gcloud compute instances import - create Compute Engine virtual machine instances from virtual appliance in OVA/OVF format

gcloud compute instances importINSTANCE_NAME--source-uri=SOURCE_URI[--no-address][--async][--byol][--can-ip-forward][--cloudbuild-service-account=CLOUDBUILD_SERVICE_ACCOUNT][--compute-service-account=COMPUTE_SERVICE_ACCOUNT][--deletion-protection][--description=DESCRIPTION][--no-guest-environment][--guest-os-features=[GUEST_OS_FEATURE,…]][--hostname=HOSTNAME][--labels=[KEY=VALUE,…]][--log-location=LOG_LOCATION][--machine-type=MACHINE_TYPE][--network=NETWORK][--network-tier=NETWORK_TIER][--os=OS][--private-network-ip=PRIVATE_NETWORK_IP][--no-restart-on-failure][--subnet=SUBNET][--tags=TAG,[TAG,…]][--timeout=TIMEOUT; default="2h"][--zone=ZONE][--custom-cpu=CUSTOM_CPU--custom-memory=CUSTOM_MEMORY :--custom-extensions--custom-vm-type=CUSTOM_VM_TYPE][--node=NODE    |--node-affinity-file=PATH_TO_FILE    |--node-group=NODE_GROUP][--scopes=[SCOPE,…]    |--no-scopes][--service-account=SERVICE_ACCOUNT    |--no-service-account][GCLOUD_WIDE_FLAG …]

Importing OVF involves:

• Unpacking OVF package (if in OVA format) to Cloud Storage.
• Import disks from OVF to Compute Engine.
• Translate the boot disk to make it bootable in Compute Engine.
• Create a VM instance using OVF metadata and imported disks and boot it.

OVF import tool requires Cloud Build to be enabled. Seehttps://cloud.google.com/compute/docs/import/import-ovf-files#enable-cloud-buildVirtual machine instances, images and disks in Compute engine and files storedon Cloud Storage incur charges. Seehttps://cloud.google.com/compute/docs/images/importing-virtual-disks#resource_cleanup.

INSTANCE_NAME

Name of the instance to import. For details on valid instance names, refer tothe criteria documented under the field 'name' at:https://cloud.google.com/compute/docs/reference/rest/v1/instances

--source-uri=SOURCE_URI

Cloud Storage path to one of: OVF descriptor OVA file Directory with OVFpackage. For more information about Cloud Storage URIs, seehttps://cloud.google.com/storage/docs/request-endpoints#json-api.

--no-address

If provided, the instances are not assigned external IP addresses. To pullcontainer images, you must configure private Google access if using ContainerRegistry or configure Cloud NAT for instances to access container imagesdirectly. For more information, see:

• https://cloud.google.com/vpc/docs/configure-private-google-access
• https://cloud.google.com/nat/docs/using-nat

--async

Return immediately, without waiting for the operation in progress to complete.

--byol

Specifies that you want to import an image with an existing license. Importingan image with an existing license is known as bring your own license (BYOL).

--byol can be specified in any of the following ways:

+`--byol--os=rhel-8`:importsaRHEL8imagewithanexistinglicense.+`--os=rhel-8-byol`:importsaRHEL8imagewithanexistinglicense.+`--byol`:detectstheOScontainedonthedisk,andimportstheimagewithanexistinglicense.

For more information about BYOL, see:https://cloud.google.com/compute/docs/nodes/bringing-your-own-licenses

--can-ip-forward

If provided, allows the instances to send and receive packets with non-matchingdestination or source IP addresses.

--cloudbuild-service-account=CLOUDBUILD_SERVICE_ACCOUNT

Image import and export tools use Cloud Build to import and export images to andfrom your project. Cloud Build uses a specific service account to execute buildson your behalf. The Cloud Build service account generates an access token forother service accounts and it is also used for authentication when building theartifacts for the image import tool.

Use this flag to to specify a user-managed service account for image import andexport. If you don't specify this flag, Cloud Build runs using your project'sdefault Cloud Build service account. To set this option, specify the emailaddress of the desired user-managed service account. Note: You must specify the--logs-location flag when you set a user-managed service account.

At minimum, the specified user-managed service account needs to have thefollowing roles assigned:

• roles/compute.admin
• roles/iam.serviceAccountTokenCreator
• roles/iam.serviceAccountUser

--compute-service-account=COMPUTE_SERVICE_ACCOUNT

A temporary virtual machine instance is created in your project during instanceimport. Instance import tooling on this temporary instance must beauthenticated.

A Compute Engine service account is an identity attached to an instance. Itsaccess tokens can be accessed through the instance metadata server and can beused to authenticate instance import tooling on the instance.

To set this option, specify the email address corresponding to the requiredCompute Engine service account. If not provided, the instance import on thetemporary instance uses the project's default Compute Engine service account.

At a minimum, you need to grant the following roles to the specified Cloud Buildservice account:

• roles/compute.storageAdmin
• roles/storage.objectViewer

--deletion-protection

Enables deletion protection for the instance.

