/docs/shared-vpc#concepts_and_terminology).\nYou do this using the \"TPU Shared VPC Agent\" (`roles/tpu.xpnAgent`) role. Run\nthe following `gcloud` commands to grant this role binding. \n\n```bash\ngcloud projects add-iam-policy-binding host-project-id \\\n--member=serviceAccount:service-your-service-project-number@gcp-sa-tpu.iam.gserviceaccount.com \\\n--role=roles/tpu.xpnAgent\n```\n| **Note:** You can find your service project number in the project info section of the [Google Cloud console](https://console.cloud.google.com/) dashboard.\n\nCreate a TPU VM connected to a Shared VPC Network\n-------------------------------------------------\n\nFirst determine which accelerator types and versions are available in the zone \n\n```bash\ngcloud compute tpus accelerator-types list --zone zone\n``` \n\n```bash\ngcloud compute tpus versions list --zone zone\n```\n\nYou connect a TPU VM to a Shared VPC network when you create your TPU.\nSpecify your Shared VPC using the `--network` tag: \n\n```bash\ngcloud compute tpus tpu-vm create tpu-name \\\n --zone zone \\\n --accelerator-type accelerator-type \\\n --network projects/host-project-id/global/networks/host-network \\\n --version tpu-image-version \\\n --project your-service-project-id\n```\n| **Note:** The `--network` tag must be set to the fully qualified network name. For example, `projects/`\u003cvar translate=\"no\"\u003emy-host-project-id\u003c/var\u003e`/global/networks/`\u003cvar translate=\"no\"\u003emy-network\u003c/var\u003e.\n\nYou can verify your TPU VM is connected to your Shared VPC using\nthe `gcloud describe` command: \n\n```bash\n$ gcloud compute tpus tpu-vm describe tpu-name --zone zone\n```\n\nThe response includes the network to which your TPU VM is attached: \n\n```\nacceleratorType: v3-8\napiVersion: V2\ncidrBlock: 10.128.0.0/20\ncreateTime: '2022-06-17T21:32:13.859274143Z'\nhealth: HEALTHY\nid: '0000000000000000000'\nname: projects/my-project/locations/us-central1-b/nodes/my-tpu\nnetworkConfig:\n enableExternalIps: true\n network: projects/my-project/global/networks/default\n subnetwork: projects/my-project/regions/us-central1/subnetworks/default\nnetworkEndpoints:\n- accessConfig:\n externalIp: 000.000.000.000\n ipAddress: 10.128.0.104\n port: 8470\nruntimeVersion: tpu-vm-tf-2.8.0\nschedulingConfig: {}\nserviceAccount:\n email: 00000000000-compute@developer.gserviceaccount.com\n scope:\n - https://www.googleapis.com/auth/devstorage.read_write\n - https://www.googleapis.com/auth/logging.write\n - https://www.googleapis.com/auth/service.management\n - https://www.googleapis.com/auth/servicecontrol\n - https://www.googleapis.com/auth/cloud-platform\n - https://www.googleapis.com/auth/pubsub\nshieldedInstanceConfig: {}\nstate: READY\n```\n\nDelete the TPU VM\n-----------------\n\nWhen you are done with the TPU VM, make sure to delete it. \n\n```bash\ngcloud compute tpus tpu-vm delete tpu-name --zone zone\n```"]]
