Setting up private services access

Cloud Volumes Service uses private services access to create a high-throughput and low-latency data-path connection. You need to perform the following steps once for each project. However, if you are using Shared VPC, you only need to perform these steps on the host project. You can only peer VPC networks that use RFC 1918 address ranges as internal addresses.

You need to perform the following steps based on the service type (CVS or CVS-Performance) that you deploy for your project. For example, if you deploy a volume that uses the CVS service type, use the commands for the CVS service type to perform the steps. If, later, you deploy a volume that uses the CVS-Performance service type, you need to perform the steps again and use commands for the CVS-Performance service type.

The steps and examples in this section assume that you are deploying a volume of each service type and that you will use a separate VPC network for each service type.

When you create a volume with a VPC network that hasn't yet been peered, a dialog appears indicating that you need to set up network peering, with a button labeled "View commands how to set up network peering". The example commands shown when you click that button give the minimum CIDR block size, but you might need to increase it to allow for growth in usage.

If you plan to peer your consumer project with other producer organizations in addition to NetApp, you must use a different IP address allocation for each of those producers. This precaution is necessary because Cloud Volumes Service uses dynamic routes with your consumer project, but Google Cloud does not check whether your dynamic route allocations overlap. Because these routes are not visible to the other participating producers, multiple producers could inadvertently use an allocation from the same range, causing IP collisions and routing issues.

If you plan to use CVS or CVS-Performance volumes from on-premises networks through a VPN or Cloud Interconnect, choose a CIDR range that doesn't overlap with the CIDR ranges used in your on-premises network. Failing to take this precaution can result in IP address collisions and routing issues.

  1. Create an allocated IP address range within your VPC network for the Cloud Volumes Service mount points.

    You can't modify the IP address range after you establish it and allocate it to a volume, so we recommend allocating a range that is large enough to accommodate future usage.

    • The CVS-Performance service type needs a minimum CIDR block of /28 (16 addresses). Some addresses in the block are used for CVS internal needs, leaving 11 addresses for your volumes from a /28 block. Larger blocks support additional region and project pairs. For example, a /24 block supports up to 16 combinations of region and consumer service project pairs.

    • The CVS service type (Standard-SW) needs a minimum CIDR block of /25 (128 addresses). This supports up to the maximum 100 volumes for each project (for each zone or region, depending on the service level). A larger block can support more region and project pairs. Cross-region access isn't supported.

    • Shared VPC is supported for both service types. Each service project in an additional region uses a CIDR block of /28 (CVS-Performance service type) or /25 (CVS service type) from the VPC range.

    CIDR range   Region and project pairs supported   Example region:project pairs
    /28          1                                    Region1:Project1
    /27          2                                    Region1:Project1, Region2:Project1
    /26          4                                    Region1:Project1, Region2:Project1, Region3:Project1,
                                                      Region1:Project2
    /25          8                                    Region1:Project1, Region2:Project1, Region1:Project2,
                                                      Region2:Project2, Region1:Project3, Region2:Project3,
                                                      Region1:Project4, Region2:Project4
    /24          16                                   Region1:Project1, Region1:Project2, Region1:Project3,
                                                      Region1:Project4, Region2:Project1, Region2:Project2,
                                                      Region2:Project3, Region2:Project4, Region3:Project1,
                                                      Region3:Project2, Region3:Project3, Region3:Project4,
                                                      Region4:Project1, Region4:Project2, Region4:Project3,
                                                      Region4:Project4

    The following example for the CVS service type assumes that a VPC network already exists in the project:

    gcloud \
        --project=my-cvs-prj compute addresses create netapp-addresses-production-vpc1 \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=25 \
        --network=production-vpc1 \
        --no-user-output-enabled
    

    The following example for the CVS-Performance service type assumes that a VPC network already exists in the project:

    gcloud \
        --project=my-cvs-prj compute addresses create netapp-addresses-production-vpc2 \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=24 \
        --network=production-vpc2 \
        --no-user-output-enabled
    
  2. Create a private service connection to the Cloud Volumes Service endpoint.

    CVS service type example:

    gcloud \
        --project=my-cvs-prj services vpc-peerings connect \
        --service=cloudvolumesgcp-sds-api-network.netapp.com \
        --ranges=netapp-addresses-production-vpc1 \
        --network=production-vpc1
    

    CVS-Performance service type example:

    gcloud \
        --project=my-cvs-prj services vpc-peerings connect \
        --service=cloudvolumesgcp-api-network.netapp.com \
        --ranges=netapp-addresses-production-vpc2 \
        --network=production-vpc2
    
  3. Enable custom route propagation:

    CVS service type example:

    gcloud \
        --project=my-cvs-prj compute networks peerings update netapp-sds-nw-customer-peer \
        --network=production-vpc1 \
        --import-custom-routes \
        --export-custom-routes
    

    CVS-Performance service type example:

    gcloud \
        --project=my-cvs-prj compute networks peerings update netapp-cv-nw-customer-peer \
        --network=production-vpc2 \
        --import-custom-routes \
        --export-custom-routes
    
  4. Check that the connection is established:

    CVS service type example:

    gcloud \
        --project=my-cvs-prj services vpc-peerings list \
        --network=production-vpc1
    

    CVS-Performance service type example:

    gcloud \
        --project=my-cvs-prj services vpc-peerings list \
        --network=production-vpc2
    
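Before running Step 1, it is worth checking the candidate range against the rules stated above: it must be an RFC 1918 range, it must be large enough for the number of region and project pairs you expect (one /28 per pair for CVS-Performance, one /25 per pair for CVS), and it must not overlap your on-premises ranges or the allocations you hand to other producers. The following Python script is an added example, not code from the Google Cloud or NetApp documentation; the function names, the `PAIR_PREFIX` table (derived from the per-pair sizes given above) and the sample on-premises and other-producer ranges are all constructed for illustration.

```python
"""Sanity-check a private services access allocation for Cloud Volumes Service.

Added example (not from the documentation). It applies the sizing and
overlap rules described on this page to a candidate range before you run
`gcloud compute addresses create --purpose=VPC_PEERING`.
"""
import ipaddress
import math

# Block consumed by each region/project pair, per the page: /28 for
# CVS-Performance, /25 for CVS (Standard-SW).
PAIR_PREFIX = {"CVS-Performance": 28, "CVS": 25}

# Only RFC 1918 ranges can be peered with the standard procedure.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def required_prefix_length(service_type: str, pairs: int) -> int:
    """Return the largest prefix length (smallest block) that still fits
    `pairs` region/project pairs for the given service type.

    Each doubling of the pair count needs one more bit of address space,
    so /28 -> 1 pair, /27 -> 2, /26 -> 4, /25 -> 8, /24 -> 16 for
    CVS-Performance, matching the table above.
    """
    if pairs < 1:
        raise ValueError("need at least one region/project pair")
    return PAIR_PREFIX[service_type] - math.ceil(math.log2(pairs))


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True if the whole network lies inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def check_allocation(cidr, service_type, pairs,
                     on_prem_ranges=(), other_producer_ranges=()):
    """Return a list of problems with the candidate range; empty means OK.

    Checks, in order: the CIDR is well formed (no host bits set), it is an
    RFC 1918 range, it is large enough for `pairs`, and it overlaps neither
    the on-premises ranges nor ranges allocated to other producers.
    """
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{cidr}: not a valid network CIDR ({exc})"]

    if net.version != 4 or not is_rfc1918(net):
        problems.append(
            f"{net} is not an RFC 1918 range; the standard peering steps "
            f"require one (non-RFC 1918 ranges need the separate "
            f"CVS-Performance procedure)")

    need = required_prefix_length(service_type, pairs)
    if net.prefixlen > need:
        problems.append(
            f"{net} is too small for {pairs} {service_type} pair(s); "
            f"use /{need} or a larger block")

    # Overlap with on-prem or other-producer ranges causes IP collisions
    # and routing issues, because Google Cloud does not check dynamic
    # route allocations across producers.
    for label, ranges in (("on-premises", on_prem_ranges),
                          ("other producer", other_producer_ranges)):
        for r in ranges:
            other = ipaddress.ip_network(r, strict=False)
            if net.version == other.version and net.overlaps(other):
                problems.append(
                    f"{net} overlaps {label} range {other}; choose a "
                    f"non-overlapping range")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: two on-premises ranges reachable over
    # VPN/Interconnect and one range already allocated to another producer.
    on_prem = ["10.10.0.0/16", "192.168.100.0/24"]
    other_producers = ["10.20.0.0/24"]

    candidates = [
        ("10.30.0.0/24", "CVS-Performance", 16),  # passes
        ("10.10.5.0/25", "CVS", 1),               # overlaps on-prem 10.10/16
        ("10.30.0.0/28", "CVS-Performance", 4),   # too small for 4 pairs
        ("100.64.0.0/24", "CVS-Performance", 1),  # not RFC 1918
    ]
    for cidr, svc, pairs in candidates:
        issues = check_allocation(cidr, svc, pairs, on_prem, other_producers)
        status = "OK" if not issues else "; ".join(issues)
        print(f"{cidr} ({svc}, {pairs} pair(s)): {status}")
```

Run it with the ranges you actually plan to use; any non-empty result is a reason to pick a different block before Step 1, because the allocated range can't be modified once a volume uses it.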

Using non-RFC 1918 IP addresses

You can bring non-RFC 1918 IP addresses (non-private addresses) into the NetApp network for the CVS-Performance service type. You can create a new subnet with a new VPC network or add a new subnet to an existing VPC network.

Create a new subnet with a new VPC network

  1. Create a new VPC network and a new subnet with the non-RFC 1918 IP address range.
  2. In Cloud Volumes Service, create a volume in the new VPC network. Select the newly created VPC network name in which the volume will be accessible.
  3. To set up a peer network to create the volume, click the "View commands how to set up network peering" button, and run the given commands.
  4. Enable the peer on your platform to accept incoming and outgoing public routes:

    gcloud \
        --project=cloud-heroes compute networks peerings update netapp-cv-nw-customer-peer \
        --network=nonrfcdemovpc \
        --import-subnet-routes-with-public-ip \
        --export-subnet-routes-with-public-ip
    
  5. Set the export policy in the volume details with the VM instance's IP address range.

    You can then export the volume to the VM and run your workloads on the volume.

Add a new subnet in an existing VPC network

  1. Create a new subnet with the non-RFC 1918 IP address range in an existing VPC network.
  2. Create a support case with NetApp to enable the non-RFC 1918 IP address range.

Accessing Cloud Volumes from different regions or external networks

Your project can access a volume of the CVS or CVS-Performance service type from any zone within the region in which the volume is provisioned. Furthermore, if your VPC has global dynamic routing enabled, your project can access a CVS-Performance volume from any other Google Cloud region.

The routes to CVS or CVS-Performance volumes will only be announced within the VPC. If you want to access the service from an external network, like an on-premises network via VPN or Cloud Interconnect, you need to configure a static route on the on-premises router to the CIDR range that you selected in Step 1 above.

What's next