You first create an NFS volume, and then you mount your NFS exports to Compute Engine instances.
An NFS volume can use NFSv3 or NFSv4.1. The following considerations apply:
- About NFS versions: NFSv3 can handle a variety of use cases and is commonly deployed in most enterprise applications. You should validate what version (NFSv3 or NFSv4.1) your application requires and create your volume using the appropriate version. For example, if you use Apache ActiveMQ, file locking with NFSv4.1 is recommended over NFSv3.
- Security: Support for UNIX mode bits (read, write, and execute) is available for NFSv3 and NFSv4.1. Root-level access is required on the NFS client to mount NFS volumes.
- Local user/group and LDAP support for NFSv4.1: Currently, NFSv4.1 supports root access to volumes only.
- After you create an NFS volume, you cannot change the protocol type between NFSv3 and NFSv4.1.
- The CVS service type does not currently support NFSv4.1. If you want to use NFSv4.1, use the CVS-Performance type to create a NFSv4.1 volume.
NFS users are generally limited to 16 group identifiers (GIDs). The CVS-Performance service type supports a larger number of GIDs through extended groups support with LDAP, which is enabled by default. Currently, this capability is only supported with the Active Directory LDAP service. For more information, see Creating an AD connection.
Creating an NFS volume
You can create an NFS volume with either the general-purpose CVS service type or the CVS-Performance service type. The service type that you select for a volume depends on the workload needs that you have for that volume. By default, an NFS volume is created using the CVS service type. For more information, see Service types.
In the Cloud Console, go to the Volumes page.
On the Create File System page, specify the name and options for your volume as indicated in the following table.
Required fields are marked with an asterisk (*).
Field Description CVS CVS-Performance Name* Name displayed for the volume. Service Type*
CVS or CVS-Performance service type.
Each service type offers different service levels, and the service levels are offered in different regions. For details, see Service types.
Region* Google Cloud region for your volume. For more information, see Best practices for Compute Engine region selection. Zone* Google Cloud zone for your volume. Volume Path* The system automatically generates a recommended volume path. The name must be unique across all of your cloud volumes. Service Level*
- For the CVS service type, select the level of availability for the volume.
- For the CVS-Performance service type, select the level of performance for the volume.
Snapshot Allows you to create a volume based on a snapshot. For details, see Creating and managing volume snapshots. Allocated Capacity* Size of the cloud volume. The minimum size is 1,024 GiB (1 TiB). Protocol Type* The NFS protocol that applies to your service type: NFSv3, NFSv4.1, or Both (NFSv3/NFSv4.1). Make snapshot directory (.snapshot) visible Makes your snapshot directory visible to the client as a
~snapshothidden directory in the root of the mapped share. Enables Previous Versions access in Windows Explorer.
In the Network Details section, specify the following:
Shared VPC configuration: The VPC network can be part of a host project in a shared VPC network, or it can be a standalone project. If you have a host project and shared VPC topology, select Shared VPC configuration. For standalone projects, leave the box cleared.
VPC Network Name: Select the network from which the volume will be accessible.
If this is the first time that you're setting up VPC peering for Cloud Volumes Service, you receive the following prompt indicating that you need to set up network peering:
Click the View commands how to set up network peering button. To configure VPC peering, follow the steps in the dialog that appears.
Optionally, you can specify a custom CIDR range by selecting Use Custom Address Range. This allows you to, for example, specify a CIDR range that doesn't overlap with your on-premises CIDR blocks. To allow for future flexibility, you can increase the CIDR block size (prefix range). The CIDR range can't be changed or edited later.
For more information, see Setting up private services access.
To manage export policy rules for the volume, expand Show export policy and do the following:
- Click Add Rule to define the allowed clients and their access type.
- In the Allowed clients field, enter the IP address or range of addresses that are allowed to connect to the cloud volume.
To select the type of access these IP addresses have to the cloud volume, select Read & Write or Read Only.
Root Access is enabled by default and is only available for the CVS-Performance service type. This setting corresponds to the
no_root_squashoption on other NFS servers.
To disable this option, select Off.
Select the checkbox for the corresponding NFS version for which you want to give access. You can add additional rules as needed.
The protocol type allowed for the export must match the protocol type that you previously selected. A warning appears if the protocol type you select to allow for export does not match the protocol type selected for the volume.
You will not be able to access your NFS volumes unless you add an export policy.
To manage the snapshot policy for the volume, expand Show snapshot policy, select Allow automatic snapshots, specify the snapshot schedules, and specify the number of snapshots to keep.
For details, see Managing snapshot policies.
Click Save to create the volume.
The new volume appears in the Volumes list.
Mounting NFS exports to Compute Engine instances
In the Cloud Console, go to the Volumes page.
Click the NFS volume for which you want to mount NFS exports.
Scroll to the right, click More more_vert, and then click Mount Instructions.
Follow the instructions in the Mount Instructions for NFS window.
The mounting instructions might be slightly different depending on which NFS protocol you have configured for the volume. The following example is for NFSv4.1.
Disabling root access to the volume
By default, root access to a volume is enabled. This corresponds to the
no_root_squash option on other NFS servers.
You can disable root access to a volume with the UI or the API. This option is only available for volumes of the CVS-Performance service type.
You can enable or disable root access when you create or edit a volume.
For details of enabling or disabling root access with the UI, see Creating an NFS volume.
For an example of disabling root access with the API, see
Update volume with
Configuring NFSv4.1 Kerberos encryption
Cloud Volumes Service supports NFS client encryption in Kerberos modes krb5, krb5i, and krb5p, with AES-256 encryption.
You can enable NFSv4.1 Kerberos encryption when you create a volume with the console UI or with the API.
For more information about NFS Kerberos in ONTAP, see the ONTAP technical report (PDF).
Enable Kerberos encryption with the console UI
When you create the NFSv4.1 volume for the CVS-Performance service type, select Enable Kerberos in the Volume details section of the Create file system page.
Manage Kerberos encryption with the API
For an example of creating a volume with Kerberos encryption using the API, see Create NFS volume with NFSv4 Kerberos encryption.
You can use the
createVol API to create a volume with parameters for Kerberos
encryption (types krb5, krb5i, krb5p) and the
kerberosEnabled flag. The
createVol API performs validation to make sure that the
and Kerberos export policy rules match.
updateVolume API, you can’t change whether a volume has Kerberos
encryption enabled. The
updateVolume API doesn’t provide a
field. You can only modify export policy rules with the
You can use the
getVolumeDetails API to return the parameters for export
policy rules and the
- Monitoring cloud volumes
- Creating and managing volume snapshots
- Reverting a volume using a snapshot
- Backing up and restoring a cloud volume
- Security considerations
- FAQs about NetApp Cloud Volumes Service for Google Cloud
- Resource limits and quotas