Configuring Firewall Rules

In some circumstances, you might have to configure firewall rules to enable NFS file locking.

If you are using the default VPC network that comes with your Google Cloud Platform (GCP) project, and you haven't changed or added any firewall rules for that network, then you don't need to create any firewall rules.

If both of the following conditions are true, then you need to create a firewall ingress rule to enable traffic from Cloud Filestore instances to your clients:

  • You are using NFS file locking in the applications accessing the Cloud Filestore instance.
  • The VPC network you are using has firewall rules that block TCP port 111 or the ports used by the statd or nlockmgr daemons. To determine what ports the statd and nlockmgr daemons use on the client, check current port settings.

    If the statd and nlockmgr ports aren't set, and you think you might need to configure firewall rules at any point, we strongly recommend setting those ports consistently on all client VM instances. For more information, see Setting NFS ports.

If the VPC network you are using has a firewall egress rule that blocks traffic to TCP ports 111, 2046, 2049, 2050, or 4045, and targets the IP address ranges used by your Cloud Filestore instances, then you also need to create a firewall egress rule to enable traffic from your clients to your Cloud Filestore instances.

You can get the reserved IP address range for any Cloud Filestore instance from the Cloud Filestore instances page or by running gcloud beta filestore instances describe. For more information, see Get information about a specific instance.

For more information about VPC network firewall rules, see Using Firewall Rules.

Creating a firewall ingress rule

Use the following procedure to create a firewall rule to enable traffic from Cloud Filestore instances.

  1. Check current port settings to determine what ports the statd and nlockmgr daemons use on the client. Note them down; you will use them in step 13.
  2. Go to the Firewall rules page in the Google Cloud Platform Console.
  3. Click Create firewall rule.
  4. Enter a Name for the firewall rule. This name must be unique for the project.
  5. Specify the Network in which you want to implement the firewall rule.
  6. Specify the Priority of the rule.

    If this rule will not conflict with any other rules, you can leave the default of 1000. If there is another ingress rule that targets the same IP address range, protocols, and ports, and also has a value of Deny for the Action on match field, then set the priority of the new ingress rule to a lower value than that of the existing ingress rule (GCP evaluates lower values first), so that GCP will apply it.

  7. Choose Ingress for Direction of traffic.

  8. Choose Allow for Action on match.
  9. For Targets, take one of the following actions:

    • If you want to allow traffic to all clients in the network from Cloud Filestore instances, choose All instances in the network.
    • If you want to allow traffic to specific clients from Cloud Filestore instances, choose Specified target tags. Type the instance names of the clients in Target tags.
  10. Leave the default value of IP ranges for Source filter.

  11. For Source IP ranges, type the IP address ranges of the Cloud Filestore instances you want to allow access from. You can enter the internal IP address ranges that you are using with your Cloud Filestore instances to enable all Cloud Filestore traffic, or you can enter the IP addresses of specific Cloud Filestore instances. You must use CIDR notation.
  12. Leave the default value of None for Second source filter.
  13. For Protocols and ports, choose Specified protocols and ports, and type tcp:111,[STATD_PORT],[NLOCKMGR_PORT] in the associated field, where:

    • [STATD_PORT] is the port used by the statd daemon on the client.
    • [NLOCKMGR_PORT] is the port used by the nlockmgr daemon on the client.

    For example, tcp:111,2046,4045.

  14. Choose Create.

Creating a firewall egress rule

Use the following procedure to create a firewall rule to enable traffic to Cloud Filestore instances.

  1. Go to the Firewall rules page in the Google Cloud Platform Console.
  2. Click Create firewall rule.
  3. Enter a Name for the firewall rule. This name must be unique for the project.
  4. Specify the Network in which you want to implement the firewall rule.
  5. Specify the Priority of the rule.

    If this rule will not conflict with any other rules, you can leave the default of 1000. If there is another egress rule that targets the same IP address range, protocols, and ports, and also has a value of Deny for the Action on match field, then set the priority of the new egress rule to a lower value than that of the existing egress rule (GCP evaluates lower values first), so that GCP will apply it.

  6. Choose Egress for Direction of traffic.

  7. Choose Allow for Action on match.
  8. For Targets, take one of the following actions:

    • If you want to allow traffic from all clients in the network to Cloud Filestore instances, choose All instances in the network.
    • If you want to allow traffic from specific clients to Cloud Filestore instances, choose Specified target tags. Type the instance names of the clients in Target tags.
  9. For Destination IP ranges, type the IP address ranges of the Cloud Filestore instances you want to allow access to. You can enter the internal IP address ranges that you are using with your Cloud Filestore instances to enable traffic to all Cloud Filestore instances, or you can enter the IP addresses of specific Cloud Filestore instances. You must use CIDR notation.

  10. For Protocols and ports, choose Specified protocols and ports, and type tcp:111,2046,2049,2050,4045 in the associated field.
  11. Choose Create.
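As an added example that is not part of the Cloud Filestore documentation, the following shell script reads the statd and nlockmgr ports from rpcinfo output (step 1 of the ingress procedure) and builds the gcloud equivalents of the ingress rule and the egress rule created in the two procedures above. The rule names, the network name default and the Filestore range 10.0.0.0/29 are placeholders, and the rpcinfo text is a constructed sample rather than output from a real client.

```shell
#!/bin/sh
# Added example, not code from the Cloud Filestore documentation: derive the
# statd and nlockmgr ports from `rpcinfo -p` output on a client, then build the
# gcloud commands equivalent to the ingress and egress rules described above.
# Assumptions: the rule names, the network "default" and the Filestore range
# 10.0.0.0/29 are placeholders; the rpcinfo text is a constructed sample.

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   tcp   2046  status
    100021    4   tcp   4045  nlockmgr
    100003    4   tcp   2049  nfs'

# Print the TCP port registered for an RPC service ("status" is rpc.statd).
# Prints nothing if the service is not registered, so callers can detect that.
rpc_tcp_port() {
  printf '%s\n' "$1" | awk -v svc="$2" '$3 == "tcp" && $5 == svc { print $4; exit }'
}

# Ingress rule: Filestore instances -> clients on tcp:111,<statd>,<nlockmgr>.
# $1 network, $2 Filestore CIDR (source), $3 statd port, $4 nlockmgr port.
# Fails if either port is unset: pin the ports first (see Setting NFS ports).
ingress_rule_cmd() {
  [ -n "$3" ] && [ -n "$4" ] || { echo "statd/nlockmgr ports not set" >&2; return 1; }
  printf 'gcloud compute firewall-rules create allow-filestore-lock-ingress --network=%s --direction=INGRESS --action=ALLOW --priority=1000 --source-ranges=%s --rules=tcp:111,%s,%s\n' "$1" "$2" "$3" "$4"
}

# Egress rule: clients -> Filestore instances on the fixed NFS ports.
# $1 network, $2 Filestore CIDR (destination).
egress_rule_cmd() {
  printf 'gcloud compute firewall-rules create allow-filestore-egress --network=%s --direction=EGRESS --action=ALLOW --priority=1000 --destination-ranges=%s --rules=tcp:111,2046,2049,2050,4045\n' "$1" "$2"
}

# Usage: print both commands; review them before piping the output into sh.
STATD_PORT=$(rpc_tcp_port "$SAMPLE_RPCINFO" status)
NLM_PORT=$(rpc_tcp_port "$SAMPLE_RPCINFO" nlockmgr)
ingress_rule_cmd default 10.0.0.0/29 "$STATD_PORT" "$NLM_PORT"
egress_rule_cmd default 10.0.0.0/29
```

On a real client, replace SAMPLE_RPCINFO with `rpcinfo -p` output, and add `--target-tags=` to either command if you scoped the rule to specific clients rather than all instances in the network.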