Creating instances

This page shows you how to create a Filestore instance by using either the Cloud Console or the gcloud tool.

Instructions for creating an instance

Cloud Console

You can create a Filestore instance using the Cloud Console by performing the following steps. Enterprise and High Scale SSD quota starts at 0 and you must first make and be approved for a quota increase request before you can create an Enterprise or High Scale SSD instance.

  1. In the Cloud Console, go to the Filestore instances page.

    Go to the Filestore instances page

  2. Click Create Instance

  3. Enter all required fields and optional fields as needed based on the instructions in the following sections of this page.

  4. Click Create.

gcloud

Before you begin

To use the gcloud tool, you must either install the Cloud SDK or use the Cloud Shell that's built into the Cloud Console:

Go to the Cloud Console

gcloud command for creating a Filestore instance

You can create a Filestore instance by running the filestore instances create command. If you want to create an Enterprise or High Scale SSD instance, you must run gcloud beta filestore instances create. Also, Enterprise and High Scale SSD quota starts at 0. You must make a quota increase request and the request must be approved before you can create an Enterprise or High Scale tier instance.

gcloud [beta] filestore instances create instance-id \
    [--project=project-id] \
    [--location=location] \
    --tier=tier \
    --file-share=name="file-share-name",capacity=file-share-size \
    --network=name="vpc-network",[connect-mode=connect-mode],[reserved-ip-range="reserved-ip-address"]
    [--labels=key=value,[key=value,…]]
    [--kms-key=kms-key]

Replace the following:

  • instance-id with the instance ID of the Filestore instance that you want to create. See Naming your instance.
  • project-id with the project ID of the Cloud project that contains the Filestore instance. You can skip this flag if the Filestore instance is in the gcloud default project. You can set the default project by running:

     gcloud config set project project-id
    
  • location with the location where you want the Filestore instance to reside. See Selecting a location. You can skip this flag if the Filestore instance is in the gcloud default location. You can set the default location by running:

     gcloud config set filestore/zone zone
    

    or for Enterprise tier:

     gcloud config set filestore/region region
    
  • tier with the instance tier you want to use. See Selecting a service tier. If you are not specifying beta in the command, then you must use STANDARD for BASIC_HDD and PREMIUM for BASIC_SSD.

  • file-share-name with the name you specify for the NFS file share that is served from the instance. See Naming the file share.

  • file-share-size with the size you want for the file share. See Allocating capacity.

  • vpc-network with the name of the VPC network you want the instance to use. See Selecting the VPC network. If you want to specify a Shared VPC from a service project, you must specify the fully qualified network name, which is in the format projects/HOST_PROJECT_ID/global/networks/SHARED_VPC_NAME and you must specify connect-mode=PRIVATE_SERVICE_ACCESS. For example:

    --network=name=projects/host/global/networks/shared-vpc-1,connect-mode=PRIVATE_SERVICE_ACCESS
    

    You can't specify a legacy network for the vpc-network value. If necessary, create a new VPC network to use by following the instructions at Creating a new auto mode VPC network.

  • connect-mode (Preview) with DIRECT_PEERING or PRIVATE_SERVICE_ACCESS. If you are specifying a Shared VPC as the network, you must also specify PRIVATE_SERVICE_ACCESS as the connect mode.

  • reserved-ip-address with the IP address range for the Filestore instance. If you are specifying connect-mode=PRIVATE_SERVICE_ACCESS (Preview), and want to use a reserved IP address range, you must specify the name of an allocated address range instead of a CIDR range. See Configuring a reserved IP address. We recommend that you skip this flag to allow Filestore to automatically find a free IP address range and assign it to the instance.

  • key with a label that you want to add. Adding labels is not required when creating a Filestore instance. You can also add, delete, or update labels after you create an instance. For details, see Managing labels.

  • value with the value for a label.

