Security considerations

This page provides an overview of security considerations for NFS or SMB access of Cloud Volumes Service.

For more information, see Security overview - NetApp Cloud Volumes Service in Google Cloud. This technical report from NetApp covers the security architecture of Cloud Volumes Service and the security basics of NFS and SMB operations.

Firewall rules

Google Cloud has strict inbound firewall rules that are categorized as default and implied. Every VPC network has two implied firewall rules. Understanding the implied rules helps you manage access to the cloud volumes.

  • The implied allow egress rule: The rule's action is to allow, the destination IP range is 0.0.0.0/0, and the priority is the lowest possible (65535). It lets any instance send traffic to any destination. You can restrict outbound access with a firewall rule that has a higher priority. Internet access is permitted if no other firewall rules deny the outbound traffic and if the instance has an external IP address or uses a NAT instance. See Internet access requirements for more details.
  • The implied deny ingress rule: The rule's action is to deny, the source is 0.0.0.0/0, and the priority is the lowest possible (65535). It protects all instances by blocking incoming traffic to them. You can permit incoming access with a firewall rule that has a higher priority. Note that the default network includes some additional rules that override this rule to permit certain types of incoming traffic.

NFS access

NFS uses several ports for communication between the initiator and the target. To ensure proper communication and a successful volume mount, you must open these ports on the VPC firewalls. If a local firewall is enabled on the compute instance, you must also open these ports there. The required ports are as follows:

  • 111 TCP/UDP portmapper
  • 2049 TCP/UDP nfsd
  • 635 TCP/UDP mountd
  • 4045 TCP/UDP nlockmgr
  • 4046 TCP/UDP status

Volumes of the CVS service type don't support NFS traffic over UDP.

SMB access

SMB uses several ports for communication between the initiator and the target. To ensure proper communication and a successful volume mapping, you must open these ports on the VPC firewalls. If a local firewall is enabled on the compute instance, you must also open these ports there. The required ports are as follows:

  • 135 TCP msrpc
  • 445 TCP SMB2/3
  • 40001 TCP SMB witness

Ports 135/TCP and 40001/TCP are used only for Witness protocol communication for SMB 3.x continuously available (CA) shares. These ports are not required for non-CA shares.

Port 139/TCP is exposed by the service, but not used.

Communication between Cloud Volumes Service and Active Directory

You must create a set of inbound rules that allow Cloud Volumes Service to initiate communication with the AD domain controllers. Add these rules to the security groups attached to each AD instance so that inbound traffic is permitted from the storage subnet CIDR or from the specific IP address. You must open the required ports with firewall rules so that the CIDR range can access Cloud Volumes Service.

The required ports are as follows:

  • ICMPV4
  • DNS 53 TCP
  • DNS 53 UDP
  • LDAP 389 TCP
  • LDAP 389 UDP
  • LDAP (GC) 3268 TCP
  • SAM/LSA 445 TCP
  • SAM/LSA 445 UDP
  • Secure LDAP 636 TCP
  • Secure LDAP 3269 TCP
  • W32Time 123 UDP
  • AD Web Svc 9389 TCP
  • Kerberos 464 TCP
  • Kerberos 464 UDP
  • Kerberos 88 TCP
  • Kerberos 88 UDP
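The NFS, SMB and Active Directory port lists above are easy to get subtly wrong in a VPC rule (a missing UDP entry, a forgotten witness port, or a source range far wider than the storage subnet). The following added example, not part of the Google Cloud or NetApp documentation, audits a firewall rule shaped like the JSON that `gcloud compute firewall-rules describe --format=json` returns (assumption: only the `allowed` and `sourceRanges` keys are consulted) against the page's port sets; the sample rule is constructed.

```python
from ipaddress import ip_network

# Required (port, protocol) pairs, copied from the lists on this page.
NFS_PORTS = {(111, "tcp"), (111, "udp"), (2049, "tcp"), (2049, "udp"),
             (635, "tcp"), (635, "udp"), (4045, "tcp"), (4045, "udp"),
             (4046, "tcp"), (4046, "udp")}  # CVS service type: UDP unsupported
SMB_PORTS = {(445, "tcp")}  # non-CA shares
SMB_CA_PORTS = SMB_PORTS | {(135, "tcp"), (40001, "tcp")}  # SMB 3.x CA witness
AD_PORTS = {(53, "tcp"), (53, "udp"), (389, "tcp"), (389, "udp"),
            (3268, "tcp"), (445, "tcp"), (445, "udp"), (636, "tcp"),
            (3269, "tcp"), (123, "udp"), (9389, "tcp"), (464, "tcp"),
            (464, "udp"), (88, "tcp"), (88, "udp")}  # plus ICMPv4, see below

def _expand(spec):
    """Expand a gcloud port spec like '4045-4046' or '2049' into a set of ints."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def allowed_ports(rule):
    """Flatten rule['allowed'] ([{IPProtocol, ports}]) into (port, proto) pairs."""
    out = set()
    for entry in rule.get("allowed", []):
        proto = entry["IPProtocol"].lower()
        for spec in entry.get("ports", []):
            out |= {(p, proto) for p in _expand(spec)}
    return out

def missing_ports(rule, required):
    """Required pairs the rule does not open; an empty set means fully covered."""
    return required - allowed_ports(rule)

def allows_icmp(rule):
    """The AD list also needs ICMPv4, which has no port number to compare."""
    return any(e["IPProtocol"].lower() == "icmp" for e in rule.get("allowed", []))

def overly_broad_sources(rule, storage_cidr):
    """Source ranges not contained in the storage subnet CIDR (e.g. 0.0.0.0/0)."""
    wanted = ip_network(storage_cidr)
    return [r for r in rule.get("sourceRanges", [])
            if not ip_network(r).subnet_of(wanted)]

# Constructed sample rule (not from a real project): NFS over TCP only,
# with a source range wider than the storage subnet it should be limited to.
SAMPLE_RULE = {
    "name": "allow-nfs-example", "direction": "INGRESS",
    "sourceRanges": ["10.0.0.0/8"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["111", "2049", "635", "4045-4046"]}],
}
```

Running `missing_ports(SAMPLE_RULE, NFS_PORTS)` reports the five UDP entries, and `overly_broad_sources(SAMPLE_RULE, "10.20.0.0/24")` flags the /8 source range.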

Permissions for Cloud Volumes Service

Cloud Volumes Service supports a granular set of permissions. These granular permissions are combined into two predefined roles, and they can also be added to Google Cloud IAM custom roles.

The granular permissions are the following:

  • cloudvolumesgcp-api.netapp.com/activeDirectories.create
  • cloudvolumesgcp-api.netapp.com/activeDirectories.delete
  • cloudvolumesgcp-api.netapp.com/activeDirectories.get
  • cloudvolumesgcp-api.netapp.com/activeDirectories.list
  • cloudvolumesgcp-api.netapp.com/activeDirectories.update
  • cloudvolumesgcp-api.netapp.com/ipRanges.list
  • cloudvolumesgcp-api.netapp.com/jobs.get
  • cloudvolumesgcp-api.netapp.com/jobs.list
  • cloudvolumesgcp-api.netapp.com/regions.list
  • cloudvolumesgcp-api.netapp.com/serviceLevels.list
  • cloudvolumesgcp-api.netapp.com/snapshots.create
  • cloudvolumesgcp-api.netapp.com/snapshots.delete
  • cloudvolumesgcp-api.netapp.com/snapshots.get
  • cloudvolumesgcp-api.netapp.com/snapshots.list
  • cloudvolumesgcp-api.netapp.com/snapshots.update
  • cloudvolumesgcp-api.netapp.com/volumereplication.authorize
  • cloudvolumesgcp-api.netapp.com/volumereplication.break
  • cloudvolumesgcp-api.netapp.com/volumereplication.create
  • cloudvolumesgcp-api.netapp.com/volumereplication.delete
  • cloudvolumesgcp-api.netapp.com/volumereplication.get
  • cloudvolumesgcp-api.netapp.com/volumereplication.list
  • cloudvolumesgcp-api.netapp.com/volumereplication.release
  • cloudvolumesgcp-api.netapp.com/volumereplication.resync
  • cloudvolumesgcp-api.netapp.com/volumereplication.update
  • cloudvolumesgcp-api.netapp.com/volumes.create
  • cloudvolumesgcp-api.netapp.com/volumes.delete
  • cloudvolumesgcp-api.netapp.com/volumes.get
  • cloudvolumesgcp-api.netapp.com/volumes.list
  • cloudvolumesgcp-api.netapp.com/volumes.update

The two predefined roles are netappcloudvolumes.admin and netappcloudvolumes.viewer. You can assign these roles to specific users or service accounts.

The netappcloudvolumes.admin role contains the full permission set listed above, while the netappcloudvolumes.viewer role contains the list and get permissions on specific objects.

Add Cloud Volumes Service roles to a user

To grant a user the netappcloudvolumes.admin role, use the following command, substituting the appropriate user name and project ID for myuser@myorg.com and my-project.

gcloud projects add-iam-policy-binding my-project \
    --member='user:myuser@myorg.com' \
    --role='roles/netappcloudvolumes.admin'

To grant a user the netappcloudvolumes.viewer role, use the following command, substituting the appropriate user name and project ID for myuser@myorg.com and my-project.

gcloud projects add-iam-policy-binding my-project \
    --member='user:myuser@myorg.com' \
    --role='roles/netappcloudvolumes.viewer'

Add Cloud Volumes Service permissions to a Google Cloud IAM custom role

To grant specific permissions to a user, you need to configure a Google Cloud IAM custom role, assign specific CVS permissions to the role, and then add the custom role to one or more users.

  1. Configure a Google Cloud IAM custom role using the Cloud console or the Cloud Shell commands. If a custom IAM role is already configured, you can skip this step.

  2. Assign specific CVS permissions to the custom role:

    1. While viewing the role details, select Edit role from the top menu.
    2. On the Edit role page, click Add permissions.
    3. In the filter, enter netapp to see the list of permissions specific to Cloud Volumes Service.
    4. Select the checkbox for permissions that you want to add to the role.
    5. Click Add.
  3. Add the IAM custom role to a user:

    1. Select IAM from the left navigation menu and select the user you want to update.
    2. Click the Edit member button.
    3. On the Edit permissions page, add the custom role created in the previous step.
    4. Click Save.