Create a Vertex AI Workbench instance
This page shows you how to create a Vertex AI Workbench instance by usingthe Google Cloud console or the Google Cloud CLI. While creating your instance,you can configure your instance's hardware, encryption type, network,and other details.
Before you begin
Before you create a Vertex AI Workbench instance, you must completethe following steps:
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission.Learn how to grant roles.
Verify that billing is enabled for your Google Cloud project.
Enable the Notebooks API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission.Learn how to grant roles.In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission.Learn how to grant roles.
Verify that billing is enabled for your Google Cloud project.
Enable the Notebooks API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission.Learn how to grant roles.
Required roles
To get the permissions that you need to create and manage a Vertex AI Workbench instance, ask your administrator to grant you theNotebooks Admin (roles/notebooks.admin) IAM role on the project. For more information about granting roles, seeManage access to projects, folders, and organizations.
You might also be able to get the required permissions throughcustom roles or otherpredefined roles.
Create an instance
You can create a Vertex AI Workbench instanceby using the Google Cloud console, the gcloud CLI,or Terraform:
Console
In the Google Cloud console, go to theInstances page.
Click Create new.
In theNew instance dialog, clickAdvanced options.
In theCreate instance dialog,in theDetails section,provide the following information for your new instance:
- Name: Provide a name for your new instance. The namemust start with a letter followed by up to 62 lowercase letters,numbers, or hyphens (-), and cannot end with a hyphen.
- Region andZone: Select a region and zone forthe new instance. For best network performance,select the region that is geographically closest to you.See the availableVertex AI Workbenchlocations.
- Labels: Optional. Provide custom key-value labels for theinstance.
- Network tags: Optional. Providenetwork tagsfor the instance.
In theEnvironment section, provide the following:
- JupyterLab version: Select a JupyterLab version.
- Version: Use the latest version or a previous versionof Vertex AI Workbench instances.
- Post-startup script: Optional. ClickBrowse toselect a script to run one time, after the instance is created.The path must be a URL or Cloud Storage path,for example:
gs://PATH_TO_FILE/FILE_NAME. - Metadata: Optional. Provide custom metadata keys for theinstance.
In theMachine type section, provide the following:
- Machine type: Select the number of CPUs and amount of RAM for yournew instance. Vertex AI Workbench provides monthly costestimates for each machine type that you select.
GPU: Optional. If you want GPUs, select theGPU typeandNumber of GPUs for your new instance. The accelerator typethat you want must be available in your instance'szone. To learn about accelerator availability by zone, seeGPU regions and zonesavailability.For information about the different GPUs, seeGPUs on Compute Engine.
SelectInstall NVIDIA GPU driver automatically for me.
Note: You can modify the machine type and GPU configuration foryour instance after it is created.For more information, seeChange machine type and configure GPUs ofa Vertex AI Workbench instance.Shielded VM: Optional. Select or clear the following checkboxes:
- Secure Boot
- Virtual Trusted Platform Module (vTPM)
- Integrity monitoring
Idle shutdown: Optional.
To change the number of minutes before shutdown,in theTime of inactivity before shutdown (Minutes) field,change the value to an integer from 10 through 1440.
To turn off idle shutdown, clearEnable Idle Shutdown.
In theDisks section, provide the following:
Disks: Optional. To change the default data disk settings,select aData disk type andData disk size in GB.For more information about disk types, seeStorage options.
Delete to trash: Optional. Select this checkbox to usethe operating system's default trash behavior, If you usethe default trash behavior, files deleted by using the JupyterLabuser interface are recoverable but these deleted filesdo use disk space.
Encryption: SelectGoogle-managed encryption key orCustomer-managed encryption key (CMEK).To use CMEK, seeCustomer-managed encryption keys.
In theNetworking section, provide the following:
Networking: Adjust the network options to use a network inyour current project or aShared VPC network froma host project, if one is configured. If you are using aShared VPCin the host project, you must also grant theCompute Network User role(
roles/compute.networkUser) to theNotebooks ServiceAgentfrom the service project.In theNetwork field, select the network that you want. Youcan select a VPC network, as long as the networkhasPrivate Google Accessenabled or can access the internet. For more information,seenetwork configuration options.
In theSubnetwork field, select the subnetwork that you want.
To turn off the external IP address,clear theAssign external IP address checkbox.
