Manage the nested virtualization constraint
This document describes how to check whether nested virtualization is enabled, and how to modify the boolean constraint that controls whether nested virtualization is enabled for your organization, project, or folder.
A boolean constraint within an organization policy determines whether you can create nested VMs. The boolean constraint for nested virtualization is a restriction, which means that when it is enforced, it tells the organization policy to restrict the creation of nested VMs. For more information about boolean constraints, see Understanding constraints.
The Disable VM nested virtualization constraint is not enforced by default, so you do not have to modify any boolean constraint to enable nested virtualization. Even so, Google recommends explicitly setting the value of the constraint so that your organization, folders, and projects don't rely on the default setting. If your project is not subordinate to an organization, the constraint is not enforced by default and you can't change the constraint.
Before you begin
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
    gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
    gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Check whether nested virtualization is allowed
Permissions required for this task
To perform this task, you must have the following permissions:
- orgpolicy.policy.get on the organization, folder, or project
Check whether nested virtualization is allowed for an organization, folder, or project by using the Google Cloud console, the Google Cloud CLI, or REST.
Console
Check whether you can create nested VMs in your organization, folder, or project by checking if the boolean constraint for disabling nested virtualization is not enforced. If the Disable VM nested virtualization constraint is not enforced by the organization policy, then you can create nested VMs.
In the Google Cloud console, go to the Organization policies page.
In the organization, folder, and project selector, select the entity to view the organization policies for.
Select the Disable VM nested virtualization constraint to open the Policy details page.
View the value for Enforcement:
- If the value is Not enforced, then nested virtualization is enabled, and you can create nested VMs.
- If the value is Enforced, then nested virtualization is disabled, and you can't create nested VMs.
gcloud
Check the value of the compute.disableNestedVirtualization boolean constraint by using the gcloud resource-manager org-policies describe command.
If the Google Cloud CLI output does not show a value for booleanPolicy, then nested virtualization is allowed and you can create nested VMs.
If the Google Cloud CLI output value for booleanPolicy is enforced: true, then the organization policy is enforcing the disable nested virtualization constraint and you can't create nested VMs.
    gcloud resource-manager org-policies \
        describe constraints/compute.disableNestedVirtualization \
        (--organization=ORGANIZATION_ID | --folder=FOLDER_ID | --project=PROJECT_ID) --effective
Replace exactly one of the following:
- ORGANIZATION_ID: the ID of the organization to get the constraint value of. For a list of accessible organizations and their IDs, run the gcloud organizations list command.
- FOLDER_ID: the ID of the folder to get the constraint value of. For a list of accessible folders and their IDs, run the gcloud resource-manager folders list command.
- PROJECT_ID: the ID of the project to get the constraint value of. For a list of accessible projects and their IDs, run the gcloud projects list command.
REST
Use REST to check the value of the compute.disableNestedVirtualization boolean constraint, which determines whether you can create nested VMs in your organization, folder, or project.
If the REST response doesn't return a value for "booleanPolicy" for the constraint, then nested virtualization is not disabled and you can create nested VMs.
If the value for "booleanPolicy" in the output is "enforced": true, then nested virtualization is disabled and you can't create nested VMs.
    POST https://cloudresourcemanager.googleapis.com/v1/RESOURCE/RESOURCE_ID:getOrgPolicy
    {
      "constraint": "compute.disableNestedVirtualization"
    }
Replace the following:
- RESOURCE: the resource to get the organization policy for. Set to one of the following:
  - organizations: calls the organizations.getOrgPolicy method
  - folders: calls the folders.getOrgPolicy method
  - projects: calls the projects.getOrgPolicy method
- RESOURCE_ID: the organization, folder, or project on which to check the status of the disable nested virtualization constraint
Modify the nested virtualization organization policy
Permissions required for this task
To perform this task, you must have the following permissions:
- orgpolicy.policy.get on the organization, folder, or project
- orgpolicy.policy.set on the organization, folder, or project
If you have the appropriate role, you can control whether an organization, folder, or project can create nested VMs. Control this enforcement by using the boolean constraint for nested virtualization.
Use the Google Cloud console, the Google Cloud CLI, or REST to enable nested virtualization for an organization, folder, or project.
Console
To enable nested virtualization, disable the enforcement of the Disable VM nested virtualization boolean constraint, and to disable nested virtualization, enable the enforcement of the boolean constraint.
In the Google Cloud console, go to the Organization policies page.
In the organization, folder, and project selector, select the entity to edit the organization policies for.
Select the Disable VM nested virtualization constraint to open the Policy details page.
Click Edit, then select Customize.
Under Enforcement, select one of the following enforcement options for the Disable VM nested virtualization boolean constraint:
- On: enable enforcement and disable nested virtualization
- Off: disable enforcement and enable nested virtualization
Click Save.
gcloud
Use the gcloud resource-manager org-policies command to enable or disable enforcement of the compute.disableNestedVirtualization organization policy boolean constraint.
If you disable the compute.disableNestedVirtualization constraint by using the disable-enforce command, then you can create VMs that have nested virtualization enabled.
If you enable the constraint by using the enable-enforce command, then you can't create VMs that have nested virtualization enabled.
    gcloud resource-manager org-policies \
        ( disable-enforce | enable-enforce ) compute.disableNestedVirtualization \
        (--organization=ORGANIZATION_ID | --folder=FOLDER_ID | --project=PROJECT_ID)
Replace exactly one of the following:
- ORGANIZATION_ID: the ID of the organization to modify the constraint value of. For a list of accessible organizations and their IDs, run the gcloud organizations list command.
- FOLDER_ID: the ID of the folder to modify the constraint value of. For a list of accessible folders and their IDs, run the gcloud resource-manager folders list command.
- PROJECT_ID: the ID of the project to modify the constraint value of. For a list of accessible projects and their IDs, run the gcloud projects list command.
REST
Use REST to modify the value of the compute.disableNestedVirtualization boolean constraint, which determines whether you can create nested VMs in your organization, folder, or project.
    POST https://cloudresourcemanager.googleapis.com/v1/RESOURCE/RESOURCE_ID:setOrgPolicy
    {
      "policy": {
        "booleanPolicy": {
          "enforced": ENFORCE
        },
        "constraint": "constraints/compute.disableNestedVirtualization"
      }
    }
Replace the following:
- RESOURCE: the resource to modify the organization policy of. Set this to one of the following:
  - organizations: calls the organizations.setOrgPolicy method
  - folders: calls the folders.setOrgPolicy method
  - projects: calls the projects.setOrgPolicy method
- RESOURCE_ID: the organization, folder, or project on which to check the status of the disable nested virtualization constraint
- ENFORCE: determines whether the organization policy enforces the compute.disableNestedVirtualization boolean constraint. Set to one of the following:
  - true: to enforce the constraint. With this setting you can't create VMs that have nested virtualization enabled.
  - false: to not enforce the constraint. With this setting, you can create VMs that have nested virtualization enabled.
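As an added example (not part of the original page or Google's samples), the following Python builds the getOrgPolicy and setOrgPolicy requests shown above, classifies getOrgPolicy responses by the rule this page gives, and lists resources that have no explicit value set. The helper names, the sample resource IDs, and the empty booleanPolicy object standing for an explicit "not enforced" value are assumptions.

```python
API = "https://cloudresourcemanager.googleapis.com/v1"
CONSTRAINT = "compute.disableNestedVirtualization"
RESOURCES = ("organizations", "folders", "projects")

def _url(resource, resource_id, method):
    # RESOURCE must be one of the three collections this page lists.
    if resource not in RESOURCES:
        raise ValueError(f"RESOURCE must be one of {RESOURCES}, got {resource!r}")
    return f"{API}/{resource}/{resource_id}:{method}"

def get_request(resource, resource_id):
    """URL and JSON body for the getOrgPolicy call shown on this page."""
    return _url(resource, resource_id, "getOrgPolicy"), {"constraint": CONSTRAINT}

def set_request(resource, resource_id, enforce):
    """URL and JSON body for setOrgPolicy; enforce=True blocks nested VMs."""
    if not isinstance(enforce, bool):
        raise TypeError("ENFORCE must be true or false")
    policy = {"booleanPolicy": {"enforced": enforce},
              "constraint": f"constraints/{CONSTRAINT}"}
    return _url(resource, resource_id, "setOrgPolicy"), {"policy": policy}

def classify(response):
    """Map a getOrgPolicy response to the state this page describes."""
    boolean_policy = response.get("booleanPolicy")
    if boolean_policy is None:
        return "default"        # no booleanPolicy value: nested VMs allowed
    if boolean_policy.get("enforced") is True:
        return "enforced"       # nested VMs cannot be created
    return "not-enforced"       # value set explicitly, nested VMs allowed

def audit(responses):
    """Resources with no explicit value, i.e. relying on the default."""
    return sorted(name for name, resp in responses.items()
                  if classify(resp) == "default")

# Constructed sample responses (not real API output). The empty booleanPolicy
# for an explicit "not enforced" value is an assumption about the response.
SAMPLE = {
    "projects/example-prod": {"constraint": f"constraints/{CONSTRAINT}",
                              "booleanPolicy": {"enforced": True}},
    "projects/example-lab": {"constraint": f"constraints/{CONSTRAINT}",
                             "booleanPolicy": {}},
    "folders/000000000000": {"constraint": f"constraints/{CONSTRAINT}"},
}

if __name__ == "__main__":
    for name, resp in SAMPLE.items():
        print(f"{name}: {classify(resp)}")
    print("no explicit value:", audit(SAMPLE))
```

Resources returned by audit are the ones where the recommendation above, to set the constraint explicitly, has not been followed.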
Last updated 2025-12-15 UTC.