Dataproc Confidential Compute

You can create a Dataproc cluster that usesCompute Engine Confidential VMsto provide inline memory encryption. Confidential VMs use theN2D machine type (with AMD SecureEncrypted Virtualization (SEV)).

Create a cluster with confidential VMs

gcloud command

To create a Dataproc cluster that uses confidential VMs, use thegcloud dataproc clusters create commandwith the--confidential-compute, flag.

Requirements:

  • The master and worker instances must use theN2D machine type (with AMD Secure Encrypted Virtualization (SEV)).
  • The cluster must use one of thesupported Ubuntu images.
  • The cluster must be created in a region and Compute Engine zone that supports theAMD EPYC Rome CPU (N2D machine type) used by confidential VMs (see theCPUs column inAvailable regions and zones). You can run the following command to list the CPUs supported in a Compute Engine zone:
    gcloud compute zones describeZONE_NAME --format="value(availableCpuPlatforms)"
gcloud dataproc clusters createcluster-name \      --confidential-compute \      --image-version=Ubuntu image version \    --region=region with zone that supports the AMD EPYC Rome CPU \    --zone=zone within the region that supports the AMD EPYC Rome CPU \    --master-machine-type=N2D machine type \      --worker-machine-type=N2D machine type" \      other args ...

REST API

To create a Dataproc cluster that uses confidential VMs, includetheConfidentialInstanceConfigas part of aclusters.create request. SetenableConfidentialCompute totrue.

Requirements:

  • masterConfig.machineTypeUrimasterConfig.machineTypeUri, and, if applicable,secondaryWorkerConfig.machineTypeUri: Master and worker instances must use theN2D machine type (with AMD Secure Encrypted Virtualization (SEV)).
  • softwareConfig.imageVersion: The cluster must use one of thesupported Ubuntu images.
  • gceClusterConfig.zoneUri: The cluster must be created in a Compute Engine zone that supports the N2DAMD EPYC Rome CPU used by confidential VMs (see theCPUs column inAvailable regions and zones). You can run the following command to list the CPUs supported in a Compute Engine zone:
    gcloud beta compute zones describe"ZONE_NAME --format="value(availableCpuPlatforms)"

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.