  • kms-key is the fully qualified name of the Cloud KMS encryption key that you want to use when you want to manage your own data encryption. The format looks like:

    projects/KMS_PROJECT_ID/locations/REGION/keyRings/KEY_RING/cryptoKeys/KEY
    

Example

The following command creates an instance with the following characteristics:

  • ID is render1.
  • Project is myproject.
  • Zone is us-central1-c.
  • Tier is BASIC_HDD.
  • File share name is NFSvol.
  • File share size is 2 TiB.
  • VPC network is default.
  • Reserved IP address range is 10.0.7.0/29.
  • Grants read and write access with root squashed to the client with IP address 10.0.2.0.
gcloud beta filestore instances create render1 \
  --project=myproject \
  --zone=us-central1-c \
  --tier=BASIC_HDD \
  --network=name="default",reserved-ip-range="10.0.7.0/29"
  --flags-file=nfs-export-options.json

nfs-export-options.json file contents:

 {
"--file-share":
  {
    "capacity": "102400",
    "name": "my_vol",
    "nfs-export-options": [
      {
        "access-mode": "READ_WRITE",
        "ip-ranges": [
          "10.0.0.0/29",
          "10.2.0.0/29"
        ],
        "squash-mode": "ROOT_SQUASH",
        "anon_uid": 1003,
        "anon_gid": 1003
      },
      {
        "access-mode": "READ_ONLY",
        "ip-ranges": [
          "192.168.0.0/24"
        ],
        "squash-mode": "NO_ROOT_SQUASH"
      }
    ]
  }
}

Naming your instance

The name of your Filestore instance, or instance ID, is used to identify the instance and is used in gcloud commands. Instance IDs must comply with the <label> element of RFC 1035. Specifically, they must:

  • Be between 1-63 characters long.
  • Begin with a lowercase letter.
  • Consist of dashes, lowercase letters, or digits.
  • End with lowercase letters or digits.

The instance ID must be unique in the Cloud project and zone where it's located. Once an instance is created, its instance ID cannot be changed.

Selecting a service tier

The service tier of a Filestore instance is a combination of its Instance type and Storage type. Once an instance is created, its service tier cannot be changed.

Instance type

Select the instance type that best matches your needs. The following table highlights the differences between Basic, High Scale, and Enterprise instance types:

Feature Basic High Scale Enterprise
Capacity 1–63.9 TiB 10–100 TiB 1–10 TiB
Scalability 1-GiB increments or its multiples. 2.5-TiB increments/decrements or its multiples. 256-GiB increments/decrements or its multiples.
Performance
  • Basic HDD: Static.
  • Basic SSD: Performance step at 10 TiB.
Scales linearly with capacity. Scales linearly with capacity.

High Scale SSD and Enterprise tier instances take anywhere between 15 minutes and one hour to create, depending on the instance size.

Filestore quota is consumed when instance creation starts but you are not billed for the instance during this time.

For more information about service tiers, see the Service tiers page.

Storage type

For the Basic tiers, select HDD or SSD based on your performance needs. We recommend using SSD for performance-critical workloads. HDD is not available for High Scale or Enterprise instances. The following table highlights the performance difference between Basic HDD, Basic SSD, High Scale SSD, and Enterprise tier instances. The performance of High Scale SSD tier instances automatically scales with the capacity of the instance.

Specification Basic HDD Basic SSD High Scale SSD Enterprise
Read IOPS
  • 1–10 TiB capacity: 600
  •  10+ TiB capacity: 1,000
60,000 90,000–480,000 12,000–120,000
Write IOPS
  • 1–10 TiB capacity: 1,000
  • 10+ TiB capacity: 5,000
25,000 30,000–160,000 4,000–40,000
Read Throughput (MB/s)
  • 1–10 TiB capacity: 100
  • 10+ TiB capacity: 180
1,200 3,000–16,000 120–1,200
Write Throughput (MB/s)
  • 1–10 TiB capacity: 100
  • 10+ TiB capacity: 120
350 660–3,520 100–1,000

For more information about performance, see the Performance page.

Allocating capacity

Allocate capacity to the amount you need when you create the instance. As you approach your capacity limit, you can scale up the capacity as needed without affecting runtime. To learn about how you can monitor the capacity of your instances, see Monitoring instances.

In the gcloud tool, you can specify the capacity in whole numbers using either GiB or TiB. The default unit is GiB.

