This page discusses network configuration and IP resource requirements for Filestore.
Connectivity support
Filestore connects to your VPC network using either VPC Network Peering or private services access. The following chart shows which connection method supports which scenarios:
Scenario | VPC Network Peering | Private services access |
---|---|---|
Create an instance with a standalone VPC network. | ✓ | ✓ |
Create an instance on a Shared VPC network from the host project. | ✓ | ✓ |
Create an instance on a Shared VPC network from a service project. | ✓ | |
Use centralized IP range management for multiple Google services. | ✓ | |
Access an instance from on-premises networks using Cloud VPN or Cloud Interconnect. | ✓ | ✓ |
Filestore supports the following connectivity scenarios:
- Almost any Compute Engine VM or GKE cluster can access any Filestore instance that's on the same VPC network. All internal IP addresses in the selected VPC network can connect to the Filestore instance unless access is restricted using IP-based access control.
  - Clients with an IP address in the 172.17.0.0/16 range can't connect to Filestore instances. For more information, see Known issues.
- You can connect Filestore instances to clients in remote networks using Cloud VPN or Cloud Interconnect, including clients from another project or your on-premises clients.
- You can connect non-RFC 1918 clients to Filestore. In this case, you must explicitly grant them access to the Filestore instance using IP-based access control.
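The reachability rules in the list above can be checked against a client inventory before you mount anything. The following is an added example, not code from the Filestore documentation: the function name and verdict strings are hypothetical, the sample addresses are constructed, and it assumes that a configured IP-based access control list admits only the ranges it names.

```python
import ipaddress

# Range the page lists as unable to connect to Filestore instances.
UNREACHABLE = ipaddress.ip_network("172.17.0.0/16")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_client(ip, allowed_ranges=None):
    """Return a verdict for one client IP (hypothetical helper).

    allowed_ranges: CIDRs granted through IP-based access control,
    or None when no access control is configured on the instance.
    """
    addr = ipaddress.ip_address(ip)
    # The 172.17.0.0/16 limitation applies regardless of any grant.
    if addr in UNREACHABLE:
        return "unreachable"
    granted = any(addr in ipaddress.ip_network(r)
                  for r in (allowed_ranges or []))
    if not any(addr in net for net in RFC1918):
        # Non-RFC 1918 clients always need an explicit grant.
        return "allowed" if granted else "needs-explicit-grant"
    if allowed_ranges is None:
        # Default: every internal IP on the VPC network can connect.
        return "allowed"
    # Assumption: once a list exists, unlisted ranges are restricted.
    return "allowed" if granted else "restricted"


def audit(clients, allowed_ranges=None):
    """Map each client IP to its verdict."""
    return {ip: classify_client(ip, allowed_ranges) for ip in clients}


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = ["10.128.0.5", "172.17.3.9", "172.16.4.2", "203.0.113.7"]
    for ip, verdict in audit(sample).items():
        print(f"{ip:15} {verdict}")
    print(audit(sample, ["203.0.113.0/24"]))
```

A result of "allowed" with no access control configured is the case to review: it means any internal address on the VPC network can reach the instance.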
Filestore doesn't support transitive peering. For example, if VPC network N1 is peered to Filestore's internal network, and another VPC network, N2, is peered to N1, N2 won't have connectivity to the Filestore instance. Only clients on N1 can access the Filestore instance.
Firewall rules
You may need to create firewall rules in the following scenarios:
- To enable NFS file locking, you may need to open up the ports used by the statd and nlockmgr daemons. For more information, see Configuring firewall rules.
- In the Shared VPC scenario, NFS access is not restricted to the service project by default. You can set firewall rules or use IP-based access control to restrict access, but these solutions don't specifically enforce project boundaries.
Legacy network support
You can't use a legacy network with Filestore instances. If necessary, create a new VPC network to use by following the instructions at Creating a new VPC network with custom subnets.
IP resource requirements
Each Filestore instance must have an IP address range associated with it. Both RFC 1918 and non-RFC 1918 IP address ranges (GA) are supported.
Users are encouraged to let Filestore automatically determine a free IP address range and assign it to the instance. If selecting your own range, see Configuring a reserved IP address range for specific Filestore requirements.
What's next
- Acquire the Identity and Access Management roles and permissions needed to use Filestore.
- Try one of the Filestore quickstarts:
  - Using the Google Cloud console
  - Using the Google Cloud CLI
- Learn more about Virtual Private Cloud (VPC) networks and subnets.
- Troubleshoot common Filestore networking issues.
- Create a Filestore instance on a Shared VPC network in service projects.