Note: If you disableAssign external IP address, make sureto add DNS entries from theNetwork configuration optionssection.To turn off proxy access, clear theAllow proxy access checkbox.
Note: If you turn off proxy access, you mustuse SSH to connectto your instance's JupyterLab interface.
In theIAM and security section, provide the following:
IAM and security: To grant access to the instance'sJupyterLab interface, complete one of the following steps:
To grant access to JupyterLab through a service account,selectService account.
Caution: After you create the instance, you can't change the specified service account, either directly or by modifying the underlying Compute Engine VM. To use a different service account, you must create a new instance specifying the service account that you want.To use the default Compute Engine service account,selectUse default Compute Engine service account.
To use a custom service account, clearUsedefault Compute Engine service account, and then,in theService account email field, enteryour custom service account email address.
To grant a single user access to the JupyterLab interface,do the following:
SelectSingle user, and then,in theUser email field,enter the user account that you want to grant access. If thespecified user is not the creator of the instance, you must grantthe specified user theService Account Userrole(
roles/iam.serviceAccountUser) on theinstance's service account.Your instance uses a service account to interact withGoogle Cloud services and APIs.
To use thedefault Compute Engine service account,selectUse default Compute Engine service account.
To use a custom service account, clearUsedefault Compute Engine service account, and then,in theService account email field, enteryour custom service account email address.
To learn more about granting access,seeManage access.
Security options: Select or clear the following checkboxes:
- Root access to the instance
- nbconvert
- File downloading
- Terminal access
In theSystem health section, provide the following:
Environment upgrade and system health:To automatically upgrade to newly released environment versions,selectEnvironment auto-upgrade and complete theUpgrade schedule.
InReporting, select or clear the following checkboxes:
- Report system health
- Report custom metrics to Cloud Monitoring
- Install Cloud Monitoring
- Report DNS status for required Google domains
ClickCreate.
Vertex AI Workbench creates an instance and automatically starts it.When the instance is ready to use, Vertex AI Workbenchactivates anOpen JupyterLab link.
gcloud
Before using any of the command data below, make the following replacements:
INSTANCE_NAME: the name of your Vertex AI Workbench instance; must start with a letter followed by up to 62 lowercase letters, numbers, or hyphens (-), and cannot end with a hyphenPROJECT_ID: your project IDLOCATION: the zone where you want your instance to be locatedVM_IMAGE_PROJECT: the ID of the Google Cloud project that VM image belongs to; the default Google Cloud project ID for supported images iscloud-notebooks-managedVM_IMAGE_NAME: the image name; to find the image name of a specific version, seeFind the specific versionMACHINE_TYPE: themachine type of your instance's VM
To enable the JupyterLab 4 preview, useMETADATA: custom metadata to apply to this instance; for example, to specify a post-startup-script, you can use thepost-startup-scriptmetadata tag, in the format:--metadata=post-startup-script=gs://BUCKET_NAME/hello.sh--metadata=enable-jupyterlab4-preview=true. For more information, seeJupyterLab 4 preview.
Execute the following command:
Linux, macOS, or Cloud Shell
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running eithergcloud init; orgcloud auth login andgcloud config set project.gcloudworkbenchinstancescreateINSTANCE_NAME\--project=PROJECT_ID\--location=LOCATION\--vm-image-project=VM_IMAGE_PROJECT\--vm-image-name=VM_IMAGE_NAME\--machine-type=MACHINE_TYPE\--metadata=METADATA
Windows (PowerShell)
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running eithergcloud init; orgcloud auth login andgcloud config set project.gcloudworkbenchinstancescreateINSTANCE_NAME`--project=PROJECT_ID`--location=LOCATION`--vm-image-project=VM_IMAGE_PROJECT`--vm-image-name=VM_IMAGE_NAME`--machine-type=MACHINE_TYPE`--metadata=METADATA
Windows (cmd.exe)
Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running eithergcloud init; orgcloud auth login andgcloud config set project.gcloudworkbenchinstancescreateINSTANCE_NAME^--project=PROJECT_ID^--location=LOCATION^--vm-image-project=VM_IMAGE_PROJECT^--vm-image-name=VM_IMAGE_NAME^--machine-type=MACHINE_TYPE^--metadata=METADATA
For more information about the command for creating aninstance from the command line, see thegcloud CLIdocumentation.