The following table shows the instance sizes available for each tier:

Tier Minimum size Maximum size Minimum step size
Basic HDD 1 TiB 63.9 TiB 1 GiB
Basic SSD 2.5 TiB 63.9 TiB 1 GiB
High Scale SSD 10 TiB 100 TiB 2.5 TiB
Enterprise 1 TiB 10 TiB 256 GiB

The size of instances can be any whole gibibyte value or its tebibyte equivalent that's between the minimum and maximum instance size and is divisible by its minimum step size. For example, valid High Scale SSD instances sizes include 10 TiB, 12.5 TiB, and 15 TiB.

Once created, the size of Basic tier instances only can be scaled up, while the size of Enterprise and High Scale tier instances can be scaled up or down. For more information, see Scaling capacity.

Total capacity quota

Every project is allocated separate capacity quotas for Basic, Enterprise, and High Scale instances for each region. Once you have reached your quota limit, you are not able to create more Filestore instances or increase the capacity of your existing instances. To see your available quota, go to the Quotas page in the Cloud Console:

Go to the Quotas page

For information on requesting more quota, see Requesting quota increases.

Naming the file share

A file share is the directory on a Filestore instance where all shared files are stored. It is also the thing that you mount or map to on the client VM.

The name of the file share must comply with the following:

  • Be between 1–32 characters long for High Scale SSD and Enterprise tiers, and 1–16 characters long for Basic HDD and Basic SSD tiers.
  • Begin with a letter.
  • Consist of uppercase or lowercase letters, numbers, and underscores.
  • End with a letter or number.

Selecting the VPC network

This network can be either a standard VPC network or a Shared VPC network. Clients must be on the same network as the Filestore instance to access the files stored on that instance. Once an instance is created, this network selection cannot be changed.

Shared VPC network

Before you can create an instance on a Shared VPC network in a service project, the network administrator must first enable private services access for the Shared VPC network. If you are creating the instance in the host project, private services access is not required.

Shared VPC networks are displayed in the Cloud Console in the format:

projects/HOST_PROJECT_ID/global/networks/SHARED_VPC_NAME

For detailed procedures, see Creating an instance on a Shared VPC network.

NFS file locking

If the applications you plan to use with this Filestore instance require NFS file locking, and you are choosing either:

  • A VPC network other than the default network.
  • The default VPC network with changed firewall rules.

then you may need to open up the ports used by Filestore in the network you choose. For more information, see Configuring firewall rules.

Selecting a location

Location refers to the Region and Zone where the Filestore instance is located. For the best performance and to avoid cross-regional networking charges, ensure that the Filestore instance is located in the same region as the Compute Engine VMs that need to access them.

For more information about regions and zones, see Geography and regions.

Configuring IP-based access control

By default, a Filestore instance grants root level read and write access to all clients, including Compute Engine VMs and GKE clusters, that share the same Cloud project and VPC network. If you want to restrict access, you can do so by creating rules that grant specific access levels to clients based on their IP address. Once the rules are added, all IP addresses and ranges that are not specified in a rule are revoked access.

The following table describes the privileges of each access level. These access levels are only used in the Cloud Console. In the gcloud tool and the API, you must specify the rule configurations directly.

Access level Rule configuration Description
admin
  • read-write
  • no-root-squash
The client can view and modify all files, folders, and metadata as a root user. It can also grant ownership to files or folders by setting its uid and gid, and in doing so, grant access to clients that do not have root level access to the file share.
admin-viewer
  • read-only
  • no-root-squash
The client can view all files, folders, and metadata as a root user but cannot modify them.
editor
  • read-write
  • root-squash
The client can view and modify the files, folders, and metadata according to its assigned uid and gid.
viewer
  • read-only
  • root-squash
The client can view the files, folders, and metadata according to its assigned uid and gid.

root-squash maps all requests from uid 0 and gid 0 to anon_uid and anon_gid, respectively. This configuration removes root level access from clients that attempt to access the file share as a root user.

