Private services access

Last reviewed 2023-06-08 UTC

Cloud Volumes Service uses private services access to create a high-throughput and low-latency data path connection. You need to perform the following steps once for each project. However, if you are using a shared VPC, you only need to perform these steps on the host project. You can only peer VPC networks that use RFC 1918 address ranges as internal addresses.

You need to perform the following steps based on the service type—CVS or CVS-Performance—that you deploy for your project. For example, if you deploy a volume that uses the CVS service type, use the commands for the CVS service type to perform the steps. If, later, you deploy a volume that uses the CVS-Performance service type, you need to perform the steps again and use commands for the CVS-Performance service type.

The steps and examples in this section assume that you are deploying a volume of each service type and that you use a separate VPC network for each service type.

When you create a volume with a VPC network that hasn't yet been peered, a dialog appears with a message stating, View commands how to set up network peering, indicating that you need to set up network peering. The example commands that are shown when you click the button in that dialog give the minimum CIDR block size, but you might need to increase it to allow for growth in usage.

If you plan to peer your consumer project with other producer organizations in addition to NetApp, you must use a different IP address allocation for each of those producers. This precaution is necessary because Cloud Volumes Service uses dynamic routes with your consumer project, but Google Cloud does not check whether your dynamic route allocations overlap. Because these routes are not visible to the other participating producers, multiple producers could inadvertently use an allocation from the same range, causing IP collisions and routing issues.

Set up private service access

  1. Create an allocated IP address range within your VPC network for the Cloud Volumes Service mount points.

    You can't modify the IP address range after you establish it and allocate it to a volume, so we recommend allocating a range that is large enough to accommodate future usage. However, if the IP address range allocation is too small, you can add additional CIDR ranges.

    • For the CVS-Performance service type, the minimum CIDR range you can use is /24, which allows you to provision up to 16 region-service project combinations when each range is /28. If you require more regions, service projects, or both, choose a CIDR that can accommodate more /28 subnets.

    • The CVS service type (Standard-SW) needs a minimum CIDR block of /25 (128 addresses). This supports up to 100 storage pools with up to 50 volumes each per region in your project. A larger block can support more region and project pairs. Cross-region access isn't supported.

    • Shared VPC is supported for the CVS and CVS-Performance service types. For shared VPC networks, peering is done from the host project only. Each service project in an additional region uses an additional CIDR block (/28 for the CVS-Performance service type and /25 for the CVS service type) from the VPC range.

    The following example assumes deployment of volumes of the CVS-Performance service type:

    CIDR range Number of region and project pairs supported Example region to project pairs
    /28 1 Region1:Project1
    /27 2 Region1:Project1
    Region2:Project1
    /26 4 Region1:Project1
    Region2:Project1
    Region3:Project1
    Region1:Project2
    /25 8 Region1:Project1
    Region2:Project1
    Region1:Project2
    Region2:Project2
    Region1:Project3
    Region2:Project3
    Region1:Project4
    Region2:Project4
    /24 16 Region1:Project1
    Region1:Project2
    Region1:Project3
    Region1:Project4
    Region2:Project1
    Region2:Project2
    Region2:Project3
    Region2:Project4
    Region3:Project1
    Region3:Project2
    Region3:Project3
    Region3:Project4
    Region4:Project1
    Region4:Project2
    Region4:Project3
    Region4:Project4

    The following example assumes that a VPC network already exists in the project:

    gcloud \
        --project=my-cvs-prj compute addresses create netapp-addresses-production-vpc1 \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=20 \
        --network=production-vpc1 \
        --no-user-output-enabled
    

    When you use this command, Google Cloud picks an RFC 1918 CIDR base for you. If you need to control the CIDR base, use the following syntax:

    gcloud \
      --project=my-cvs-prj compute addresses create netapp-addresses-production-vpc1 \
      --global \
      --addresses 192.168.0.0 \
      --purpose=VPC_PEERING \
      --prefix-length=20 \
      --network=production-vpc1 \
      --no-user-output-enabled
    

    If you specify non-RFC 1918 addresses, follow the instructions in Use non-RFC 1918 IP addresses.

