GCP Compute Engine

Production VPS guide on Google Cloud Platform. Docker deployment with durable state. ~$5-12/month.

GCP Compute Engine provides a production-grade VPS for OpenClaw with Google's infrastructure reliability, global regions, and integration with the broader Google Cloud ecosystem. The deployment follows the same Docker Compose pattern as the Hetzner guide but leverages GCP-specific tooling — gcloud CLI for provisioning, IAP tunneling for secure access, and Google Cloud's monitoring stack.

The setup creates a Compute Engine VM (e2-small with 2GB RAM is the recommended minimum), installs Docker, clones the OpenClaw repo, and deploys via Docker Compose. GCP's advantage is its integration with other Google services — if you're already using Google Workspace, Cloud Storage, or Vertex AI, having OpenClaw on GCP simplifies networking and authentication. The gcloud CLI provides seamless SSH access with gcloud compute ssh, eliminating manual SSH key management.

Pricing is more complex than flat-rate providers like Hetzner. An e2-small (2 vCPU, 2GB RAM) costs ~$12/month in us-central1. The e2-micro (free tier eligible) has only 1GB shared RAM which is too small for Docker builds — it will OOM with exit code 137. For cost optimization, use committed use discounts or spot/preemptible instances for non-critical deployments. GCP's free tier includes 1 e2-micro instance, but it's insufficient for a production OpenClaw deployment.

Access to the Control UI uses GCP's built-in SSH tunneling: gcloud compute ssh YOUR_VM -- -N -L 18789:127.0.0.1:18789. This is simpler than manual SSH key setup since gcloud handles authentication through your Google account. For always-on access, consider Identity-Aware Proxy (IAP) or a Tailscale mesh network.

The GCP guide mirrors the Hetzner guide's architecture: Docker containers with host-mounted persistent directories, baked-in binaries for deterministic deployments, and SSH tunnel access for the Control UI. The main differences are GCP's pricing model, gcloud tooling, and enterprise features like Cloud Monitoring and Cloud Logging integration.

Tags: gcp, google-cloud, vps, docker

Use Cases

  • Teams already on Google Cloud who want OpenClaw integrated with their existing infrastructure
  • Enterprise deployments requiring Google's compliance certifications and SLAs
  • Developers who use gcloud CLI daily and want a familiar deployment workflow
  • Multi-region deployments leveraging GCP's global network for low-latency access
  • Organizations that need Cloud Monitoring and Cloud Logging integration for observability

Tips

  • Use gcloud compute ssh for seamless SSH access without manual key management: gcloud compute ssh YOUR_VM -- -N -L 18789:127.0.0.1:18789
  • Set budget alerts in GCP Billing to catch unexpected charges early — especially for egress bandwidth
  • Use e2-medium (4GB RAM) if you plan to run Docker builds frequently or need agent sandboxing headroom
  • Enable GCP's Identity-Aware Proxy (IAP) for zero-trust access to the Control UI without SSH tunneling
  • Set up an automatic start/stop schedule so the instance shuts down overnight if you don't need 24/7 availability
  • Use committed use discounts for 1- or 3-year terms to reduce costs by 30-60% on long-running instances
  • Take disk snapshots before major updates for quick rollback

Known Issues & Gotchas

  • The free tier e2-micro (1GB RAM) is too small for Docker builds — OOM kills with exit code 137. Use e2-small (2GB) minimum
  • GCP pricing is complex and usage-based — set budget alerts to avoid surprise charges from sustained-use or egress fees
  • Firewall rules must be configured explicitly in VPC Network — GCP doesn't use UFW or iptables directly
  • The boot disk is only 10GB by default — specify 20GB+ when creating the VM for Docker images and workspace data
  • gcloud CLI must be installed and authenticated on your local machine for SSH tunneling — Cloud Console SSH is an alternative
  • Preemptible/spot instances are cheaper but can be terminated with 30s notice — not suitable for always-on deployments
  • GCP's default network allows all internal traffic — restrict firewall rules to only necessary ports

Alternatives

  • Hetzner VPS
  • Oracle Cloud (Always Free)
  • Fly.io
  • DigitalOcean Droplet
  • AWS EC2

Community Feedback

If you're already on Google Cloud for other services, running OpenClaw on a Compute Engine VM is the path of least resistance. gcloud SSH makes access painless.

— Reddit r/AI_Agents

A practical guide to securing your AI assistant on GCP — use IAP tunneling instead of exposing ports, and leverage Google's VPC firewall rules for defense in depth.

— Medium

GCP's free tier e2-micro is tempting but it's 1GB RAM. Docker build will OOM. You need at least e2-small at ~$12/month, at which point Hetzner at €4/month looks a lot better.

— Reddit r/selfhosted

Frequently Asked Questions

Which machine type should I choose?

e2-small (2 vCPU, 2GB RAM, ~$12/mo) is the minimum recommended. e2-medium (4GB RAM, ~$25/mo) gives more headroom for Docker builds and agent sandboxing. The free tier e2-micro (1GB) is insufficient.

How do I access the Control UI?

Use gcloud SSH tunneling: gcloud compute ssh YOUR_VM -- -N -L 18789:127.0.0.1:18789. Open http://127.0.0.1:18789/ in your browser. For persistent access, consider IAP or Tailscale.

Is the GCP free tier enough for OpenClaw?

No. The free tier e2-micro has only 1GB shared RAM, which OOMs during Docker image builds. You need a paid e2-small at minimum. GCP's free tier is useful for testing but not production OpenClaw.

How do I update OpenClaw on GCP?

SSH into the VM, cd to the openclaw directory, run git pull, then docker compose build && docker compose up -d. Take a disk snapshot before updating for easy rollback.

Can I use GCP's free credits for OpenClaw?

Yes. New GCP accounts get $300 in free credits for 90 days. An e2-small for 3 months costs ~$36, well within the free credit budget. Good for evaluation before committing.

How do I set up firewall rules?

Use GCP VPC firewall rules instead of UFW. Block all incoming traffic by default except SSH (port 22). If exposing the gateway, add a rule for port 18789 with source IP restrictions. IAP tunneling is the recommended approach.
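
To check an existing project against the firewall guidance above, the following added example (not part of the original guide or of OpenClaw) audits the JSON from gcloud compute firewall-rules list --format=json for rules that leave SSH or the gateway port 18789 open to 0.0.0.0/0. The sample rules are constructed, the non-default rule names are hypothetical, and 35.235.240.0/20 is the source range Google documents for IAP TCP forwarding, which this page does not list.

```python
import json

IAP_RANGE = "35.235.240.0/20"   # source range Google documents for IAP TCP forwarding
SENSITIVE = {22: "SSH", 18789: "OpenClaw gateway / Control UI"}

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`.
# Only the default-* names are GCP defaults; the other rule names are hypothetical.
SAMPLE = json.loads("""[
 {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "default-allow-internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
 {"name": "allow-iap-ssh", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "gateway-test", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["18000-19000"]}]},
 {"name": "old-gateway", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["18789"]}]}
]""")

def covers(rule, port):
    """True if an enabled ingress rule allows TCP traffic to `port`."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    for allow in rule.get("allowed", []):
        if allow.get("IPProtocol") not in ("tcp", "all"):
            continue
        specs = allow.get("ports")          # absent means every port
        if not specs:
            return True
        for spec in specs:                  # "22" or a range such as "18000-19000"
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def internet_exposed(rules):
    """(rule name, port, label) for sensitive ports reachable from 0.0.0.0/0."""
    return [(r["name"], port, label)
            for r in rules if "0.0.0.0/0" in r.get("sourceRanges", [])
            for port, label in SENSITIVE.items() if covers(r, port)]

def iap_ssh_allowed(rules):
    """True if SSH is allowed from the IAP range, so the open SSH rule can go."""
    return any(IAP_RANGE in r.get("sourceRanges", []) and covers(r, 22) for r in rules)

if __name__ == "__main__":
    for name, port, label in internet_exposed(SAMPLE):
        print(f"{name}: tcp/{port} ({label}) open to the internet")
    print("SSH via IAP range allowed:", iap_ssh_allowed(SAMPLE))
```

A port range that happens to include 18789 is reported the same way as an explicit rule for it, and disabled rules are ignored.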