--description=DESCRIPTION

Specifies a textual description of the VM instances.

--guest-environment

The guest environment will be installed on the instance. Enabled by default, use--no-guest-environment to disable.

--guest-os-features=[GUEST_OS_FEATURE,…]

Enables one or more features for VM instances that use the image for their bootdisks. See the descriptions of supported features at:https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images#guest-os-features.GUEST_OS_FEATURE must be (only one value is supported):UEFI_COMPATIBLE.

--hostname=HOSTNAME

Specify the hostname of the VM instance to be imported. The specified hostnamemust be RFC1035 compliant. If hostname is not specified, the default hostname is[INSTANCE_NAME].c.[PROJECT_ID].internal when using the global DNS, and[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal when using zonal DNS.

--labels=[KEY=VALUE,…]

List of label KEY=VALUE pairs to add.

Keys must start with a lowercase character and contain only hyphens(-), underscores (_), lowercase characters, andnumbers. Values must contain only hyphens (-), underscores(_), lowercase characters, and numbers.

--log-location=LOG_LOCATION

Directory in Cloud Storage to hold build logs. If not set,gs://<project num>.cloudbuild-logs.googleusercontent.com/ iscreated and used.

--machine-type=MACHINE_TYPE

Specifies the machine type used for the instances. To get a list of availablemachine types, run 'gcloud compute machine-types list'. If unspecified, thedefault type is n1-standard-1.

--network=NETWORK

Specifies the network that the VM instances are a part of. If--subnet is also specified, subnet must be a subnetwork of thenetwork specified by this--network flag. If neither is specified,the default network is used.

--network-tier=NETWORK_TIER

Specifies the network tier that will be used to configure the instance.NETWORK_TIER must be one of:PREMIUM,STANDARD. The default value isPREMIUM.

--os=OS

Specifies the OS of the image being imported.OS must beone of:centos-7,centos-stream-8,centos-stream-9,debian-10,debian-11,debian-8,debian-9,opensuse-15,rhel-6,rhel-6-byol,rhel-7,rhel-7-byol,rhel-8,rhel-8-byol,rhel-9,rhel-9-byol,rocky-8,rocky-9,sles-12,sles-12-byol,sles-15,sles-15-byol,sles-sap-12,sles-sap-12-byol,sles-sap-15,sles-sap-15-byol,ubuntu-1404,ubuntu-1604,ubuntu-1804,ubuntu-2004,ubuntu-2204,windows-10-x64-byol,windows-10-x86-byol,windows-11-x64-byol,windows-2008r2,windows-2008r2-byol,windows-2012,windows-2012-byol,windows-2012r2,windows-2012r2-byol,windows-2016,windows-2016-byol,windows-2019,windows-2019-byol,windows-2022,windows-2022-byol,windows-7-x64-byol,windows-7-x86-byol,windows-8-x64-byol,windows-8-x86-byol.

--private-network-ip=PRIVATE_NETWORK_IP

Specifies the RFC1918 IP to assign to the instance. The IP should be in thesubnet or legacy network IP range.

--restart-on-failure

The instances will be restarted if they are terminated by Compute Engine. Thisdoes not affect terminations performed by the user. Enabled by default, use--no-restart-on-failure to disable.

--subnet=SUBNET

Specifies the subnet that the VM instances are a part of. If--network is also specified, subnet must be a subnetwork of thenetwork specified by the--network flag.

--tags=TAG,[TAG,…]

Specifies a list of tags to apply to the instance. These tags allow networkfirewall rules and routes to be applied to specified VM instances. Seegcloud computefirewall-rules create(1) for more details.

To read more about configuring network tags, read this guide:https://cloud.google.com/vpc/docs/add-remove-network-tags

To list instances with their respective status and tags, run:

gcloudcomputeinstanceslist--format='table(name,status,tags.list())'

To list instances tagged with a specific tag,tag1, run:

gcloudcomputeinstanceslist--filter='tags:tag1'

--timeout=TIMEOUT; default="2h"

Maximum time an import can last before it fails as "TIMEOUT". For example, ifyou specify2h, the process fails after 2 hours. See $gcloud topic datetimes forinformation about duration formats.

This timeout option has a maximum value of 24 hours.

--zone=ZONE

Zone of the instance to import. If not specified and thecompute/zone property isn't set, you mightbe prompted to select a zone (interactive mode only).

To avoid prompting when this flag is omitted, you can set thecompute/zone property:

gcloudconfigsetcompute/zoneZONE

A list of zones can be fetched by running:

gcloudcomputezoneslist

To unset the property, run:

gcloudconfigunsetcompute/zone

Alternatively, the zone can be stored in the environment variableCLOUDSDK_COMPUTE_ZONE.

Custom machine type extensions.

--custom-cpu=CUSTOM_CPU

A whole number value specifying the number of cores that are needed in thecustom machine type.

For some machine types, shared-core values can also be used. For example, for E2machine types, you can specifymicro,small, ormedium.

This flag argument must be specified if any of the other arguments in this groupare specified.