Vertex AI Workbench creates an instance and automatically starts it.When the instance is ready to use, Vertex AI Workbenchactivates anOpen JupyterLab link in the Google Cloud console.
Terraform
The following sample uses thegoogle_workbench_instanceTerraform resource to createa Vertex AI Workbench instancenamedworkbench-instance-example.
To learn how to apply or remove a Terraform configuration, seeBasic Terraform commands.
resource "google_workbench_instance" "default" { name = "workbench-instance-example" location = "us-central1-a" gce_setup { machine_type = "n1-standard-1" accelerator_configs { type = "NVIDIA_TESLA_T4" core_count = 1 } vm_image { project = "cloud-notebooks-managed" family = "workbench-instances" } }}Change the version of JupyterLab on an existing instance
This section describes how to change the JupyterLab version on your instance byusing the Google Cloud console or the gcloud CLI.
Console
To change the JupyterLab version on an existing instance,do the following:
In the Google Cloud console, go to theInstances page.
Click the name of your instance to open theInstance details page.
On theSystem tab, do one of the following:
To enable JupyterLab 3, clear theEnable JupyterLab 4 checkbox.
To enable JupyterLab 4, leave theEnable JupyterLab 4 checkbox selected.
ClickSubmit.
To restart your instance, select the instance and click Start.
gcloud
You can change the JupyterLab version on an existing instance by usingthe following command:
gcloudworkbenchinstancesupdateINSTANCE_NAME\--project="PROJECT_ID"\--location="LOCATION"\--metadata=enable-jupyterlab4=ENABLEMENT_BOOLEAN
Replace the following:
PROJECT_ID: your project IDLOCATION: the zone where you want your instance to be locatedINSTANCE_NAME: the name of your Vertex AI Workbench instanceENABLEMENT_BOOLEAN: use one of the following:false: changes to JupyterLab 3.true: changes to JupyterLab 4. JupyterLab 4 is enabled, by default.
Limitation of JupyterLab 4
When scheduling a notebook run in JupyterLab 4, Vertex AI Workbench storesa copy of the notebook in its current state in Cloud Storage, and then runsthis copy of the notebook according to the schedule. If you edit the originalnotebook, you must create a new schedule to run the updated version of thenotebook.
Network configuration options
A Vertex AI Workbench instance must access service endpointsthat are outside your VPC network.
You can provide this access in one of the following ways:
Assign an external IP address tothe instance. This is done by default when you createa new instance. Make sure yourenvironment meets therequirements for accessing Google APIs andservices.
Connect the instance to a subnet wherePrivate Google Accessis enabled.Make sure your environment meets therequirements forPrivate Google Access.
If you use theprivate.googleapis.com orrestricted.googleapis.com VIP toprovide access to the service endpoints,add DNS entries for each of the required serviceendpoints:
notebooks.googleapis.com*.notebooks.cloud.google.com*.notebooks.googleusercontent.com*.kernels.googleusercontent.com
For an instance withthird party credentials, add a DNS entry for the following:
*.byoid.googleusercontent.com
Network tags
Your new Vertex AI Workbench instance automatically has thedeeplearning-vm andnotebook-instance network tagsassigned.
These tags let you manage network access to and fromyour Vertex AI Workbench instance by referencing the tags in yourVPC networking firewall rules. For more information aboutnetwork tags, seeAdd network tags.
To view the network tags for a Vertex AI Workbench instance,do the following:
In the Google Cloud console, go to theVM instances page.
Click the name of the instance.
In theNetworking section, findNetwork tags.
Troubleshooting
If you encounter a problem when you create an instance, seeTroubleshootingVertex AI Workbenchfor help with common issues.
What's next
- To use a notebook to help you get started using Vertex AI and other Google Cloud services, seeVertex AI notebook tutorials.
- Create an instance with Confidential Computing enabled.
- To check on the health status of your Vertex AI Workbench instance, seeMonitor health status.
- For a Terraform solution for simplified Vertex AI networking setup, see Simplified Cloud Networking Configuration Solutions.
- You can create a Vertex AI Workbench instance using a private IP. For a Terraform solution, seeWorkbench.
- To learn more about granting access, seeManage access.
- To use CMEK, seeCustomer-managed encryption keys.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.