nextflow-io · ejseqera · Apr 22, 2025 · Apr 22, 2025
@@ -882,6 +882,11 @@ The following settings are available for Google Cloud Batch:
   - projects/{project}/global/networks/{network}
   - global/networks/{network}
 
+`google.batch.networkTags`
+: The network tags to be applied to the instances created by Google Batch jobs. Network tags are used to apply firewall rules and control network access (e.g., `['allow-ssh', 'allow-http']`). 
+
+: Network tags are ignored when using instance templates. See [Add network tags](https://cloud.google.com/vpc/docs/add-remove-network-tags) for more information.
+
 `google.batch.serviceAccountEmail`
 : Define the Google service account email to use for the pipeline execution. If not specified, the default Compute Engine service account for the project will be used.
 

@@ -64,6 +64,14 @@ Max number of execution attempts of a job interrupted by a Compute Engine spot r
     """)
     public String network;
 
+    @ConfigOption
+    @Description("""
+        The network tags to be applied to the instances created by Google Batch jobs (e.g., `['allow-ssh', 'allow-http']`).
+
+        [Read more](https://cloud.google.com/vpc/docs/add-remove-network-tags)
+    """)
+    public List<String> networkTags;
+
     @ConfigOption
     @Description("""
         The Google service account email to use for the pipeline execution. If not specified, the default Compute Engine service account for the project will be used.

diff --git a/plugins/nf-google/src/main/nextflow/cloud/google/batch/GoogleBatchTaskHandler.groovy b/plugins/nf-google/src/main/nextflow/cloud/google/batch/GoogleBatchTaskHandler.groovy
@@ -293,6 +293,10 @@ class GoogleBatchTaskHandler extends TaskHandler implements FusionAwareTask {
 
         allocationPolicy.putAllLabels( task.config.getResourceLabels() )
 
+        // Add network tags if configured
+        if( executor.config.networkTags )
+            allocationPolicy.addAllTags( executor.config.networkTags )
+
         // use instance template if specified
         if( task.config.getMachineType()?.startsWith('template://') ) {
             if( task.config.getAccelerator() )
@@ -307,6 +311,9 @@ class GoogleBatchTaskHandler extends TaskHandler implements FusionAwareTask {
             if( executor.config.cpuPlatform )
                 log.warn1 'Config option `google.batch.cpuPlatform` ignored because an instance template was specified'
 
+            if( executor.config.networkTags )
+                log.warn1 'Config option `google.batch.networkTags` ignored because an instance template was specified'
+
             if( executor.config.preemptible )
                 log.warn1 'Config option `google.batch.premptible` ignored because an instance template was specified'
 

diff --git a/plugins/nf-google/src/main/nextflow/cloud/google/batch/client/BatchConfig.groovy b/plugins/nf-google/src/main/nextflow/cloud/google/batch/client/BatchConfig.groovy
@@ -51,6 +51,7 @@ class BatchConfig {
     private String network
     private String subnetwork
     private String serviceAccountEmail
+    private List<String> networkTags
     private BatchRetryConfig retryConfig
     private List<Integer> autoRetryExitCodes
     private List<String> gcsfuseOptions
@@ -69,6 +70,7 @@ class BatchConfig {
     String getNetwork() { network }
     String getSubnetwork() { subnetwork }
     String getServiceAccountEmail() { serviceAccountEmail }
+    List<String> getNetworkTags() { networkTags }
     BatchRetryConfig getRetryConfig() { retryConfig }
     List<Integer> getAutoRetryExitCodes() { autoRetryExitCodes }
     List<String> getGcsfuseOptions() { gcsfuseOptions }
@@ -89,6 +91,7 @@ class BatchConfig {
         result.network = session.config.navigate('google.batch.network')
         result.subnetwork = session.config.navigate('google.batch.subnetwork')
         result.serviceAccountEmail = session.config.navigate('google.batch.serviceAccountEmail')
+        result.networkTags = session.config.navigate('google.batch.networkTags', List.of()) as List<String>
         result.retryConfig = new BatchRetryConfig( session.config.navigate('google.batch.retryPolicy') as Map ?: Map.of() )
         result.autoRetryExitCodes = session.config.navigate('google.batch.autoRetryExitCodes', DEFAULT_RETRY_LIST) as List<Integer>
         result.gcsfuseOptions = session.config.navigate('google.batch.gcsfuseOptions', DEFAULT_GCSFUSE_OPTS) as List<String>

diff --git a/plugins/nf-google/src/test/nextflow/cloud/google/batch/GoogleBatchTaskHandlerTest.groovy b/plugins/nf-google/src/test/nextflow/cloud/google/batch/GoogleBatchTaskHandlerTest.groovy
@@ -149,6 +149,7 @@ class GoogleBatchTaskHandlerTest extends Specification {
                 getAutoRetryExitCodes() >> [50001,50002]
                 getSpot() >> true
                 getNetwork() >> 'net-1'
+                getNetworkTags() >> ['tag1', 'tag2']
                 getServiceAccountEmail() >> 'foo@bar.baz'
                 getSubnetwork() >> 'subnet-1'
                 getUsePrivateAddress() >> true
@@ -219,6 +220,7 @@ class GoogleBatchTaskHandlerTest extends Specification {
         allocationPolicy.getInstances(0).getInstallGpuDrivers() == true
         allocationPolicy.getLabelsMap() == [foo: 'bar']
         allocationPolicy.getServiceAccount().getEmail() == 'foo@bar.baz'
+        allocationPolicy.getTagsList() == ['tag1', 'tag2']
         and:
         instancePolicy.getAccelerators(0).getCount() == 1
         instancePolicy.getAccelerators(0).getType() == ACCELERATOR.type