--custom-memory=CUSTOM_MEMORY

A whole number value indicating how much memory is desired in the custom machinetype. A size unit should be provided (eg. 3072MB or 9GB) - if no units arespecified, GB is assumed.

This flag argument must be specified if any of the other arguments in this groupare specified.

--custom-extensions

Use the extended custom machine type.

--custom-vm-type=CUSTOM_VM_TYPE

Specifies a custom machine type. The default isn1. For moreinformation about custom machine types, see:https://cloud.google.com/compute/docs/general-purpose-machines#custom_machine_types

Sole Tenancy.

At most one of these can be specified:

--node=NODE

The name of the node to schedule this instance on.

--node-affinity-file=PATH_TO_FILE

The JSON/YAML file containing the configuration of desired nodes onto which thisinstance could be scheduled. These rules filter the nodes according to theirnode affinity labels. A node's affinity labels come from the node template ofthe group the node is in.

The file should contain a list of a JSON/YAML objects. For an example, seehttps://cloud.google.com/compute/docs/nodes/provisioning-sole-tenant-vms#configure_node_affinity_labels.The following list describes the fields:

key

Corresponds to the node affinity label keys of the Node resource.

operator

Specifies the node selection type. Must be one of:IN: RequiresCompute Engine to seek for matched nodes.NOT_IN: Requires ComputeEngine to avoid certain nodes.

values

Optional. A list of values which correspond to the node affinity label values ofthe Node resource.

Use a full or relative path to a local file containing the value ofnode_affinity_file.

--node-group=NODE_GROUP

The name of the node group to schedule this instance on.

At most one of these can be specified:

--scopes=[SCOPE,…]

If not provided, the instance will be assigned the default scopes, describedbelow. However, if neither--scopes nor--no-scopesare specified and the project has no default service account, then the VMinstance is imported with no scopes. Note that the level of access that aservice account has is determined by a combination of access scopes and IAMroles so you must configure both access scopes and IAM roles for the serviceaccount to work properly.

SCOPE can be either the full URI of the scope or an alias.Defaultscopes are assigned to all instances. Available aliases are:

Alias	URI
bigquery	https://www.googleapis.com/auth/bigquery
cloud-platform	https://www.googleapis.com/auth/cloud-platform
cloud-source-repos	https://www.googleapis.com/auth/source.full_control
cloud-source-repos-ro	https://www.googleapis.com/auth/source.read_only
compute-ro	https://www.googleapis.com/auth/compute.readonly
compute-rw	https://www.googleapis.com/auth/compute
datastore	https://www.googleapis.com/auth/datastore
default	https://www.googleapis.com/auth/devstorage.read_only
	https://www.googleapis.com/auth/logging.write
	https://www.googleapis.com/auth/monitoring.write
	https://www.googleapis.com/auth/pubsub
	https://www.googleapis.com/auth/service.management.readonly
	https://www.googleapis.com/auth/servicecontrol
	https://www.googleapis.com/auth/trace.append
gke-default	https://www.googleapis.com/auth/devstorage.read_only
	https://www.googleapis.com/auth/logging.write
	https://www.googleapis.com/auth/monitoring
	https://www.googleapis.com/auth/service.management.readonly
	https://www.googleapis.com/auth/servicecontrol
	https://www.googleapis.com/auth/trace.append
logging-write	https://www.googleapis.com/auth/logging.write
monitoring	https://www.googleapis.com/auth/monitoring
monitoring-read	https://www.googleapis.com/auth/monitoring.read
monitoring-write	https://www.googleapis.com/auth/monitoring.write
pubsub	https://www.googleapis.com/auth/pubsub
service-control	https://www.googleapis.com/auth/servicecontrol
service-management	https://www.googleapis.com/auth/service.management.readonly
sql (deprecated)	https://www.googleapis.com/auth/sqlservice
sql-admin	https://www.googleapis.com/auth/sqlservice.admin
storage-full	https://www.googleapis.com/auth/devstorage.full_control
storage-ro	https://www.googleapis.com/auth/devstorage.read_only
storage-rw	https://www.googleapis.com/auth/devstorage.read_write
taskqueue	https://www.googleapis.com/auth/taskqueue
trace	https://www.googleapis.com/auth/trace.append
userinfo-email	https://www.googleapis.com/auth/userinfo.email

DEPRECATION WARNING:https://www.googleapis.com/auth/sqlserviceaccount scope andsql alias do not provide SQL instance managementcapabilities and have been deprecated. Please, usehttps://www.googleapis.com/auth/sqlservice.adminorsql-admin to manage your Google SQL Service instances.

--no-scopes

Import instance without scopes

At most one of these can be specified:

--service-account=SERVICE_ACCOUNT

A service account is an identity attached to the instance. Its access tokens canbe accessed through the instance metadata server and are used to authenticateapplications on the instance. The account can be set using an email addresscorresponding to the required service account.

If not provided, the instance will use the project's default service account.

--no-service-account

Import instance without service account

Run$gcloud help for details.