How to create a virtual machine on Google Compute Engine, including the different methods and what each configuration choice means.
Ways to Create a VM
| Method | Best For |
|---|---|
| Google Cloud Console | Learning, one-off VMs, visual exploration of options |
| gcloud CLI | Scripting, quick launches, automation from your terminal |
| Terraform | Production infrastructure, version-controlled IaC, team collaboration |
| REST API | Programmatic control, integration with custom tools |
Tip: Start with the Console to understand the options, then move to gcloud CLI or Terraform for repeatable deployments.
Configuration Choices
Before creating a VM, you need to make several decisions:
| Choice | What to Decide | Default |
|---|---|---|
| Machine type | vCPU count and memory. See Machine Types and Images for details. | e2-medium |
| Boot disk image | Operating system and version. See Images for available options. | Debian 12 (latest) |
| Region and zone | Where the VM runs. See Regions and Zones for guidance. | us-central1-a |
| Network | Which VPC and subnet. New projects get a default VPC. | default VPC |
| Firewall rules | What traffic is allowed in/out. The default network includes rules for internal traffic, SSH, RDP, and ICMP. HTTP/HTTPS must be explicitly allowed. | Default network rules |
| Service account | Identity the VM uses to call GCP APIs. The Compute Engine default service account is attached by default, but you can choose a custom service account or no service account. | Compute Engine default service account |
| External IP | Whether the VM gets a public IP address. Direct internet SSH needs one, but IAP lets you SSH to private VMs without public IPs. | Ephemeral external IP |
| Startup script | Commands to run when the VM boots. Useful for installing software automatically. | None |
Quickstart: Google Cloud Console
- Go to Navigation menu → Compute Engine → VM instances
- Click Create Instance
- Set Name (e.g., my-first-vm)
- Choose Region and zone (e.g., us-central1/us-central1-a)
- Choose Machine type (start with e2-micro for the free tier, or e2-medium for general use)
- Under Boot disk, click Change to pick your OS image (Debian, Ubuntu, etc.)
- Under Firewall, check Allow HTTP traffic if you plan to run a web server
- Click Create
The VM takes about 30 seconds to start. You’ll see it listed with its external IP.
Tip: If this is your first VM, the Compute Engine API needs to be enabled. The Console will prompt you to enable it automatically.
Quickstart: gcloud CLI
Basic VM (defaults)

```bash
gcloud compute instances create my-first-vm \
  --zone=us-central1-a \
  --machine-type=e2-micro
```

With specific image and machine type

```bash
gcloud compute instances create my-web-server \
  --zone=us-central1-a \
  --machine-type=e2-medium \
  --image-family=debian-12 \
  --image-project=debian-cloud \
  --tags=http-server \
  --metadata=startup-script='#!/bin/bash
apt-get update
apt-get install -y nginx'
```

Spot VM (up to 91% cheaper)

```bash
gcloud compute instances create spot-vm \
  --zone=us-central1-a \
  --machine-type=e2-medium \
  --provisioning-model=SPOT \
  --instance-termination-action=STOP
```

Note: Spot VMs can be reclaimed by Google with a 30-second warning via metadata. Use instance-termination-action to control what happens (STOP by default, or DELETE).
Quickstart: Terraform
```hcl
resource "google_compute_instance" "my_vm" {
  name         = "my-first-vm"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
    access_config {
      // Ephemeral external IP
    }
  }

  metadata = {
    startup-script = "apt-get update && apt-get install -y nginx"
  }
}
```

Tip: Terraform is the recommended approach for any infrastructure you’ll maintain long-term. It tracks state, supports drift detection, and makes changes reproducible.
After Creating Your VM
Connecting via SSH
| Method | Command / Steps |
|---|---|
| Console | Click SSH button next to the VM in the Console. Opens a browser-based terminal. |
| gcloud CLI | gcloud compute ssh my-first-vm --zone=us-central1-a |
| OS Login | Use your Google identity for SSH access. Enable via metadata: enable-oslogin=TRUE |
Managing the VM
```bash
# Stop the VM (stops billing for compute, disks still charged)
gcloud compute instances stop my-first-vm --zone=us-central1-a

# Start it again
gcloud compute instances start my-first-vm --zone=us-central1-a

# Delete the VM and its disk
gcloud compute instances delete my-first-vm --zone=us-central1-a
```

Warning: Stopping a VM stops compute charges but you still pay for the persistent disk. To stop all charges, delete the VM (which deletes the disk by default) or delete the disk separately.
Security Defaults for a First VM
| Area | Safer Beginner Default | Why It Matters |
|---|---|---|
| SSH access | Avoid opening SSH broadly to 0.0.0.0/0. Use OS Login, IAP, or a restricted source IP range. | Public SSH exposure is one of the easiest ways to create unnecessary attack surface. |
| Web traffic | Only allow HTTP/HTTPS if the VM is meant to serve a website. | Firewall rules should match the workload, not the tutorial habit. |
| Service account | Use the least-privilege service account your VM needs. Avoid broad editor-style permissions. | Anything running on the VM can use that identity to call Google Cloud APIs. |
| External IP | Skip the external IP for private workloads and connect through IAP or a bastion pattern. | Public IPs make access simpler but increase exposure. |
| Billing cleanup | Delete unused VMs, retained disks, and reserved static IPs. | Stopped VMs stop compute billing, but disks and some IP resources can continue billing. |
Tip: For learning, a public e2-micro VM is fine. For real environments, start with private access, least-privilege identity, explicit firewall rules, and budget alerts.
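The table above lists safer defaults one at a time; the script below, an added example rather than code from the page or from Google's documentation, puts them together as a gcloud workflow: a dedicated service account granted only log and metric writer roles, a firewall rule that admits SSH solely from Google's IAP TCP-forwarding range (35.235.240.0/20), and a Shielded VM with no external IP, OS Login enabled, and SSH tunnelled through IAP. The project id, zone, VM, tag and service-account names are placeholders. Commands are printed rather than executed unless DRY_RUN=0, so the script can be read and checked offline before it touches a project.

```shell
#!/bin/sh
# Added example: create a first VM with safer defaults via gcloud.
# Not from the page. All names below are placeholders; override via env.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"      # placeholder project id
ZONE="${ZONE:-us-central1-a}"
VM_NAME="${VM_NAME:-my-private-vm}"
SA_NAME="${SA_NAME:-vm-least-priv}"             # placeholder service account
SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"
IAP_RANGE="35.235.240.0/20"   # Google's IAP TCP-forwarding source range
DRY_RUN="${DRY_RUN:-1}"       # 1 = print commands only (default); 0 = run them

# run: echo the command, and execute it only when DRY_RUN=0.
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# A VM identity that can write logs and metrics and nothing else.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
      --project="$PROJECT_ID" --display-name="Least-privilege VM identity"
  for role in roles/logging.logWriter roles/monitoring.metricWriter; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="serviceAccount:$SA_EMAIL" --role="$role"
  done
}

# SSH is reachable only from IAP, never from 0.0.0.0/0.
allow_ssh_from_iap_only() {
  run gcloud compute firewall-rules create allow-ssh-from-iap \
      --project="$PROJECT_ID" --network=default --direction=INGRESS \
      --allow=tcp:22 --source-ranges="$IAP_RANGE" --target-tags=ssh-via-iap
}

# No external IP, custom service account, OS Login, Shielded VM options.
# --scopes=cloud-platform lets IAM roles (not legacy scopes) bound access.
create_private_vm() {
  run gcloud compute instances create "$VM_NAME" \
      --project="$PROJECT_ID" --zone="$ZONE" --machine-type=e2-micro \
      --image-family=debian-12 --image-project=debian-cloud \
      --no-address \
      --service-account="$SA_EMAIL" --scopes=cloud-platform \
      --metadata=enable-oslogin=TRUE \
      --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring \
      --tags=ssh-via-iap
}

# Connect without a public IP by tunnelling SSH through IAP.
ssh_via_iap() {
  run gcloud compute ssh "$VM_NAME" --project="$PROJECT_ID" \
      --zone="$ZONE" --tunnel-through-iap
}

create_service_account
allow_ssh_from_iap_only
create_private_vm
ssh_via_iap
```

Run it once with the default DRY_RUN=1 to review the exact commands, then `DRY_RUN=0 PROJECT_ID=<your-project> sh create-private-vm.sh` to apply them. The IAP tunnel is what replaces the ephemeral external IP the Console assigns by default; the firewall rule still has to exist, because IAP forwards into the VPC like any other source.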
Common First-Time Mistakes
| Mistake | What Happens | How to Avoid |
|---|---|---|
| Forgetting firewall rules | Can’t reach your web server from the internet | Add a firewall rule allowing HTTP (port 80) or use the http-server tag |
| Leaving VMs running | Ongoing charges even when you’re not using them | Stop or delete VMs when done. Set up budget alerts. |
| Wrong machine type | Overpaying for resources you don’t need | Start with e2-micro (free tier) or e2-medium. Resize later. |
| Not setting budget alerts | Unexpected bill at the end of the month | Set up a billing budget alert immediately after signup. |
| Picking a non-US region for free tier | Free tier e2-micro only works in us-west1, us-central1, us-east1 | Stick to these three regions for free tier usage. |
| Attaching a broad service account | Code on the VM can call more Google Cloud APIs than intended | Use a custom least-privilege service account for non-learning workloads. |
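Several rows above (leaving VMs running, retained disks, broad service accounts, public IPs) are things a quick audit can catch after the fact. The script below is an added example, not code from the page: `audit_instances` reads a CSV projection of `gcloud compute instances list` and prints one finding per stopped VM, VM with an external IP, or VM still on the default compute service account, while `list_live_findings` prints the gcloud commands that pull that projection plus unattached disks and idle reserved addresses. The project id is a placeholder, the sample instance lines are constructed, and the field projection (`networkInterfaces[0].accessConfigs[0].natIP`, `serviceAccounts[0].email`) reflects my understanding of gcloud's resource keys; verify it against `--format=json` on your own project.

```shell
#!/bin/sh
# Added example (not from the page): audit a project for the beginner
# mistakes listed above. PROJECT_ID and the sample data are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder project id
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, don't call gcloud

run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# One instance per line, no header: name,zone,status,externalIP,serviceAccount
INSTANCE_FORMAT='csv[no-heading](name,zone.basename(),status,networkInterfaces[0].accessConfigs[0].natIP,serviceAccounts[0].email)'

# audit_instances: reads INSTANCE_FORMAT lines on stdin, prints findings.
audit_instances() {
  while IFS=, read -r name zone status nat_ip sa_email; do
    [ -n "$name" ] || continue
    case "$status" in
      TERMINATED)
        printf '%s (%s): stopped, persistent disk still billed\n' "$name" "$zone" ;;
    esac
    [ -z "$nat_ip" ] || printf '%s (%s): external IP %s, consider --no-address + IAP\n' \
        "$name" "$zone" "$nat_ip"
    case "$sa_email" in
      *-compute@developer.gserviceaccount.com)
        printf '%s (%s): uses the default compute service account\n' "$name" "$zone" ;;
    esac
  done
}

# Constructed sample in the INSTANCE_FORMAT projection (not real data):
# one public VM on the default SA, one hardened VM, one stopped leftover.
SAMPLE_INSTANCES='my-first-vm,us-central1-a,RUNNING,203.0.113.10,123456789012-compute@developer.gserviceaccount.com
my-private-vm,us-central1-a,RUNNING,,vm-least-priv@my-project-id.iam.gserviceaccount.com
old-test,us-east1-b,TERMINATED,,123456789012-compute@developer.gserviceaccount.com'

# count_findings: number of finding lines produced for the sample.
count_findings() {
  printf '%s\n' "$SAMPLE_INSTANCES" | audit_instances | wc -l | tr -d ' '
}

# Live checks against a real project (printed only unless DRY_RUN=0).
list_live_findings() {
  run gcloud compute instances list --project="$PROJECT_ID" --format="$INSTANCE_FORMAT"
  # Disks with no attached instance: still charged per GB-month.
  run gcloud compute disks list --project="$PROJECT_ID" --filter="-users:*" \
      --format="table(name,zone.basename(),sizeGb)"
  # Reserved static addresses that are not in use: charged while idle.
  run gcloud compute addresses list --project="$PROJECT_ID" --filter="status=RESERVED" \
      --format="table(name,region.basename(),address)"
}

printf '%s\n' "$SAMPLE_INSTANCES" | audit_instances
list_live_findings
```

Against the constructed sample the audit reports four findings: the public VM's external IP and default service account, and the stopped VM's retained disk and default service account; the hardened VM produces none. To audit a real project, pipe the output of the first `gcloud compute instances list` command (with DRY_RUN=0) into `audit_instances`.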
TL;DR
- Four ways to create a VM: Console (visual), gcloud CLI (scripting), Terraform (IaC), REST API (programmatic).
- Key decisions: machine type, boot disk image, region/zone, network/firewall, service account.
- Console is best for learning. Terraform is best for production. gcloud CLI bridges both.
- After creating a VM, connect via SSH (Console button or gcloud compute ssh). Stop or delete VMs when not in use to avoid charges.
- For production-style access, prefer OS Login and IAP/private connectivity over broad public SSH.
- The most common beginner mistake is forgetting firewall rules. If you can’t reach your VM, check the firewall first.
Resources
Compute Engine Quickstart Official guide to creating a Linux VM on GCE.
gcloud compute instances create Full reference for all gcloud VM creation flags.
Terraform google_compute_instance Terraform provider documentation for GCE instances.
SSH with IAP Connect to VMs without exposing SSH through a public IP.
Service Accounts for Compute Engine How VM identities work and how to choose safer permissions.
Google Compute Engine Overview of GCE features and architecture.
Machine Types and Images Detailed reference for choosing machine types and boot images.