Shared sole-tenant node groups are similar tolocal sole-tenant nodegroups.For example, shared node groups cost the same, consume the same quota, andreside under a parent project in theresource hierarchy.

The difference between shared node groups and local node groups is that otherprojects in your organization can provision virtual machine (VM) instances inthe shared node groups.

Sharing a node group across multiple projects or an organization can help you dothe following:

• Consolidate node groups that you manage into a single project and then sharethose nodes with other projects or the entire organization

• Decrease costs by deleting nodes after consolidating VMs from various projectsinto underutilized node groups

• Manage sole-tenant nodes with a single team

• Share sole-tenant nodes with smaller projects and retain security and accesscontrol boundaries between those projects

• Perform a live migration between node groups within the same project

• Improve the utilization of your node groups and reduce the number of reservedmaintenance nodes when using theMigrate within node group maintenance policy

The following diagram shows a node group that is shared with other projects sothat other departments that manage VMs in those projects can provision VMs in ashared node group.

Utilization benefits of shared node groups

The following table compares projects that use local node groups with projectsthat use shared node groups. Notice that vCPU underutilization decreases inprojects that use shared node groups.

Settings for sharing node groups

Compute Engine uses the following settings for sharing node groups andprovisioning VMs in the shared node groups:

• A share setting that you configure when you create or update the sole-tenantnode group. To specify whether to share the node group with other projects orwith the entire organization, use the gcloud CLI settings(--share-setting,--share-with) or REST settings(shareSetting,shareWith).

• A defaultcompute.googleapis.com/project node affinity label that you usewhen you provision a VM in a shared node group by using node affinity labels.For information about the other default node affinity labels, seeDefault affinity labels.

Maintenance policy considerations

When a node group uses theMigrate within node group maintenance policy,Compute Engine reserves at least 1 node for live migration events, sothe node group must have at least 2 nodes. You can't schedule VMs on thereserved node, so node groups with this maintenance policy often have loweroverall utilization. This makes workloads that require theMigrate within nodegroup maintenance policy good candidates for node group sharing, as they oftensee the greatest benefit from improved utilization.

IAM roles and permissions

Keep in mind the following information about IAM roles and permissions when youshare a node group:

• If a node group is shared with a project, any user that can create VMs in thelisted projects or in the organization can provision VMs from those projectsonto the shared node group without any changes to IAM roles or permissions.

• Thecompute.soleTenantViewer IAM role lets you list and view node groups(gcloud CLI/REST).You cannot modify node groups with this role. Any user with this role or withpermissions to list node groups, regardless of the IAM permissions on the VM,can view the project ID, name, machine type, and information about local SSDsand GPUs for all VMs in the node group.

Limitations

• Compliance regime limitations:

  • Regardless of the IAM permissions on the VM, any user with permissions tolist node groups can view the project ID, name, and machine type for all VMsin the node group. Thus, due to risk of cross-project informationdisclosure, projects that have VMs provisioned in shared node groups shouldbe under the samecompliance regime.

• Google Cloud console limitations:

  • If you don't have permission to view VMs on the shared node group, those VMswon't appear on the VM list on theSole-tenant nodes page in theGoogle Cloud console.
  • After modifying the sharing settings on theSole-tenant node groupspage, theShared with setting is not updated in the UI. To see theupdatedShared with setting, go to theSole-tenant nodes page.
  • After sharing a node group with all projects within an organization or withselected projects within an organization, you can only see the shared nodegroup from its owning project; you can't see the shared node group from theprojects it has been shared with. To provision a VM on the shared nodegroup, from the project that the node group is shared with, go to theVMinstances page, and then modify the sole tenancy node affinity labels.

• Sharing limitations:

  • You must update the sharing settings from the project that owns the nodegroup.
  • You can specify a maximum of 100 projects when you use theprojects sharesetting.
  • You cannot share node groups between organizations. For example, if youmigrate a project that containsa shared node group from one organization to another, you must also migrateall projects that have VMs running in that shared node group.
  • You cannot perform live migration between projects while using sharedsole-tenant node groups. For more information, seeManually live migrate VMs.

Pricing

VMs in shared node groups don't incur additional charges, and there are noadditional charges for sharing node groups. For more information aboutsole-tenant node pricing, seeSole-tenant node pricing.

Before you begin

• Before creating a sole-tenant node group,create a sole-tenant node template.
• Before provisioning VMs in a sole-tenant node,check your quota. Depending on the number and size of nodes that you reserve, you might need torequest additional quota.
• If you haven't already, set upauthentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:

  Select the tab for how you plan to use the samples on this page:

  Console

  When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

  gcloud

  1. Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:

     gcloudinit

     If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

     Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.
  2. Set a default region and zone.

  REST

  To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

  Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:

  gcloudinit

  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.

  For more information, seeAuthenticate for using REST in the Google Cloud authentication documentation.

Create a new node group and share it

To create a new node group and share it with other projects or with the entireorganization, use the Google Cloud console, gcloud CLI, orREST.

gcloud compute sole-tenancy node-groups createNODE_GROUP \    --zone=ZONE \    --node-template=NODE_TEMPLATE \    --target-size=SIZE \    --share-setting=SHARE_SETTING \    --share-with=PROJECTS

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/nodeGroups{  ...  "name":NODE_GROUP,  "nodeTemplate":NODE_TEMPLATE,  "size":SIZE,  "shareSettings": {    "shareType":SHARE_TYPE,    "projectMap": {      string: {        "projectId":PROJECTS      },    }  }  ...}

Provision a sole-tenant VM in a shared node group

To provision a sole-tenant VM in a shared node group, use theGoogle Cloud console, gcloud CLI, orREST.

gcloud compute instances createVM_NAME \    --machine-type=MACHINE_TYPE \    --node-group=NODE_GROUP \    --node-project=NODE_PROJECT

gcloud compute instances createVM_NAME \    --machine-type=MACHINE_TYPE \    --node-affinity-file=NODE_AFFINITY_FILE

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/instances{  ...  "name":VM_NAME,  "machineType":MACHINE_TYPE,  "scheduling": {    ...    "nodeAffinities": [      {        "key":KEY,        "operator":OPERATOR,        "values": [VALUE        ]      }    ],    ...  },  ...}

View the sharing settings of a node group

To view the sharing settings of a node group, use the Google Cloud console,gcloud CLI, or REST.

gcloud compute sole-tenancy node-groups describeNODE_GROUP

GET https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/nodeGroups

Share an existing node group

To share an existing node group with other projects or the entire organization,use the Google Cloud console, gcloud CLI, orREST.

gcloud compute sole-tenancy node-groups updateNODE_GROUP \    --zone=ZONE \    --share-setting=SHARE_SETTING \    --share-with=PROJECTS

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/nodeGroups/NODE_GROUP{  "shareSettings": {    "shareType":SHARE_TYPE,    "projectMap": {      string: {        "projectId":PROJECTS      },    }  }}

Stop sharing a node group

To stop sharing a node group with other projects or the entire organization, usethe gcloud CLI or REST.

gcloud compute sole-tenancy node-groups updateNODE_GROUP \    --zone=ZONE \    --share-setting=local

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/nodeGroups/NODE_GROUP{  "shareSettings": {    "shareType":LOCAL  }}

Delete a shared node group from the owning project

To delete a shared node group from the owning project, use theGoogle Cloud console, gcloud CLI, orREST. Before deleting a node group, stop all VMs that arerunning in the node group.

gcloud compute sole-tenancy node-groups deleteNODE_GROUP

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/nodeGroups/NODE_GROUP