At the core of Google Compute Engine are virtual machine instances that run on Google's infrastructure. Each virtual machine instance is considered an Instance resource and part of the Instance collection. When you create a virtual machine instance, you are creating an Instance resource that uses other resources, such as Disk resources, Network resources, Image resources, and so on. Each resource performs a different function. For example, a Disk resource functions as data storage for your virtual machine, similar to a physical hard drive, and a Network resource helps regulate traffic to and from your instances.
All resources belong to the global, regional, or zonal plane. For example, images are a global resource so they can be accessed from all other resources. Static IPs are a regional resource, and only resources that are part of the same region can use the static IPs in that region. Google Cloud Platform resources are hosted in multiple locations world-wide. These locations are composed of regions and zones within those regions. Putting resources in different zones in a region provides isolation for many types of infrastructure, hardware, and software failures. Putting resources in different regions provides an even higher degree of failure independence. This allows you to design robust systems with resources spread across different control planes.
Google Developers Console projects
Before you can start using Google Compute Engine, you must enable the service from the Google Developers Console. The Developers Console is designed to be a one-stop shop for you to create and manage multiple API "projects" at once. Each project is a totally compartmentalized world. Projects do not share resources, can have different owners and users, are billed separately, and are managed separately.
After Google Compute Engine is enabled, any resources you create or use in Google Compute Engine belong to the project. It is possible to have many projects with Google Compute Engine enabled. To differentiate between them, Google Compute Engine requires that you always identify the project you're working in when interacting with the Google Compute Engine service.
Identifying projects
In order to interact with Google Compute Engine resources, you must provide identifying project information for every request. If you are using gcloud compute, you can save your project ID so it is automatically provided for each request, but in the API, you must always specify the project ID.
A project can be identified in two ways: using a project ID or a project number. A project ID is the customized name you chose when you created the project, or when you activated an API that required you to create a project ID. It can be found in the Dashboard of the project, and looks similar to the following:
When you specify your project ID, you need to include the full project ID, including any domain if one is shown in your project ID. For example, when using gcloud compute, you can specify your project ID like so:
$ gcloud --project example.com:my-project compute instances create example-instance
gcloud lets you save your project ID so that it is automatically provided for each request. To set a default project, use the gcloud config set command:
$ gcloud config set project example.com:my-project
When you choose your project ID (or any resource name), avoid putting sensitive information in the name. Project IDs and resource names appear in request URLs, command lines, and logs, and are visible to every team member who is allowed to list the resource.
Alternatively, you can use the project number to identify your project to Google Compute Engine. Your project number is unique to the project and can be found in the URL of the project:
Generally, we recommend using the project ID to identify your projects because it is easier to remember than the numeric project number.
Project team members
Projects have team members that can collaborate on and access the project to varying degrees. Team members can be added as an owner, editor, or viewer. Every project can have one or more owners, editors, and viewers. Depending on their role, team members can access Google Compute Engine resources for that project accordingly:
- To add or modify Google Compute Engine resources in a project, you need to be an owner or editor of that project.
- To list information about certain resources within a project, you need to be a viewer, owner, or editor of that project.
To add team members to a project, see managing project members.
For more information, see Projects.
Global resources
Global resources are accessible by any resource in any zone within the same project. When you create a global resource, you do not need to provide a scope specification. Global resources include:
- Images
- Images can be used by any instance or disk resource in the same project as the image. Google also provides preconfigured images that you can use to boot your instance, or you can customize an image to use instead.
- Snapshots
- Persistent disk snapshots are available to all disks within the same project as the snapshot.
- Network
- A network can be used by any instance in the same project.
- Firewalls
- A firewall applies to exactly one network, but it is considered a global resource because it is not tied to any zone: it governs traffic to instances in that network regardless of the zone they run in.
- Routes
- Routes allow you to create complicated networking scenarios by letting you manage how traffic destined for a certain IP range should be routed, similar to how a router directs traffic within a local area network. Routes apply to networks within a Google Compute Engine project and are considered a global resource.
- Global operations
- Operations are both a per-zone resource and a global resource. If you perform an operation on a global resource, the operation is a global operation. For example, inserting an image is a global operation, because images are a global resource.
Most of the global resources are briefly described below.
Image resources
When you start an instance, you must select an image to use. An image resource contains an operating system and the root file system necessary for starting your instance. Google maintains and provides images that are ready to use, or you can customize an image and use that as your image of choice for creating instances. Depending on your needs, you can also apply an image to a persistent disk and use the persistent disk as your root file system.
Images are a global resource, so you can use any image in the project with an instance or disk in any zone. All your custom images are also global. For more information, see Images.
Snapshot resources
Persistent disk snapshots let you copy data from an existing persistent disk and apply it to new persistent disks. This is especially useful for creating backups of your persistent disk data in case of unexpected failures and zone maintenance events. Since snapshots are a global resource, you can apply a snapshot to a disk in any zone. If a persistent disk in a zone is taken offline, you can use a snapshot to recreate the same disk in another zone of your choice.
For more information, see Persistent Disk Snapshots.
Network resources
A project has one or more Network resources that define how instances communicate with each other, with other networks, and with the outside world. Each instance belongs to a single network and any communication between instances in different networks must be through a public IP address.
A network defines the address range and gateway address of all instances connected to it, which you can configure to suit your needs. Networks are associated with Firewall resources, which allow you to specify the types of connections that are permitted into an instance. For example, you can configure the network and firewall resources of a specific instance so that the instance can have an externally visible IP address that lets it act as an HTTP server, or handle SSH, UDP, or other requests as defined by the network and firewall settings.
Networks belong to a single project but are a global resource; any instance within the same project as the network may use the network.
The default network
Every project comes preconfigured with a single Network resource named default. The default network includes two firewalls: a firewall that allows all instances in the network to communicate with each other over TCP/UDP/ICMP, and a firewall that allows SSH into the network from outside. No other incoming connections are permitted by default. You can modify or delete the default firewalls or add new firewalls to your project's default network to customize how your instances communicate with each other and the world.
Note that the default SSH firewall does not restrict the source address, so port 22 on every instance that has an external IP address is reachable from the whole Internet until you narrow that firewall's allowed sources (for example, to your administrators' address range) or delete it.
Most users will not need to create any Networks beyond the default network.
For more information, see Networking and Firewalls.
Firewall resources
A Firewall resource contains one or more rules that permit connections into instances. Every firewall resource is associated with one and only one network. It is not possible to associate one firewall with multiple networks.
No communication is allowed into an instance unless a Firewall resource permits the network traffic, even between instances on the same network. However, an instance is always allowed to communicate out, unless it is trying to communicate through one of the blocked traffic sources. In other words, firewalls only apply to incoming connections. A firewall resource consists of:
- A set of allowed sources. This can either be explicit IP address ranges or a set of instances defined by a tag on the instance.
- A set of target VMs, defined by tags on the instances.
- A set of protocols and ports.
With these primitives, Google Compute Engine provides a flexible configuration to allow connections from any source or to any target. To get started, here are some firewall examples:
- A firewall that allows incoming TCP connections to port 80 and 443 on instances tagged 'frontend' from anywhere.
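The ingress model described in this section (inbound traffic dropped unless a rule permits it, sources given as IP ranges or instance tags, targets given as tags, and a protocol/port set) and the two firewalls of the default network can be exercised in a small simulator. The following is an added example written for this page, not Google Compute Engine code: the rule names, the 10.240.0.0/16 internal range used for the default internal firewall, and the hardened rule set are assumptions. It also builds the page's first example rule (TCP 80 and 443 to instances tagged frontend from anywhere) and shows why the stock SSH rule deserves a narrower source range.

```python
# Added example (not Google's code): a small model of Compute Engine's ingress
# firewall semantics as described on this page. A rule has allowed sources
# (IP ranges and/or source tags), target tags, and protocol/port sets; ingress
# is denied unless some rule matches, and egress is not filtered at all.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    ip: str                                   # internal address on the network
    tags: set = field(default_factory=set)


@dataclass
class FirewallRule:
    name: str
    allowed: dict                             # protocol -> set of ports; empty set = all ports
    source_ranges: list = field(default_factory=list)   # CIDR strings
    source_tags: set = field(default_factory=set)       # tags on the sending instance
    target_tags: set = field(default_factory=set)       # empty = every instance in the network

    def matches(self, src_ip, src_tags, dst, proto, port):
        # Target: a rule with no target tags covers all instances in the network.
        if self.target_tags and not (self.target_tags & dst.tags):
            return False
        # Source: the sender must sit inside an allowed range or carry an allowed tag.
        addr = ipaddress.ip_address(src_ip)
        in_range = any(addr in ipaddress.ip_network(r) for r in self.source_ranges)
        if not (in_range or (self.source_tags & src_tags)):
            return False
        if proto not in self.allowed:
            return False
        ports = self.allowed[proto]
        return not ports or port in ports     # ICMP has no port; empty set means "any"


class Network:
    def __init__(self, name, rules):
        self.name = name
        self.rules = list(rules)

    def ingress_allowed(self, src_ip, src_tags, dst, proto, port=None):
        """Names of the rules permitting this connection; [] means it is dropped."""
        return [r.name for r in self.rules
                if r.matches(src_ip, src_tags, dst, proto, port)]


# The two firewalls the page says ship with the "default" network. The rule
# names and the 10.240.0.0/16 internal range are assumptions for this example.
DEFAULT_INTERNAL = "10.240.0.0/16"


def default_network():
    return Network("default", [
        FirewallRule("default-allow-internal",
                     {"tcp": set(), "udp": set(), "icmp": set()},
                     source_ranges=[DEFAULT_INTERNAL]),
        # SSH "from outside" with no source restriction: port 22 is open to the Internet.
        FirewallRule("default-allow-ssh", {"tcp": {22}},
                     source_ranges=["0.0.0.0/0"]),
    ])


def frontend_rule():
    """The page's first example: TCP 80/443 to instances tagged 'frontend' from anywhere."""
    return FirewallRule("allow-frontend-web", {"tcp": {80, 443}},
                        source_ranges=["0.0.0.0/0"], target_tags={"frontend"})


def hardened_network(admin_cidr):
    """Least-privilege variant (assumed design): SSH only from an admin range, and
    instance-to-instance traffic only where a tag pair explicitly allows it."""
    return Network("default", [
        FirewallRule("allow-ssh-admin", {"tcp": {22}}, source_ranges=[admin_cidr]),
        FirewallRule("allow-frontend-to-db", {"tcp": {3306}},
                     source_tags={"frontend"}, target_tags={"backend"}),
        frontend_rule(),
    ])


if __name__ == "__main__":
    # Constructed sample instances and a constructed external client address.
    web = Instance("web-1", "10.240.0.2", {"frontend"})
    db = Instance("db-1", "10.240.0.3", {"backend"})
    net = default_network()
    print(net.ingress_allowed("203.0.113.7", set(), db, "tcp", 22))      # ['default-allow-ssh']
    print(net.ingress_allowed("203.0.113.7", set(), db, "tcp", 3306))    # []
    hard = hardened_network("198.51.100.0/24")
    print(hard.ingress_allowed("203.0.113.7", set(), db, "tcp", 22))     # []
    print(hard.ingress_allowed(web.ip, web.tags, db, "tcp", 3306))       # ['allow-frontend-to-db']
```

The second and third queries are the point of the exercise: with the stock rules, an external host can reach port 22 on a database instance that never needed to be administered from the Internet, while a MySQL port on the same instance is correctly dropped. The hardened network keeps the page's stated semantics (default-deny inbound, tag-based sources and targets) but only opens what each pair of roles actually requires.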