Remove GCP Virtual Machine External IP Via Nutanix Calm

A few weeks ago I was in a project that used Nutanix Calm to deploy virtual machines (VMs) on-premises as well as in Google Cloud Platform (GCP). Since the customer had a direct network connection to GCP they wanted to remove the VM external IP address to make sure their VMs can only connect to the internet and be reachable via their LAN.

Yes you can control access to GCP networks (and their VMs) via GCP firewall rules but you need to respect a customer technical requirement, right…..

There are multiple ways to achieve this and I decided to use the option of allowing the deployed VM to run gcloud commands.

There are two blog post sections.

By default when you deploy a VM in GCP the VM is not allowed to perform cloud commands and make configuration changes. During VM deployment, or before whenever you want to make any changes, you need to change the “Cloud API access scopes”:

  •  from “Allow default access”
  • to “Allow full access to all Cloud APIs” during deployment


There are two things you need to do in your Calm Blueprint. Just click the Blueprint and:

  1. Change Scopes
    1. from Default Access
    2. to Full Access
  2. Define the gcloud commands during the VM deployment. In my case I decided to use the Blueprint Service Create section to define the commands.
    1. Create a Task and define
      1. Task Name – In my case I used gcpremoveextip
      2. Type – Execute
      3. Script Type – Shell
      4. Credential – whatever you use to access the deployed VM
      5. Script – The script is just two cloud commands so very basic and they are executed from within the VM as mentioned earlier.

This is the completed Task

For the purpose of removing the GCP VM External IP address I added the below Task, the other Tasks are for different purposes.

here you can copy the code.

# Task to remove the GCP VM external IP address
# Find the GCP zone where the VM is deployed
gcpzone=`gcloud compute instances list | grep @@{vm_name}@@  | awk -F " " '{print $2}'`
sleep 4
# Remvove the VMs External IP Address
gcloud compute instances delete-access-config @@{vm_name}@@  --zone=$gcpzone

GCP VM Deployment & Verification

So let’s deploy a VM and make sure the VM External IP is removed. You just have to perform steps 1 and X below.

  1. Launch the Blueprint and create a Calm Application, just provide:
    1. Name of the Application – app-calm-gcp-vm01
    2. vm_name – calm-gcp-vm01 (the vm_name is a Calm Blueprint Application Profile Variable that is defined during Runtime.
  2. Monitor the GCP Console to see when the VM is deployed to verify that the VM first gets an External IP address.
  3. Verify connection to the newly deployed VM via the VM External IP address. In my case I tested via SSH
  4. Verify the Calm Application launch was successful. Also check the specific task which should remove the VM External IP address and if you click the below figure you’ll see that the cloud command output looks good, easy “Updated” which is expected.
  5. Verify the GCP VM External IP address is removed via GCP Console

That easy:)

Note: In a future version of Nutanix Calm there will be en option during VM deployment to not request an External IP Address. This script provided can be used either during VM deployment or as a separate Day 2 Blueprint.