When creating IP-based access rules, you must specify an internal IP address or range and the access level granted. When creating an instance, at least one rule must grant admin access. This rule can be removed once the instance is created. In the Cloud Console, you can create up to 10 different rules involving up to 64 different IP addresses or ranges.

In the gcloud tool, you can configure up to 64 different IP addresses or CIDR blocks per Filestore instance across a maximum of 10 different rules. A rule is defined as the combination of the access-mode, squash-mode, and anon_uid/anon_gid configurations. The anon_uid and anon_gid fields have default values of 65534 and can only be configured through the API and the gcloud tool.

Example

Here's an example of three different IP-based access rules:

  • access-mode=READ_ONLY, squash-mode=ROOT_SQUASH, anon_uid=10000.
  • access-mode=READ_WRITE, squash-mode=ROOT_SQUASH, anon_gid=150.
  • access-mode=READ_WRITE, squash-mode=NO_ROOT_SQUASH.

To create IP-based access control rules using the gcloud tool, use the --flag-file flag with the instances create or instances update commands and point it to a json configuration file. For example, if the json configuration file is name nfs-export-options.json, the flag would be:

--flag-file=nfs-export-options.json

Example json configuration file:

   {
  "--file-share":
    {
      "capacity": "102400",
      "name": "my_vol",
      "nfs-export-options": [
        {
          "access-mode": "READ_WRITE",
          "ip-ranges": [
            "10.0.0.0/29",
            "10.2.0.0/29"
          ],
          "squash-mode": "ROOT_SQUASH",
          "anon_uid": 1003,
          "anon_gid": 1003
        },
         {
          "access-mode": "READ_ONLY",
          "ip-ranges": [
            "192.168.0.0/24"
          ],
          "squash-mode": "NO_ROOT_SQUASH"
        }
      ]
    }
}
  • ip-ranges is the IP address or range to grant access to. You can specify multiple IP addresses or ranges by separating them with a comma. Example: 10.0.1.0,10.0.2.0,...
  • access-mode is the access level to grant to the clients whose IP address falls within ip-range. It can have the values of READ_WRITE or READ_ONLY. The default value is READ_WRITE.
  • squash-mode can have the values ROOT_SQUASH or NO_ROOT_SQUASH. ROOT_SQUASH removes root level access to the clients whose IP address falls within ip-range, while NO_ROOT_SQUASH enables root access. The default value is NO_ROOT_SQUASH.
  • anon_uid is the user ID value that you want to map to anon_uid. The default value is 65534.
  • anon_gid is the group ID value that you want to map to anon_gid. The default value is 65534.

Optional fields

Adding an instance description

An instance description lets you write descriptions, notes, or simple instructions for yourself and other users. For example, you can include information about:

  • The types of files stored in the instance.
  • Who has access to the instance.
  • Instructions for how to get access to the instance.
  • What the instance is used for.

Instance descriptions are limited to 2048 characters in length. There are no restrictions on the characters that are allowed. Once a Filestore instance is created, you can update its instance description anytime as needed. For information on updating instance descriptions, see Editing instances.

Adding labels

Labels are key-value pairs that you can use to group related instances and store metadata about an instance. You can add, delete, or modify labels anytime. For more information, see Managing labels.

Configuring a reserved IP address range

The IP address range must be a subset of one of the internal IP address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). Basic tier instances require a block size of 29 and Enterprise and High Scale tier instances require a block size of 24. The IP address range you choose must not overlap with:

  • Existing subnets from the selected VPC network.
  • Reserved IP address ranges of existing Filestore instances in the selected VPC network.

You can see the IP address ranges for the subnets of your network by going to the VPC networks page in the Cloud Console:

Go to the VPC networks page

You can get the reserved IP address range for any Filestore instance on the Filestore instances page in the Cloud Console:

Go to the Filestore instances page

Examples of valid Filestore instance IP address ranges are 10.0.0.0/29 for a Basic tier instance and 172.16.1.0/24 for a High Scale tier instance.

If you want to use private services access and specify a reserved IP address range, you must specify the name of an allocated address range for the connection. If you don't specify a range name, Filestore automatically uses any of the allocated ranges associated with the private services access connection.

What's next