Creating and managing NFS volumes

You first create an NFS volume, and then you mount your NFS exports to Compute Engine instances.

Before you create an NFS volume, you must complete the steps in Enabling billing and APIs and Setting up private service access; otherwise, the volume creation process fails.


An NFS volume can use NFSv3 or NFSv4.1. The following considerations apply:

  • About NFS versions: NFSv3 can handle a variety of use cases and is commonly deployed in most enterprise applications. You should validate what version (NFSv3 or NFSv4.1) your application requires and create your volume using the appropriate version. For example, if you use Apache ActiveMQ, file locking with NFSv4.1 is recommended over NFSv3.
  • Security: Support for UNIX mode bits (read, write, and execute) is available for NFSv3 and NFSv4.1. Root-level access is required on the NFS client to mount NFS volumes.
  • Local user/group and LDAP support for NFSv4.1: Currently, NFSv4.1 supports root access to volumes only.
  • After you create an NFS volume, you cannot change the protocol type between NFSv3 and NFSv4.1.
  • The CVS service type does not currently support NFSv4.1. If you want to use NFSv4.1, use the CVS-Performance type to create an NFSv4.1 volume.

For information about managing local users for an NFS volume, see the Linux manual pages for the passwd and group commands.

NFS users are generally limited to 16 group identifiers (GIDs). The CVS-Performance service type supports a larger number of GIDs through extended groups support with LDAP, which is enabled by default. Currently, this capability is only supported with the Active Directory LDAP service. For more information, see Creating an AD connection.

Creating an NFS volume

You can create an NFS volume with either the general-purpose CVS service type or the CVS-Performance service type. The service type that you select for a volume depends on the workload needs that you have for that volume. By default, an NFS volume is created using the CVS service type. For more information, see Service types.

  1. In the Cloud Console, go to the Volumes page.


  2. Click Create.

  3. On the Create File System page, specify the name and options for your volume as indicated in the following table.

    Required fields are marked with an asterisk (*).

    Field Description CVS CVS-Performance
    • Name*: Name displayed for the volume.
    • Service Type*: CVS or CVS-Performance service type. Each service type offers different service levels, and the service levels are offered in different regions. For details, see Service types.
    • Region*: Google Cloud region for your volume. For more information, see Best practices for Compute Engine region selection.
    • Zone*: Google Cloud zone for your volume.
    • Volume Path*: The system automatically generates a recommended volume path. The name must be unique across all of your cloud volumes.
    • Service Level*:
      • For the CVS service type, select the level of availability for the volume.
      • For the CVS-Performance service type, select the level of performance for the volume.
    • Snapshot: Allows you to create a volume based on a snapshot. For details, see Creating and managing volume snapshots.
    • Allocated Capacity*: Size of the cloud volume. The minimum size is 1,024 GiB (1 TiB).
    • Protocol Type*: The NFS protocol that applies to your service type: NFSv3, NFSv4.1, or Both (NFSv3/NFSv4.1).
    • Make snapshot directory (.snapshot) visible: Makes your snapshot directory visible to the client as a ~snapshot hidden directory in the root of the mapped share. Enables Previous Versions access in Windows Explorer.

  4. In the Network Details section, specify the following:

    • Shared VPC configuration: The VPC network can be part of a host project in a shared VPC network, or it can be a standalone project. If you have a host project and shared VPC topology, select Shared VPC configuration. For standalone projects, leave the box cleared.

    • VPC Network Name: Select the network from which the volume will be accessible.

    • If this is the first time that you're setting up VPC peering for Cloud Volumes Service, you receive the following prompt indicating that you need to set up network peering:

      Network peering not set up

      Click the View commands how to set up network peering button. To configure VPC peering, follow the steps in the dialog that appears.

    • Optionally, you can specify a custom CIDR range by selecting Use Custom Address Range. This allows you to, for example, specify a CIDR range that doesn't overlap with your on-premises CIDR blocks. To allow for future flexibility, you can increase the CIDR block size (prefix range). The CIDR range can't be changed or edited later.

    For more information, see Setting up private services access.

  5. To manage export policy rules for the volume, expand Show export policy and do the following:

    1. Click Add Rule to define the allowed clients and their access type.
    2. In the Allowed clients field, enter the IP address or range of addresses that are allowed to connect to the cloud volume.
    3. To select the type of access these IP addresses have to the cloud volume, select Read & Write or Read Only.

    4. Root Access is enabled by default and is only available for the CVS-Performance service type. This setting corresponds to the no_root_squash option on other NFS servers.

      To disable this option, select Off.

    5. Select the checkbox for the corresponding NFS version for which you want to give access. You can add additional rules as needed.

      The protocol type allowed for the export must match the protocol type that you previously selected. A warning appears if the protocol type you select to allow for export does not match the protocol type selected for the volume.

    You will not be able to access your NFS volumes unless you add an export policy.

  6. To manage the snapshot policy for the volume, expand Show snapshot policy, select Allow automatic snapshots, specify the snapshot schedules, and specify the number of snapshots to keep.

    For details, see Managing snapshot policies.


  7. Click Save to create the volume.

    The new volume appears in the Volumes list.


Mounting NFS exports to Compute Engine instances

  1. In the Cloud Console, go to the Volumes page.


  2. Click the NFS volume for which you want to mount NFS exports.

  3. Scroll to the right, click More, and then click Mount Instructions.


  4. Follow the instructions in the Mount Instructions for NFS window.

    The mounting instructions might be slightly different depending on which NFS protocol you have configured for the volume. The following example is for NFSv4.1.

    NFS mount instructions

Disabling root access to the volume

By default, root access to a volume is enabled. This corresponds to the no_root_squash option on other NFS servers.

You can disable root access to a volume with the UI or the API. This option is only available for volumes of the CVS-Performance service type.

You can enable or disable root access when you create or edit a volume.

For details of enabling or disabling root access with the UI, see Creating an NFS volume.

For an example of disabling root access with the API, see Update volume with rootAccess disabled.

Configuring NFSv4.1 Kerberos encryption

Cloud Volumes Service supports NFS client encryption in Kerberos modes krb5, krb5i, and krb5p, with AES-256 encryption.

You can enable NFSv4.1 Kerberos encryption when you create a volume with the console UI or with the API.

For more information about NFS Kerberos in ONTAP, see the ONTAP technical report (PDF).

Enable Kerberos encryption with the console UI

When you create the NFSv4.1 volume for the CVS-Performance service type, select Enable Kerberos in the Volume details section of the Create file system page.

Manage Kerberos encryption with the API

For an example of creating a volume with Kerberos encryption using the API, see Create NFS volume with NFSv4 Kerberos encryption.

createVol: You can use the createVol API to create a volume with parameters for Kerberos encryption (types krb5, krb5i, krb5p) and the kerberosEnabled flag. The createVol API performs validation to make sure that the kerberosEnabled flag and Kerberos export policy rules match.

updateVolume: Using the updateVolume API, you can’t change whether a volume has Kerberos encryption enabled. The updateVolume API doesn’t provide a kerberosEnabled field. You can only modify export policy rules with the updateVolume API.

getVolumeDetails: You can use the getVolumeDetails API to return the parameters for export policy rules and the kerberosEnabled flag.
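
The export policy, root access, and Kerberos rules described on this page can be checked before a volume definition is submitted. The following Python sketch is an added example, not code from Cloud Volumes Service or its API: the dictionary layout and every field name except kerberosEnabled and rootAccess are hypothetical, allowed clients are assumed to be a single address or CIDR range, and the Kerberos check assumes the flag should be set exactly when at least one rule names a Kerberos mode.

```python
import ipaddress

KRB_MODES = {"krb5", "krb5i", "krb5p"}  # the Kerberos modes this page lists


def lint_volume(vol):
    """Return findings for one volume definition (hypothetical dict layout)."""
    findings = []
    protos = set(vol["protocols"])
    rules = vol.get("exportRules", [])
    if "NFSv4.1" in protos and vol["serviceType"] != "CVS-Performance":
        findings.append("NFSv4.1 requires the CVS-Performance service type")
    if vol.get("kerberosEnabled") and "NFSv4.1" not in protos:
        findings.append("Kerberos is enabled but the volume is not NFSv4.1")
    if not rules:
        findings.append("no export policy rule: the volume cannot be accessed")
    rule_uses_krb = False
    for i, rule in enumerate(rules):
        # strict=False accepts a host address as well as a CIDR range
        net = ipaddress.ip_network(rule["allowedClients"], strict=False)
        if net.prefixlen == 0:
            findings.append(f"rule {i}: allowed clients match every address")
        extra = set(rule["protocols"]) - protos
        if extra:
            findings.append(f"rule {i}: {sorted(extra)} not enabled on the volume")
        if rule.get("rootAccess", True):  # root access is on unless set to Off
            findings.append(f"rule {i}: root access on (no_root_squash equivalent)")
        modes = set(rule.get("kerberos", []))
        if modes - KRB_MODES:
            findings.append(f"rule {i}: unknown Kerberos mode {sorted(modes - KRB_MODES)}")
        rule_uses_krb = rule_uses_krb or bool(modes)
    if rules and rule_uses_krb != bool(vol.get("kerberosEnabled")):
        findings.append("kerberosEnabled flag and Kerberos export rules do not match")
    return findings


# Constructed sample: rule 0 is tight, rule 1 shows three common mistakes.
SAMPLE = {
    "serviceType": "CVS-Performance",
    "protocols": ["NFSv4.1"],
    "kerberosEnabled": True,
    "exportRules": [
        {"allowedClients": "10.10.0.0/24", "access": "ReadWrite",
         "protocols": ["NFSv4.1"], "rootAccess": False, "kerberos": ["krb5p"]},
        {"allowedClients": "0.0.0.0/0", "access": "ReadOnly",
         "protocols": ["NFSv3"]},
    ],
}

if __name__ == "__main__":
    for finding in lint_volume(SAMPLE):
        print(finding)
```

For the constructed sample, only the second rule produces findings: an allowed-clients range that matches every address, an NFSv3 export on an NFSv4.1 volume, and root access left at its default.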
