From 371882928434f3acc50ecca6ec4f314dceaacedd Mon Sep 17 00:00:00 2001
From: Kevin Wang
Date: Wed, 10 Jun 2026 02:01:52 -0700
Subject: [PATCH] dstack-cloud: add no_public_ip (--no-address) for network-isolated VMs

GcpConfig gains a no_public_ip flag; when set, 'gcloud compute instances create' is given --no-address so the VM has no ephemeral external IP. With no Cloud NAT on the subnet this also drops internet egress; the VM is still reachable over IAP TCP forwarding (SSH, and the on-prem launcher's courier, go over IAP either way).

The on-prem operator tooling already requests this (no_public_ip in the deploy sys-config), but upstream dstack-cloud silently ignored it and created a public IP.
---
 scripts/bin/dstack-cloud | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/scripts/bin/dstack-cloud b/scripts/bin/dstack-cloud
index 7b3b028b..1e502e76 100755
--- a/scripts/bin/dstack-cloud
+++ b/scripts/bin/dstack-cloud
@@ -209,6 +209,7 @@ class GcpConfig:
     network: str = "default"
     subnet: str = ""
     private_ip: str = "" # static internal IP to bind (--private-network-ip)
+    no_public_ip: bool = False # network-isolated: no external IP (--no-address); reach via IAP
 
     # Identity settings
     service_account: str = ""
@@ -250,6 +251,7 @@ class GcpConfig:
         "network": "default",
         "subnet": "",
         "private_ip": "",
+        "no_public_ip": False,
         "service_account": "",
         "scopes": [],
         "tags": [],
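Review bot: The inline comment on the new `no_public_ip` field describes the VM as "network-isolated", but the flag only controls whether gcloud attaches an ephemeral external IP; whether the VM can reach the internet depends on the subnet having no Cloud NAT, and whether IAP can reach it depends on a firewall rule admitting the IAP source range — neither is a property of this field. A reader of GcpConfig could set the flag and assume egress is blocked when the subnet they deploy into has NAT. Suggest `no_public_ip: bool = False # no ephemeral external IP (--no-address); egress/ingress isolation still depends on the subnet's NAT and firewall rules`. The rest of the GcpConfig dataclass is outside the hunk.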
@@ -1458,6 +1460,12 @@ class CloudDeploymentManager:
            if not config.subnet:
                create_args.append("--subnet=default")
            create_args.append(f"--private-network-ip={config.private_ip}")
+        if config.no_public_ip:
+            # Network-isolated CVM: no ephemeral external IP. With no Cloud NAT on
+            # the subnet, this also means no internet egress. Reaching the VM still
+            # works over IAP TCP forwarding (ingress via Google's edge to the
+            # internal IP), so SSH / the on-prem courier are unaffected.
+            create_args.append("--no-address")
         if config.service_account:
             create_args.append(f"--service-account={config.service_account}")
         if config.scopes:
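Review bot: The new branch appends `--no-address` but nothing reads back the created instance, so the failure mode this commit fixes (operator requested isolation, VM came up with a public IP) would again go unnoticed if the flag is dropped by a later refactor or an access config is re-added by a wrapper or policy. After the create call, which lies outside this hunk along with the rest of the method, consider describing the instance (e.g. `--format='value(networkInterfaces[0].accessConfigs)'`) and failing the deploy when the result is non-empty, so a `no_public_ip` request fails closed rather than silently degrading. The added comment also asserts IAP reachability is unaffected, which holds only if a firewall rule admits ingress from the IAP range 35.235.240.0/20 to the SSH and courier ports; this code neither creates nor checks such a rule, so a line like `# Requires a firewall rule allowing ingress from 35.235.240.0/20 (IAP) on the SSH/courier ports; not managed here.` would keep the comment honest.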