Creating and managing SMB volumes

Before you can create and manage SMB volumes, you must review security considerations regarding SMB access. You must also add an Active Directory (AD) connection. Currently, Cloud Volumes Service supports only one AD connection per Google Cloud region per project. You can only associate a cloud volume in a region with the AD connection in the same region.

The following diagram shows how Cloud Volumes Service works with Windows applications on Google Cloud:

Cloud Volumes Service Windows

For more information about SMB services provided by Cloud Volumes Service for Google Cloud, see SMB performance FAQs.

Creating an AD connection

You can set up an AD connection for Cloud Volumes Service to an AD configured on Compute Engine or to an on-premises Active Directory service if the on-premises network is connected to Google Cloud.

For information about creating and setting up Active Directory, see Federating Google Cloud with Active Directory.

  1. In the Cloud Console, go to Cloud Volumes.

    Go to the Cloud Volumes page

  2. Select Active Directory connections, and then click Create.

  3. In the Create Active Directory Connection dialog, enter the information indicated in the following table.

    Required fields are marked with an asterisk (*).

    • Credentials for the AD account with permissions to create the computer account within the specified organizational unit.

    • Connection type*: Specifies whether an AD connection will be used for volumes of the CVS service type or volumes of the CVS-Performance service type.

      You can mark existing AD connections with the AD connection type to avoid problems when creating new volumes or editing parameters of that AD connection. Specifying the wrong connection type for an existing AD connection can cause problems with creating new volumes or editing parameters of that AD connection.

    • Domain*: Fully qualified domain name for the AD domain.

    • Site: Name of an AD site to limit discovery of AD domain controllers. Use when multiple AD connections in different regions are configured.

    • DNS Servers*: IP addresses for DNS servers that hold the DNS records for the AD domain. The CVS-Performance service type checks all IP addresses listed. The CVS service type uses the first IP address listed.

      This setting is used to find suitable AD domain controllers (DCs) using DNS-based discovery. A random DC is picked from the returned list. The DNS server specified is not necessarily the server used as the DC. The CVS-Performance service type supports connecting to any AD DCs in the peered VPC network, independent of the Google Cloud region. The CVS service type only supports connecting to AD DCs located in the same region. For the CVS service type, you must limit the list to DCs within the region to avoid volume creation timeouts or SMB access issues. For more information, see How can I identify Active Directory domain controllers used by CVS and CVS-Performance?.

    • NetBIOS*: Create a unique name. Used as the prefix in the share name path (10 characters or fewer).

    • Organizational Unit: LDAP path for the organizational unit where the computer account will be created.

    • Enable AES Encryption for AD authentication: Enables AES-128 and AES-256 encryption for Kerberos-based communication with Active Directory.

    • Kerberos Realm: Used with NFSv4.1 Kerberos volumes to create the service principal name machine account. AD Server Name and Key Distribution Center (KDC) IP can be the same server.

    • Region*: Associates the AD connection that you're creating with a single region.

    • Allow local NFS users with LDAP: The AD connection supports NFS extended groups (greater than 16 GIDs) with the CVS-Performance service type by default. However, the use of extended groups disables support for users that exist on the NFS client locally. If you need support for local users instead of extended groups, select this checkbox.

    • Backup Users: Domain users or group to receive elevated file/folder privileges. Can be used for data migration, NetApp Global File Cache.

    • Security Privilege Users: Domain user accounts that require elevated privileges to manage security logs for the Active Directory associated with Cloud Volumes Service. This list is specifically needed for the installation of a SQL server where binaries and system databases are stored on an SMB share. This option isn't required if you use an administrator user during installation.

  4. Click Save.
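
The DNS Servers and Site descriptions above imply a check worth running before you save the connection: which DCs does discovery return, and are they all in the volume's region? The following pre-flight check is an added example, not code from this page or from the service. It assumes discovery uses the standard AD DC-locator SRV names, and the dictionary keys, hostnames, addresses and subnets are constructed for illustration.

```python
import ipaddress

def locator_name(domain, site=None):
    """Standard AD DC-locator SRV name, optionally scoped to one AD site."""
    scope = f"{site}._sites." if site else ""
    return f"_ldap._tcp.{scope}dc._msdcs.{domain}"

def check_ad_connection(conn, discovered_dcs, region_subnets):
    """Return findings for an AD connection before it is saved.

    conn            dialog values (key names are hypothetical)
    discovered_dcs  {hostname: ip} from an SRV lookup of locator_name()
    region_subnets  CIDR blocks that hold the DCs in the connection's region
    """
    findings = []
    if conn["type"] not in ("CVS", "CVS-Performance"):
        findings.append(f"unknown connection type {conn['type']!r}")
    if not 1 <= len(conn["netbios"]) <= 10:
        findings.append("NetBIOS prefix must be 1 to 10 characters")
    # ip_address() raises ValueError on a malformed entry.
    dns = [ipaddress.ip_address(s) for s in conn["dns_servers"]]
    if not dns:
        findings.append("at least one DNS server is required")
    if conn["type"] == "CVS":
        if len(dns) > 1:
            findings.append(f"CVS uses only the first DNS server ({dns[0]})")
        nets = [ipaddress.ip_network(n) for n in region_subnets]
        for host, ip in sorted(discovered_dcs.items()):
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                findings.append(f"{host} ({ip}) is outside the region: "
                                "restrict discovery with the Site field")
    return findings

# Constructed sample values, not taken from a real environment.
CONN = {"type": "CVS", "netbios": "CVSFILESRV01",
        "dns_servers": ["10.10.0.5", "10.20.0.5"]}
DISCOVERED = {"dc1.corp.example.com": "10.10.0.5",
              "dc2.corp.example.com": "10.20.0.5"}
REGION_SUBNETS = ["10.10.0.0/16"]

if __name__ == "__main__":
    print("lookup:", locator_name("corp.example.com", "us-east4"))
    for finding in check_ad_connection(CONN, DISCOVERED, REGION_SUBNETS):
        print("-", finding)
```

Fill `discovered_dcs` from an SRV query of `locator_name()` against the first DNS server you plan to list, because that is the only one the CVS service type uses.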

Creating an SMB volume

Before you create an SMB volume, you must complete the steps in Enabling billing and APIs and create a Private Service Connection. Otherwise, the volume creation process fails.

  1. In the Cloud Console, go to the Volumes page.

    Go to the Volumes page

  2. Click Create.

  3. On the Create File System page, specify the name and options for your volume as indicated in the following table.

    Required fields are marked with an asterisk (*).

    • Name*: Name displayed for the volume.

    • Billing Label: Adds a label to the volume for billing reports and queries.

    • Service Type*: CVS or CVS-Performance service type.

      Each service type offers different service levels, and the service levels are offered in different regions. For details, see Service types.

    • Region*: Google Cloud region for your volume. For more information, see Best practices for Compute Engine region selection.

    • Zone*: Google Cloud zone for your volume.

    • Volume Path*: The system automatically generates a recommended volume path. The name must be unique across all of your cloud volumes.

    • Service Level*:
      • For the CVS service type, select the level of availability for the volume.
      • For the CVS-Performance service type, select the level of performance for the volume.

    • Snapshot: Allows you to create a volume based on a snapshot. For details, see Creating and managing volume snapshots.

    • Allocated Capacity*: Size of the cloud volume. The minimum size is 1,024 GiB (1 TiB).

    • Protocol Type*: Select SMB.

    • Make snapshot directory (.snapshot) visible: Makes your snapshot directory visible to the client as a ~snapshot hidden directory in the root of the mapped share. Enables Previous Versions access in Windows Explorer.

    • Enable SMB encryption: Enables SMB encryption for in-flight SMB3 data. SMB clients that don't use encryption can't access a volume that has this option enabled.

    • Enable CA share support for SQL Server, FSLogix: Enables continuously available (CA) share support for SQL Server and FSLogix. This option is only supported for these workloads.

    • Hide SMB Share: Enhances security by preventing your volume and data from being viewable by untrusted sources. Makes the SMB share non-browsable.

    • Enable access-based enumeration (ABE): Provides additional security so that users see only the files and folders to which they have access permissions.

  4. In the Network Details section, specify the following:

    • Shared VPC Configuration: The VPC network can be part of a host project in a shared VPC network, or it can be a standalone project. If you have a host project and shared VPC topology, select Shared VPC configuration. For standalone projects, leave the box cleared.

    • VPC Network Name: Select the network from which the volume will be accessible.

    • If this is the first time that you're setting up the VPC peering for Cloud Volumes Service, you receive the following prompt indicating that you need to set up network peering:

      Network peering warning window. The service networking peering for this VPC is not set up.

      Click the View commands how to set up network peering button. To configure VPC peering, follow the steps in the dialog that appears.

    • Optionally, you can specify a custom CIDR range by selecting Use Custom Address Range. This allows you to, for example, specify a CIDR range that doesn't overlap with your on-premises CIDR blocks. To allow for future flexibility, you can increase the CIDR block size (prefix range). The CIDR range can't be changed or edited later.

    For more information, see Setting up private services access.

  5. To manage the snapshot policy for the volume, expand Show snapshot policy, select Allow automatic snapshots, specify the snapshot schedules, and specify the number of snapshots to keep. For details, see Managing snapshot policies.

  6. Click Save to create the volume.

    The new volume appears in the Volumes list.
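
Because the custom CIDR range from step 4 can't be changed after it is set, it is worth checking a candidate against every range already in use before you enter it. The following check is an added example, not code from this page or from the service. The on-premises and VPC ranges are constructed, and the prefix length is a parameter you choose, since the page does not state a required size.

```python
import ipaddress

def overlapping(candidate, in_use):
    """Return the in-use blocks that the candidate range collides with."""
    # ip_network() raises ValueError if the candidate has host bits set.
    cand = ipaddress.ip_network(candidate)
    return [str(n) for n in map(ipaddress.ip_network, in_use)
            if cand.overlaps(n)]

def first_free_block(parent, prefix, in_use):
    """Return the first block of the given prefix length inside parent that
    overlaps nothing in in_use, or None when the parent range is exhausted."""
    used = [ipaddress.ip_network(n) for n in in_use]
    for block in ipaddress.ip_network(parent).subnets(new_prefix=prefix):
        if not any(block.overlaps(u) for u in used):
            return str(block)
    return None

# Constructed sample ranges, not taken from a real environment.
ON_PREM = ["10.0.0.0/16", "10.1.0.0/16"]   # routed from on-premises
VPC_SUBNETS = ["10.2.0.0/20"]              # already allocated in the VPC
IN_USE = ON_PREM + VPC_SUBNETS

if __name__ == "__main__":
    # A candidate that collides with an on-premises block.
    print("collides with:", overlapping("10.1.128.0/24", IN_USE))
    # A larger block leaves room for growth, since the range is fixed later.
    print("first free /20:", first_free_block("10.0.0.0/8", 20, IN_USE))
```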

Mapping SMB shares from Compute Engine instances

  1. In the Cloud Console, go to the Volumes page.

    Go to the Volumes page

  2. Click the SMB volume for which you want to map an SMB share.

  3. Scroll to the right, click More, and then click Mount Instructions.

  4. Follow the instructions in the Mount Instructions for SMB window that appears.

What's next