Creating an Instance

Create a bare metal or virtual machine (VM) compute instance by using Compute service.

Tip

If this is your first time creating an instance, consider following the Getting Started tutorial for a guided workflow through the steps required to create an instance.

Instance IP addresses

When you create an instance, the instance is automatically attached to a virtual network interface card (VNIC) in the cloud network's subnet and given a private IP address from the subnet's CIDR. You can let the system assign the IP address, or you can specify an address. The private IP address lets instances within the VCN communicate with each other. If you've set up the cloud network for DNS, instances can instead use fully qualified domain names (FQDNs).

If the subnet is public, you can optionally assign the instance a public IP address. A public IP address is required to communicate with the instance over the internet, and to establish a Secure Shell (SSH) or Remote Desktop Protocol (RDP) connection to the instance from outside the cloud network. You can also create SSH or RDP connections to instances without public IP addresses by using a bastion.

Capacity availability

To determine whether capacity is available for a specific shape before you create an instance, use the CreateComputeCapacityReport operation.

Note

Partner images and pre-built Oracle enterprise images are not available in Government Cloud realms.

Important

When a compartment is part of a security zone, you must follow security zone policies when creating a compute instance. This means failing to implement security zone policies might prevent instance creation in that compartment. See security zone policies for a detailed list of default security zone policies.

For permissions, see Required IAM Policy for Working with Instances.

Before You Begin

Before you create an instance, you need these things:

  • (Optional) An existing VCN to create the instance in. Alternatively, you can create a new VCN while you create the instance. For information about setting up VCNs, see Networking.
  • Public SSH key (Linux instances): If you want to use your own SSH key to connect to the instance using SSH, you need the public key from the SSH key pair that you plan to use. The key must be in OpenSSH format. For more information, see Managing Key Pairs on Linux Instances.
  • VCN security rule to enable RDP access (Windows instances): A VCN security rule that enables RDP access so that you can connect to your instance. Specifically, you need a stateful ingress rule for TCP traffic on destination port 3389 from source 0.0.0.0/0 and any source port. For more information, see Security Rules.

    You can implement this security rule either in a network security group (NSG) that you add this Windows instance to, or in a security list that's used by the instance's subnet.

    For instructions for either method, see: Enabling RDP Access to a Windows Instance.

  • (Optional) To create the instance by using a host capacity type other than on-demand capacity, prepare the capacity as follows:

    • To create an instance and have it count against a capacity reservation, you must have a capacity reservation in the same availability domain as the instance.
    • To place an instance on a dedicated virtual machine host, you must have a dedicated virtual machine host in the same availability domain and fault domain as the instance.

    The capacity types are mutually exclusive.
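The public-key prerequisite above can be checked before you reach the console. The following Python sketch is an added example, not part of the original documentation: it tells an OpenSSH one-line public key apart from private key material or an RFC 4716 export, and for RSA keys reads the modulus size from the key blob. The function names, the `MIN_RSA_BITS` threshold, and the sample key lines are constructed for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumption: local policy threshold, not a value from this page


def _read_string(blob, offset):
    """Read one length-prefixed field (RFC 4251 'string'); return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of blob")
    return blob[offset + 4:end], end


def check_public_key(text):
    """Classify pasted key material. Returns (ok, detail)."""
    material = text.strip()
    if "PRIVATE KEY" in material:
        return False, "private key material"
    if material.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return False, "RFC 4716 (SSH2) format, not OpenSSH one-line format"
    parts = material.split(None, 2)
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        inner_type, offset = _read_string(blob, 0)
        # The type is stored twice: as the text label and inside the blob.
        if inner_type != key_type.encode("ascii", "replace"):
            return False, "type label does not match type inside blob"
        if key_type == "ssh-rsa":
            _exponent, offset = _read_string(blob, offset)
            modulus, offset = _read_string(blob, offset)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return False, f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}"
            return True, f"ssh-rsa, {bits} bits"
    except ValueError as exc:  # also covers binascii.Error from bad base64
        return False, f"undecodable key blob: {exc}"
    return True, key_type


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def make_sample_rsa_line(bits):
    """Constructed sample: a well-formed ssh-rsa line with a dummy modulus (not a usable key)."""
    modulus = (1 << (bits - 1)) | 1            # top bit set, so bit_length() == bits
    n = modulus.to_bytes(bits // 8 + 1, "big")  # leading zero byte keeps the mpint positive
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example"


if __name__ == "__main__":
    samples = [
        make_sample_rsa_line(2048),
        make_sample_rsa_line(1024),
        "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n-----END OPENSSH PRIVATE KEY-----",
        "---- BEGIN SSH2 PUBLIC KEY ----\n(constructed)\n---- END SSH2 PUBLIC KEY ----",
    ]
    for sample in samples:
        print(check_public_key(sample))
```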

(Optional) Enabling RDP Access to a Windows Instance

Create a VCN security rule that enables Remote Desktop Protocol (RDP) access so that you can connect to a Windows compute instance. You can implement this security rule either in a network security group (NSG) that you add the Windows instance to, or in a security list that's used by the instance's subnet. To enable RDP access:

  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Under List Scope, select a compartment that you have permission to work in. The page updates to display only the resources in that compartment. If you're not sure which compartment to use, contact an administrator.

  3. Click the VCN you want to create the security rule in.
  4. Do one of the following:

    • Add the rule to a network security group that the instance belongs to:

      1. Under Resources, click Network Security Groups.
      2. Click the network security group to add the rule to.
      3. Click Add Rules.
      4. Enter the following values for the rule:

        • Stateless: Leave the check box cleared.
        • Direction: Ingress
        • Source Type: CIDR
        • Source CIDR: 0.0.0.0/0
        • IP Protocol: RDP (TCP/3389)
        • Source Port Range: All
        • Destination Port Range: 3389
        • Description: An optional description of the rule.
      5. Click Add.
    • Add the rule to a security list that is used by the instance's subnet:

      1. Under Resources, click Security Lists.
      2. Click the security list that you're interested in.
      3. Click Add Ingress Rules.
      4. Enter the following values for the rule:

        • Stateless: Leave the check box cleared.
        • Source Type: CIDR
        • Source CIDR: 0.0.0.0/0
        • IP Protocol: RDP (TCP/3389)
        • Source Port Range: All
        • Destination Port Range: 3389
        • Description: An optional description of the rule.
      5. Click Add Ingress Rules.

Creating an Instance

    1. Open the navigation menu and click Compute. Under Compute, click Instances.
    2. Click Create instance.
    3. Enter a name for the instance. You can add or change the name later. The name doesn't need to be unique, because an Oracle Cloud Identifier (OCID) uniquely identifies the instance. Avoid entering confidential information.
    4. Select the compartment to create the instance in.

      The other resources that you choose can come from different compartments.

    5. In the Placement section, select the Availability domain that you want to create the instance in.

      Important

      If you're creating an instance from a boot volume, you must create the instance in the same availability domain as the boot volume.
    6. (Optional) If you want to choose a capacity type, click Show advanced options in the Placement section and select one of the following options under Capacity Type.
      • On-demand capacity: The instance is launched on a shared host using on-demand capacity. This is the default.
      • Preemptible capacity: This option lets you run the instance on a shared host using preemptible capacity. The capacity is reclaimed when it's needed elsewhere, and the instances are terminated. Select whether to permanently delete the attached boot volume when the capacity is reclaimed and the instance is terminated.
      • Capacity reservation: This option lets you count the instance against a capacity reservation. Select a capacity reservation from the list.
      • Dedicated host: This option lets you run the instance in isolation, so that it is not running on shared infrastructure. Select a dedicated virtual machine host from the list. You can place an instance on a dedicated virtual machine host only when you create the instance.
      • Compute cluster: This option lets you place the instance on a compute cluster, which is a high-bandwidth, ultra-low-latency remote direct memory access (RDMA) network for high-performance computing. Compute clusters let you manage instances in the cluster individually, and you can have different types of instances in the cluster. Select a cluster from the list.
    7. (Optional) If you want to specify a fault domain, click Show advanced options in the Placement section if you have not already done so. Then, select the fault domain to use for the instance.

      If you do not specify the fault domain, the system selects one for you. You can edit the fault domain after you create the instance.

    8. (Optional) In the Security section, you can create a shielded instance or enable confidential computing. Click Edit, and then select the options that you want to enable.

      Tip

      If you can't select the shielded or confidential computing settings that you want, first choose a shape and image that support shielded instances or confidential computing. Then, select the shielded instance or confidential computing settings that you want. An instance can either be shielded or enabled for confidential computing, but it can't be both simultaneously.
    9. In the Image and shape section, select an image for the instance.

      By default, an Oracle Linux image is used to boot the instance. To select a different image or a boot volume, click Change image. Then in the Select an image panel, select one of the following operating systems or image sources, and click Select image.

      • To use a platform image, select Oracle Linux, Ubuntu, CentOS, or Windows. Select the compartment, and then select an OS version. To choose a different image build, or to see which shapes are compatible with an OS version and image build, click the down arrow for the image.
      • To use a Red Hat Enterprise Linux image, follow the steps in Red Hat Enterprise Linux (RHEL) Images.
      • To use a Marketplace image, select SUSE, AlmaLinux, Rocky Linux, or for other OSs, Marketplace.

        • For Oracle enterprise images and partner images, select the Partner images option, and then select an image. To view more details about an image or to change the image build, click the down arrow for the image. Images in this section include pre-built Oracle enterprise images and solutions enabled for OCI, and trusted third-party images published by Oracle partners.

        • For community images, select the Community images option, and then select an image. You can filter by OS. To view more details about an image, click the down arrow for the image. Community images are custom images created and published by community members for use by other community members. Community images are not available for Windows.

      • To use a custom image that was created or imported into your OCI environment, select My images. Select the Custom images option. Select the compartment, and then select the image.
      • To use a boot volume, select My images. Select the Boot volumes option. Select the compartment, and then select the boot volume.
      • To use a specific version of an image by providing the image OCID, select My images. Select the Image OCID option, and then enter the image OCID. To determine the OCID for platform images, see the image release notes.
    10. In the Image and shape section, to select a different shape for the instance, click Change shape. Then, in the Browse all shapes panel, follow these steps:

      1. In the Instance type section, select Virtual machine or Bare metal machine.
      2. If you're creating a virtual machine, in the Shape series section, select a processor group.

        • AMD: (Flexible) Standard shapes that use current-generation AMD processors. AMD shapes are flexible shapes.
        • Intel: (Flexible) Standard and optimized shapes that use current-generation Intel processors. Intel shapes are flexible shapes.
        • Ampere: (Flexible) The Ampere A1 Compute shape, which uses current generation Arm-based processors. The Arm-based shape is a flexible shape. This shape is not supported for Windows.
        • Specialty and previous generation: Standard shapes with previous generation Intel and AMD processors, the Always Free VM.Standard.E2.1.Micro shape, Dense I/O shapes, GPU shapes, and HPC shapes.

        Flexible shapes have a customizable number of OCPUs and amount of memory.

      3. Select a shape.

        Tip

        If a shape is disabled, it means that the shape is either incompatible with the image that you selected previously, or not available in the current availability domain. If you don't see a shape, it means that you don't have service limits for the shape. You can request a service limit increase.
      4. If you selected a flexible shape, provide the following information:

        • For Number of OCPUs, choose the number of OCPUs that you want to allocate to this instance by dragging the slider. The other resources scale proportionately.
        • If you want this to be a burstable instance and the shape supports bursting, select the Burstable option. Then, in the Baseline utilization per OCPU list, select the baseline OCPU utilization for the instance. This value is the percentage of OCPUs that you want to use most of the time.
        • For Amount of memory (GB), choose the amount of memory that you want to allocate to this instance. The amount of memory allowed is based on the number of OCPUs selected.
        • If you want to allocate an extended amount of memory or OCPUs to the instance, you can make this instance an extended memory VM by dragging the slider to Extended OCPU or Extended memory.

        For more information about the minimum memory, maximum memory, and ratio of memory to OCPUs for each shape, see Flexible Shapes.

      5. For bare metal instances, optionally configure advanced BIOS settings, such as disabling simultaneous multithreading, disabling cores, or optimizing the NUMA settings. Click Show advanced BIOS settings, and then select the options that you want to configure. The settings that are available depend on the shape.
      6. For VM instances, if you want to disable simultaneous multithreading, click Show advanced OCPU options, and then uncheck Enable simultaneous multithreading (SMT). Simultaneous multithreading is enabled by default. For more information on disabling SMT, see Disabling Simultaneous Multithreading.
      7. Click Select shape.
    11. In the Primary VNIC information section, configure the network details for the instance.

      For Primary network and Subnet, specify the virtual cloud network (VCN) and subnet to create the instance in. Decide whether you want to use an existing VCN and subnet, create a new VCN or subnet, or enter an existing subnet's OCID:

      Tip

      If you want the instance to have an IPv6 address assigned at launch, you must choose an existing VCN with at least one IPv6 prefix assigned and choose a subnet of that VCN that is enabled to use IPv6.
      Select existing virtual cloud network

      Make the following selections:

      • Virtual cloud network: The VCN the instance uses to connect to other resources. Choose among the VCNs in the selected compartment.
      • Subnet: A subnet within the VCN. Subnets are either public or private. Resources in a private subnet will not be reachable from external hosts on the internet. In the case of IPv4, resources in private subnets can't have public IP addresses. For more information, see Access to the Internet. Subnets can also be either AD-specific or regional (regional ones have "regional" after the name). We recommend using regional subnets. For more information, see About Regional Subnets. If you choose a public subnet, you can also assign the instance a public IPv4 address. A public IP address (with associated security and routing configuration) is required to make this instance accessible from the internet.

        If you choose Select existing subnet, for Subnet, select the subnet. Choose among the subnets in the selected VCN.

        If you choose Create new public subnet, enter the following information:

        • New subnet name: Avoid entering confidential information.
        • Create in compartment: The compartment where you want to put the subnet.
        • CIDR block: A single, contiguous CIDR block for the subnet (for example, 172.16.0.0/24). Make sure it's within the cloud network's CIDR block and doesn't overlap with any other subnets. You cannot change this value later. See Allowed VCN Size and Address Ranges. For reference, here's a CIDR calculator.
      Create new virtual cloud network
      Note

      Creating an instance with IPv6 addresses assigned at launch is not available when you use this option.

      Make the following selections:

      • New virtual cloud network name: A friendly name for the network. Avoid entering confidential information.
      • Create in compartment: The compartment where you want to put the new network.
      • Create new subnet: A subnet within the cloud network to attach the instance to. Subnets are either public or private. Resources in a private subnet will not be reachable from external hosts on the internet. In the case of IPv4, resources in private subnets can't have public IP addresses. For more information, see Access to the Internet. Subnets can also be either AD-specific or regional (regional ones have "regional" after the name). We recommend using regional subnets. For more information, see About Regional Subnets.

      • New subnet name: A friendly name for the subnet. It doesn't have to be unique, and it can be changed later. Avoid entering confidential information.
      • Create in compartment: The compartment where you want to put the subnet.
      • CIDR block: A single, contiguous CIDR block for the subnet (for example, 172.16.0.0/24). Make sure it's within the cloud network's CIDR block and doesn't overlap with any other subnets. See Allowed VCN Size and Address Ranges. For reference, here's a CIDR calculator.
      • If you choose a public subnet, you can also assign the instance a public IPv4 address. A public IP address (with associated security and routing configuration) is required to make this instance accessible from the internet.
      Enter subnet OCID

      For Subnet OCID, enter the subnet OCID.

      If you choose a public subnet, you can also assign the instance a public IPv4 address. A public IP address (with associated security and routing configuration) is required to make this instance accessible from the internet.

    12. In Primary VNIC IP addresses, configure the following:

      • For all subnets, choose to either Automatically assign private IPv4 address (the default) or Manually assign private IPv4 address. When you choose Manually assign private IPv4 address, enter an IPv4 address in an IPv4 CIDR block assigned to the previously chosen subnet. For more information, see Access to the Internet. A private IP address is required for all VNICs.
      • For public IPv4 subnets only, you can Automatically assign public IPv4 address or uncheck the option and not configure a public IPv4 address at this time. You can assign a public IPv4 address later if necessary. A VNIC considers a public IPv4 address optional.
      • (IPv6-enabled subnets only) To add an IPv6 address, check Assign IPv6 addresses from subnet prefixes, select an IPv6 prefix configured for the subnet you selected, and then choose one of the following:
        • Automatically assign IPv6 addresses from prefix: Choose this option to let OCI select an available IPv6 address from an IPv6 prefix assigned to this subnet. A subnet can have more than one IPv6 prefix.
        • Manually assign IPv6 addresses from prefix: Choose this option to select a specific address from an IPv6 prefix assigned to this subnet. Example: 0000:0000:1a1a:1a2b.

          If you click + Another subnet prefix you can assign additional IPv6 addresses to the instance VNIC. You can assign one and only one IPv6 address to the VNIC from each IPv6 prefix (there can be several IPv6 prefixes assigned to a subnet).

    13. (Optional) If you want to configure advanced networking settings, click Show advanced options. The following options are available:

      • Use network security groups to control traffic: Select this option if you want to add the instance's primary VNIC to one or more network security groups (NSGs). Then, specify the NSGs. This option is available only when you use an existing VCN. For more information, see Network Security Groups.
      • DNS record: Select whether to assign the VNIC a private DNS record. For more information, see DNS in Your Virtual Cloud Network.
      • Hostname: Enter a hostname to use for DNS within the VCN. This field is available only if the VCN and subnet both have DNS labels, and you select the option to assign a private DNS record.
      • Launch options: Select the networking launch type. This option is available only for VMs.
      • VCN tags and Subnet tags tabs: If you create a new VCN and subnet, these tabs are available. If you have permissions to create these resources, then you also have permissions to apply free-form tags to the resources. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option (you can apply tags later) or ask an administrator.
    14. (Optional) In Secondary VNIC, click Add VNIC and enter the following information:

      • VNIC Name: A friendly name for the secondary VNIC. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
      • Virtual cloud network: The VCN that contains the subnet of interest.
      • Subnet: The subnet the secondary VNIC will be in, which must be in the same availability domain as the instance's primary VNIC. The subnet list includes any regional subnets or AD-specific subnets in the primary VNIC's availability domain.
      • Physical NIC: Only relevant if this is a bare metal instance with two active physical NICs. Select which one you want the secondary VNIC to use. When you later view the instance's details and the list of VNICs attached to the instance, they'll be grouped by NIC 0 and NIC 1.
      • For all subnets, choose to either Automatically assign private IPv4 address (the default) or Manually assign private IPv4 address. When you choose Manually assign private IPv4 address, enter an IPv4 address in the CIDR block assigned to the previously chosen subnet. For more information, see Access to the Internet. A private IP address is required for all VNICs.
      • For public IPv4 subnets only, you can Automatically assign public IPv4 address or uncheck the option and not configure a public IPv4 address at this time. You can assign a public IPv4 address later if necessary. A VNIC considers a public IP address optional.
      • (IPv6-enabled subnets only) To add an IPv6 address, check Assign IPv6 addresses from subnet prefixes, select an IPv6 prefix configured for the subnet you selected, and then choose one of the following:
        • Automatically assign IPv6 addresses from prefix: Choose this option to let the console select an available IPv6 address from an IPv6 prefix assigned to this subnet. A subnet can have more than one IPv6 prefix.
        • Manually assign IPv6 addresses from prefix: Choose this option to select a specific address from an IPv6 prefix assigned to this subnet. Example: 2001:db8:1a1a:1a2b.

        If you click + Another subnet prefix you can assign additional IPv6 addresses to the instance VNIC. You can assign one and only one IPv6 address to the VNIC from each IPv6 prefix (there can be several IPv6 prefixes assigned to a subnet). If this VNIC is being attached to an existing instance after its launch, keep in mind that your instance OS needs specific configuration to use IPv6 addressing.

      Adding a secondary VNIC is entirely optional and will require further configuration in the instance OS.

    15. (Linux instances) In the Add SSH keys section, generate an SSH key pair or upload your own public key. Select one of the following options:
      • Generate a key pair for me: Oracle Cloud Infrastructure generates an RSA key pair for the instance. Click Save Private Key, and then save the private key on your computer. Optionally, click Save Public Key and then save the public key.

        Caution

        Anyone who has access to the private key can connect to the instance. Store the private key in a secure location.

        Important

        To use a key pair that is generated by Oracle Cloud Infrastructure, you must access the instance from a system that has OpenSSH installed. UNIX-based systems (including Linux and OS X), Windows 10, and Windows Server 2019 should have OpenSSH. For more information, see Managing Key Pairs on Linux Instances.
      • Upload public key files (.pub): Upload the public key portion of your key pair. Either browse to the key file that you want to upload, or drag and drop the file into the box. To provide multiple keys, press and hold down the Command key (on Mac) or the Ctrl key (on Windows) while selecting files.
      • Paste public keys: Paste the public key portion of your key pair in the box.
      • No SSH keys: Select this option only if you do not want to connect to the instance using SSH. You can't provide a public key or save the key pair that is generated by Oracle Cloud Infrastructure after the instance is created.
      Tip

      If you try to upload or paste a private key, an error occurs.
    16. In the Boot volume section, configure the size and encryption options for the instance's boot volume:

      • To specify a custom size for the boot volume, select the Specify a custom boot volume size check box. Then, enter a custom size from 50 GB to 32 TB. The specified size must be larger than the default boot volume size for the selected image.

        Important

        For Windows Server 2012 R2 Datacenter images and Windows platform images published before October 2021, the custom boot volume size must be larger than the image's default boot volume size or 256 GB, whichever is higher.

        You can specify the volume performance for boot volumes. The default performance is Balanced. You can modify the performance setting after you create the instance.

      • For VM instances, you can optionally select the Use in-transit encryption check box. For bare metal instances that support in-transit encryption, it is enabled by default and is not configurable. See Block Volume Encryption for more information about in-transit encryption. If you are using your own Vault service encryption key for the boot volume, then this key is also used for in-transit encryption. Otherwise, the Oracle-provided encryption key is used.
      • Boot volumes are encrypted by default, but you can optionally use your own Vault service encryption key to encrypt the data in this volume. To use the Vault service for your encryption needs, select the Encrypt this volume with a key that you manage check box. Select the vault compartment and vault that contains the master encryption key that you want to use, and then select the master encryption key compartment and master encryption key. If you select this option, this key is used to encrypt data at rest and in-transit.
        Important

        The Block Volume service does not support encrypting volumes with keys encrypted using the Rivest-Shamir-Adleman (RSA) algorithm. When using your own keys, you must use keys encrypted using the Advanced Encryption Standard (AES) algorithm. This condition applies to block volumes and boot volumes.
    17. In the Live migration area, select whether to live migrate the instance to a healthy physical VM host without any notification or disruption. We recommend using live migration.
      • If you select the Live migration option (the default) and live migration isn't successful, reboot migration is used. Some shapes do not support live migration.
      • If you don't select this option, a notification is sent for the maintenance event. The instance is live migrated if you do not proactively reboot the instance before the due date.

        By default, if an instance is running when a maintenance event affects the underlying infrastructure, the instance is rebooted after it is recovered. Clear the Reboot after maintenance check box if you want the instance to be recovered in the stopped state.

      Free tier live migration options

      In a free tier account, live migration might appear under Show advanced options on the Availability tab. You can configure the following options for supported shapes:

      • In the Live migration section, select an option:

        • Let Oracle Cloud Infrastructure choose the best migration option: Select this option to let Oracle Cloud Infrastructure choose the best option to migrate the instance to a healthy physical VM host if an underlying infrastructure component needs to undergo maintenance.
        • Use live migration if possible: Select this option to have the instance live migrated to a healthy physical VM host without any notification or disruption. If live migration isn't successful, reboot migration is used. Some shapes do not support live migration.
        • Opt-out: Select this option to have a notification sent for the maintenance event. The instance is live migrated if you do not proactively reboot the instance before the due date.
      • Restore instance lifecycle state after infrastructure maintenance: By default, if an instance is running when a maintenance event affects the underlying infrastructure, the instance is rebooted after it is recovered. Clear this check box if you want the instance to be recovered in the stopped state.

    18. (Optional) To configure advanced settings, click Show advanced options. The following options are available:

      • On the Management tab, you can configure the following options:

        • Require an authorization header: Select this check box to require that all requests to the instance metadata service (IMDS) use the version 2 endpoint and include an authorization header. Requests to IMDSv1 are denied. The image must support IMDSv2.
        • Initialization script: User data can be used by cloud-init to run custom scripts or provide custom cloud-init configuration. Cloudbase-init is used on Windows. Browse to the file that you want to upload, or drag the file into the box. The file or script does not need to be base64-encoded, because the Console performs this encoding when the information is submitted. For information about how to take advantage of user data, see the cloud-init documentation and the cloudbase-init documentation. The total maximum size for user data and other metadata that you provide is 32,000 bytes.

          Caution

          Do not include anything in the script that could trigger a reboot, because that could impact the instance launch and cause it to fail. Any actions that require a reboot should be performed only after the instance state is Running.
        • Tagging: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
      • On the Oracle Cloud Agent tab, choose which plugins you want to enable when the instance is launched. Plugins collect performance metrics, install OS updates, and perform other instance management tasks.

        Important

        After you create the instance, you might need to perform additional configuration tasks before you can use each plugin.
    19. Click Create.

      To track the progress of the operation and troubleshoot errors that occur during instance creation, use the associated work request.
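The CIDR requirements in steps 11 and 12 (a new subnet block must sit inside the cloud network's CIDR block without overlapping other subnets, and a manually assigned private IPv4 address must come from the chosen subnet) can be checked ahead of time. This Python sketch is an added example, not part of the original documentation; the function names and sample addresses are constructed, and it does not model any addresses the provider itself reserves inside a subnet.

```python
import ipaddress


def check_subnet_cidr(vcn_cidrs, existing_subnets, candidate):
    """Return a list of problems with `candidate`; an empty list means none were found."""
    try:
        # strict=True rejects blocks with host bits set, such as 172.16.1.5/24.
        new = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]

    problems = []
    vcn_nets = [ipaddress.ip_network(c) for c in vcn_cidrs]
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    if not any(new.version == v.version and new.subnet_of(v) for v in vcn_nets):
        problems.append("outside every VCN CIDR block")

    for text in existing_subnets:
        other = ipaddress.ip_network(text)
        if other.version == new.version and new.overlaps(other):
            problems.append(f"overlaps existing subnet {other}")
    return problems


def check_private_ip(subnet_cidr, address):
    """Return a list of problems with a manually chosen private address."""
    net = ipaddress.ip_network(subnet_cidr)
    try:
        ip = ipaddress.ip_address(address)
    except ValueError as exc:
        return [f"not a valid IP address: {exc}"]
    if ip not in net:
        return [f"{ip} is not inside subnet {net}"]
    # Generic IPv4 behaviour: the first and last addresses of a block are not host addresses.
    if net.version == 4 and ip in (net.network_address, net.broadcast_address):
        return [f"{ip} is the network or broadcast address of {net}"]
    return []


if __name__ == "__main__":
    vcn = ["172.16.0.0/16"]          # constructed sample values
    subnets = ["172.16.0.0/24"]
    for candidate in ("172.16.1.0/24", "172.16.0.128/25", "10.0.0.0/24", "172.16.1.5/24"):
        print(candidate, check_subnet_cidr(vcn, subnets, candidate))
    for address in ("172.16.1.10", "172.16.2.10", "172.16.1.255"):
        print(address, check_private_ip("172.16.1.0/24", address))
```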

  • Use the instance launch command and required parameters to create an instance:

    oci compute instance launch --from-json <file://path/to/file.json>

    <file://path/to/file.json> is the path to a JSON file that defines the instance details. For information about how to generate an example of the JSON file, see Advanced JSON Options.

    For a complete list of flags and variable options for the Compute Service CLI commands, see the command line reference for Compute.

  • Use these API operations to create instances:

    You can also launch instances from images that are published by Oracle partners in the Partner Image catalog. Use these APIs to work with the Partner Image catalog listings:
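For the JSON file passed to `oci compute instance launch --from-json`, the following Python sketch (an added example, not part of the original documentation) summarizes how the file sets the options that the console procedure exposes for public IP assignment, IMDSv1, in-transit encryption, NSG membership, and SSH keys, and then compares them with a baseline. The JSON key names are assumptions based on the CLI's camelCase parameter names; check them against the example file generated as described in Advanced JSON Options. The baseline, OCIDs, and file path are constructed placeholders.

```python
import json

# Hypothetical team baseline; each key matches a field produced by summarize_launch().
BASELINE = {
    "public_ip": "disabled",
    "imds_v1": "denied",
    "in_transit_encryption": True,
    "nsg_attached": True,
    "private_key_in_metadata": False,
}

# Constructed sample input with placeholder identifiers.
SAMPLE_LAUNCH_JSON = """
{
  "availabilityDomain": "EXAMPLE-AD-1",
  "compartmentId": "ocid1.compartment.oc1..placeholder",
  "shape": "VM.Standard.E2.1.Micro",
  "subnetId": "ocid1.subnet.oc1..placeholder",
  "imageId": "ocid1.image.oc1..placeholder",
  "assignPublicIp": true,
  "instanceOptions": {"areLegacyImdsEndpointsDisabled": false},
  "isPvEncryptionInTransitEnabled": true,
  "nsgIds": [],
  "sshAuthorizedKeysFile": "/path/to/placeholder_key.pub"
}
"""


def summarize_launch(text):
    """Reduce a launch JSON document to the settings worth reviewing before launch."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("launch file must contain a JSON object")

    assign = cfg.get("assignPublicIp")
    if assign is True:
        public_ip = "requested"
    elif assign is False:
        public_ip = "disabled"
    else:
        public_ip = "not set"  # left to the service default for the subnet

    options = cfg.get("instanceOptions") or {}
    metadata = cfg.get("metadata") or {}

    if cfg.get("sshAuthorizedKeysFile"):
        ssh_source = "file"
    elif metadata.get("ssh_authorized_keys"):
        ssh_source = "inline metadata"
    else:
        ssh_source = "none"

    return {
        "public_ip": public_ip,
        # Only an explicit true makes the instance refuse IMDSv1 requests.
        "imds_v1": "denied" if options.get("areLegacyImdsEndpointsDisabled") is True else "allowed",
        "in_transit_encryption": cfg.get("isPvEncryptionInTransitEnabled") is True,
        "nsg_attached": bool(cfg.get("nsgIds")),
        "ssh_key_source": ssh_source,
        # Private key material never belongs in instance metadata.
        "private_key_in_metadata": any("PRIVATE KEY" in str(v) for v in metadata.values()),
    }


def deviations(summary, baseline=BASELINE):
    """Return the sorted names of settings that differ from the baseline."""
    return sorted(key for key, wanted in baseline.items() if summary.get(key) != wanted)


if __name__ == "__main__":
    result = summarize_launch(SAMPLE_LAUNCH_JSON)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("differs from baseline:", deviations(result))
```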

What's Next