  2. Create a private service connection to the Cloud Volumes Service endpoint.

    CVS service type example:

    gcloud \
        --project=my-cvs-prj services vpc-peerings connect \
        --service=cloudvolumesgcp-sds-api-network.netapp.com \
        --ranges=netapp-addresses-production-vpc1 \
        --network=production-vpc1
    

    CVS-Performance service type example:

    gcloud \
        --project=my-cvs-prj services vpc-peerings connect \
        --service=cloudvolumesgcp-api-network.netapp.com \
        --ranges=netapp-addresses-production-vpc1 \
        --network=production-vpc1
    
  3. Enable custom route propagation:

    CVS service type example:

    gcloud \
        --project=my-cvs-prj compute networks peerings update netapp-sds-nw-customer-peer \
        --network=production-vpc1 \
        --import-custom-routes \
        --export-custom-routes
    

    CVS-Performance service type example:

    gcloud \
        --project=my-cvs-prj compute networks peerings update netapp-cv-nw-customer-peer \
        --network=production-vpc1 \
        --import-custom-routes \
        --export-custom-routes
    
  4. Check that the connection is established:

    gcloud \
        --project=my-cvs-prj services vpc-peerings list \
        --network=production-vpc1
    

Add CIDR ranges

If the initial CIDR range is too small and you run out of /28 (CVS-Performance) or /25 (CVS) blocks, you can add CIDR ranges to the allocation.

With the additional address blocks, you can use Cloud Volumes Service in additional regions or service projects.

Before you add a CIDR range, review the steps in Setting up private service access. Make sure that the additional CIDR range is large enough to accommodate future increased usage.

  1. Create an additional IP allocation range.

    • The following example assumes that a VPC network already exists in the project:

      gcloud \
        --project=my-cvs-prj compute addresses create netapp-addresses-production-vpc1-2 \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=20 \
        --network=production-vpc1 \
        --no-user-output-enabled
      

    If you need to control which CIDR base is used, add the --addresses CIDR_BASE parameter.

  2. Add the new IP address allocation to the existing peering connection:

    • CVS service type example:

      gcloud \
        --project=my-cvs-prj services vpc-peerings update \
        --service=cloudvolumesgcp-sds-api-network.netapp.com \
        --ranges=netapp-addresses-production-vpc1,netapp-addresses-production-vpc1-2 \
        --network=production-vpc1
      
    • CVS-Performance service type example:

      gcloud \
        --project=my-cvs-prj services vpc-peerings update \
        --service=cloudvolumesgcp-api-network.netapp.com \
        --ranges=netapp-addresses-production-vpc1,netapp-addresses-production-vpc1-2 \
        --network=production-vpc1
      

Use non-RFC 1918 IP addresses

You can bring non-RFC 1918 IP addresses (non-private addresses) into the NetApp network for the CVS-Performance service type. You can create a new subnet with a new VPC network or add a new subnet to an existing VPC network. You can use non-RFC 1918 IP addresses for clients of the CVS-Performance service type, but not for the storage IP addresses.

Create a new subnet with a new VPC network

  1. Create a new VPC network and a new subnet with the non-RFC 1918 IP address range.

  2. In Cloud Volumes Service, create a volume in the new VPC network. Select the newly created VPC network name in which the volume is accessible.

  3. To set up a peer network to create the volume, click the View commands how to set up network peering button, and run the given commands.

  4. Enable the peer on your platform to accept incoming and outgoing public routes:

    gcloud \
        --project=cloud-heroes compute networks peerings update netapp-cv-nw-customer-peer \
        --network=nonrfcdemovpc \
        --import-subnet-routes-with-public-ip \
        --export-subnet-routes-with-public-ip
    
  5. Set the export policy in the volume details with the VM instance's IP address range.

    You can then export the volume to the VM and run your workloads on the volume.

Add a new subnet in an existing VPC network

  1. Create a new subnet with the non-RFC 1918 IP address range in an existing VPC network.
  2. Create a support case with NetApp to enable the non-RFC 1918 IP address range.

Access Cloud Volumes from different regions or external networks

Your project can access a volume of the CVS or CVS-Performance service type from any zone within the region in which a volume is provisioned. Furthermore, if your VPC has enabled global dynamic routing, your project can access a CVS-Performance volume from any other Google Cloud regions.

If you want to access volumes of the CVS-Performance service type from an external network, like an on-premises network through a VPN or Cloud Interconnect, you need to configure a static route on the on-premises router to the CIDR range that you selected in step 1 when you set up private service access for Cloud Volumes Service. A volume of the CVS service type is only accessible from within its region.

What's next