Enable nested virtualization
This document describes how to enable nested virtualization on a virtual machine (VM) instance and how to confirm that you can create a nested VM. Enable nested virtualization on a VM by using one of the following methods:
- Recommended. Enable nested virtualization directly on a new or existing VM by setting the enableNestedVirtualization field to true while creating the VM or by updating the VM. This is the recommended method because it doesn't require that you create a custom image or use the special license key.
- Enable nested virtualization by using the special license key by creating a boot disk, creating a custom image with the special nested virtualization license key, and then creating a VM that uses the custom image.
Before you begin
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
gcloud
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
    gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
    gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Enable nested virtualization directly on a new VM
Permissions required for this task
To perform this task, you must have the following permissions:
- For enabling nested virtualization directly on a new VM, you need the compute.instances.create permissions on the project, folder, or organization.
Enable nested virtualization directly on a VM by using the following procedure.
gcloud
Create an L1 VM with nested virtualization enabled by using the following gcloud compute instances create command:
    gcloud compute instances create VM_NAME \
      --enable-nested-virtualization \
      --zone=ZONE \
      --min-cpu-platform="Intel Haswell"
Replace the following:
- VM_NAME: the name of the new L1 VM with nested virtualization enabled
- ZONE: the zone for the new L1 VM with nested virtualization enabled
REST
Create an L1 VM with nested virtualization enabled by using the following instances.insert method:
    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
    {
      ...
      "name": "VM_NAME",
      ...
      "minCpuPlatform": "Intel Haswell",
      "advancedMachineFeatures": {
        "enableNestedVirtualization": true
      },
      ...
    }
Replace the following:
- PROJECT_ID: the project ID
- ZONE: the zone for the new L1 VM with nested virtualization enabled
- VM_NAME: the name of the new L1 VM with nested virtualization enabled
Enable nested virtualization directly on an existing VM
Permissions required for this task
To perform this task, you must have the following permissions:
- For enabling nested virtualization directly on a new VM, you need the compute.instances.create permissions on the project, folder, or organization.
Enable nested virtualization on an existing VM by using the following procedure.
gcloud
Export the properties of the VM by using the following gcloud compute instances export command:
    gcloud compute instances export VM_NAME \
      --destination=YAML_FILE_PATH \
      --zone=ZONE
Replace the following:
- VM_NAME: the name of the VM from which to export properties
- YAML_FILE_PATH: the path and file name of a .yaml file in which to save the exported configuration data
- ZONE: the zone that contains the VM
In the VM configuration file that was saved in FILE_PATH, update the value for enableNestedVirtualization. If the value is not in the file, add the following:
    advancedMachineFeatures:
      enableNestedVirtualization: true
Tip: To avoid getting an error such as "ERROR: (gcloud.compute.instances.update-from-file) Cannot parse YAML: [Expected type for field value, found True (type )]", add quotes (' ') around any label values of yes or no in the exported instance configuration file. This indicates the values are strings, not Boolean values.
Update the VM with the value for enableNestedVirtualization by using the following gcloud compute instances update-from-file command:
    gcloud compute instances update-from-file VM_NAME \
      --source=FILE_PATH \
      --most-disruptive-allowed-action=RESTART \
      --zone=ZONE
Replace the following:
- VM_NAME: the name of the VM to update
- FILE_PATH: the path to the updated VM configuration file
- ZONE: the zone that contains the VM to update
REST
Update the value for enableNestedVirtualization by using the following instances.update method:
    PUT https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME?most_disruptive_allowed_action=RESTART
    {
      ⋮
      "advanced_machine_features": {
        ⋮
        "enableNestedVirtualization": "true"
      },
      ⋮
    }
Replace the following:
- PROJECT_ID: the ID of the project
- ZONE: the zone that contains the VM
- VM_NAME: the name of the VM from which to export properties
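The file edit in the gcloud procedure above (adding the field and quoting label values), sketched as an added example that is not part of the original page. It assumes the block-style, two-space-indented YAML that the export command writes, generalizes the tip from yes/no to the other YAML 1.1 boolean words, and uses hypothetical function names and a constructed sample.

```python
import re

# Words a YAML 1.1 parser reads as booleans when they are left unquoted.
BOOL_WORDS = {"yes", "no", "true", "false", "on", "off"}

def quote_boolean_labels(lines):
    """Quote bare boolean-looking values inside the top-level labels map."""
    out, in_labels = [], False
    for line in lines:
        if re.match(r"\S", line):                 # a new top-level key starts
            in_labels = line.rstrip() == "labels:"
        elif in_labels:
            m = re.match(r"(\s+[^:#]+:\s*)([A-Za-z]+)\s*$", line)
            if m and m.group(2).lower() in BOOL_WORDS:
                line = f"{m.group(1)}'{m.group(2)}'"
        out.append(line)
    return out

def enable_nested_virtualization(lines):
    """Set advancedMachineFeatures.enableNestedVirtualization to true."""
    key, out, in_amf, done = "enableNestedVirtualization", [], False, False
    for line in lines:
        if re.match(r"\S", line):
            if in_amf and not done:               # block ended without the key
                out.append(f"  {key}: true")
                done = True
            in_amf = line.rstrip() == "advancedMachineFeatures:"
        elif in_amf and (m := re.match(rf"(\s+){key}:", line)):
            line, done = f"{m.group(1)}{key}: true", True
        out.append(line)
    if not done:                                  # block is last, or missing
        if not in_amf:
            out.append("advancedMachineFeatures:")
        out.append(f"  {key}: true")
    return out

def prepare(text):
    """Return the exported YAML text, ready for update-from-file."""
    lines = quote_boolean_labels(text.splitlines())
    return "\n".join(enable_nested_virtualization(lines)) + "\n"

# Constructed sample of an exported instance file (not real gcloud output).
SAMPLE = "advancedMachineFeatures:\n  threadsPerCore: 2\nlabels:\n" \
         "  backup: yes\n  public: No\nname: example-vm\n"

if __name__ == "__main__":
    print(prepare(SAMPLE), end="")
```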
Enable nested virtualization by using the special license key
Permissions required for this task
To perform this task, you must have the following permissions:
- compute.disks.create on the project, folder, or organization
- compute.images.create on the project, folder, or organization
- compute.disks.delete on the project, folder, or organization
- compute.instances.create on the project, folder, or organization
You can enable nested virtualization on a VM by creating a custom image with a special license key that enables VMX on the L1 VM. The license key does not incur additional charges.
Create a boot disk from a public image or from a custom image. The following example uses debian-cloud for the image project and debian-10 for the image family. If you already have a VM instance with an existing disk, you can skip this step.
gcloud
    gcloud compute disks create DISK_NAME \
      --zone=ZONE \
      --image-project=debian-cloud \
      --image-family=debian-10
Replace the following:
- DISK_NAME: the name of the new disk
- ZONE: the zone to create the disk in
REST
    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks
    {
      ...
      "name": "DISK_NAME",
      "sourceImage": "projects/debian-cloud/global/images/family/debian-10",
      ...
    }
Replace the following:
- PROJECT_ID: the project ID
- ZONE: the zone to create the disk in
- DISK_NAME: the name of the new disk
Create a custom image with the special license key that is required for nested virtualization.
gcloud
    gcloud compute images create IMAGE_NAME \
      --source-disk DISK_NAME \
      --source-disk-zone ZONE \
      --licenses "https://www.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx"
Replace the following:
- IMAGE_NAME: the name of the new image
- DISK_NAME: the name of the previously created disk
- ZONE: the zone to create the image in
REST
    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images
    {
      ...
      "licenses": ["projects/vm-options/global/licenses/enable-vmx"],
      "name": "IMAGE_NAME",
      "sourceDisk": "zones/ZONE/disks/DISK_NAME",
      ...
    }
Replace the following:
- PROJECT_ID: the project ID
- IMAGE_NAME: the name of the new image
- ZONE: the zone to create the image in
- DISK_NAME: the name of the previously created disk
Optionally delete the source disk after creating the image with the special license.
gcloud
    gcloud compute disks delete DISK_NAME --zone=ZONE
Replace the following:
- DISK_NAME: the name of the disk to delete
- ZONE: the zone containing the disk to delete
REST
DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/disks/DISK_NAME
Replace the following:
- PROJECT_ID: the project ID
- ZONE: the zone containing the disk to delete
- DISK_NAME: the name of the disk to delete
Create a VM that uses the new image with the special license. The minimum CPU platform must be "Intel Haswell".
gcloud
    gcloud compute instances create VM_NAME \
      --zone=ZONE \
      --min-cpu-platform "Intel Haswell" \
      --image IMAGE_NAME
Replace the following:
- VM_NAME: the name of the VM
- ZONE: the zone to create the VM in
- IMAGE_NAME: the name of the previously created image
REST
    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
    {
      ...
      "name": "VM_NAME",
      "minCpuPlatform": "Intel Haswell",
      "disks": [
        {
          "initializeParams": {
            "sourceImage": "IMAGE_NAME"
          }
        }
      ]
      ...
    }
Replace the following:
- PROJECT_ID: the project ID
- VM_NAME: the name of the VM
- ZONE: the zone to create the VM in
- IMAGE_NAME: the name of the previously created image
Confirm that nested virtualization is enabled on the VM
Connect to the VM instance.
    gcloud compute ssh VM_NAME
Replace VM_NAME with the name of the VM to connect to.
Confirm that nested virtualization is enabled. Any response other than 0 confirms that nested virtualization is enabled.
    grep -cw vmx /proc/cpuinfo
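The in-guest check covers one VM at a time. As an added example (not part of the original page), the following inventory check reports which instances have nested virtualization turned on and by which of the two methods described above. It assumes input in the shape of `gcloud compute instances list --format=json`; the function names and the sample data are constructed for illustration.

```python
import json

# Suffix of the license URL that the custom-image method attaches to the disk.
VMX_LICENSE = "projects/vm-options/global/licenses/enable-vmx"

def nested_virt_sources(instance):
    """Return the reasons one instance resource has nested virtualization on."""
    reasons = []
    amf = instance.get("advancedMachineFeatures") or {}
    if amf.get("enableNestedVirtualization") is True:
        reasons.append("advancedMachineFeatures.enableNestedVirtualization")
    for disk in instance.get("disks", []):
        for lic in disk.get("licenses", []):
            if lic.endswith(VMX_LICENSE):
                name = disk.get("deviceName", "?")
                reasons.append(f"enable-vmx license on disk {name}")
    return reasons

def audit(instances_json):
    """Map instance name -> reasons, for instances with at least one reason."""
    found = {}
    for inst in json.loads(instances_json):
        reasons = nested_virt_sources(inst)
        if reasons:
            found[inst["name"]] = reasons
    return found

# Constructed sample (not real output): one VM per method, one without either.
API = "https://www.googleapis.com/compute/v1/"
SAMPLE = json.dumps([
    {"name": "l1-direct",
     "advancedMachineFeatures": {"enableNestedVirtualization": True},
     "disks": [{"deviceName": "boot", "licenses": [
         API + "projects/debian-cloud/global/licenses/debian-10-buster"]}]},
    {"name": "l1-license",
     "disks": [{"deviceName": "boot", "licenses": [API + VMX_LICENSE]}]},
    {"name": "plain-vm", "disks": [{"deviceName": "boot"}]},
])

if __name__ == "__main__":
    for vm, why in audit(SAMPLE).items():
        print(vm, "->", "; ".join(why))
```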
Last updated 2025-12-15 UTC.