Network configuration and IP resource requirements

This page discusses network configuration and IP resource requirements for Filestore.

Connectivity support

Filestore connects to your VPC network using either VPC Network Peering or private services access. The following chart shows which connection method supports which scenarios:

SCENARIO VPC Network Peering Private services access
Create an instance with a standalone VPC network.
Create an instance on a Shared VPC network from the host project.
Create an instance on a Shared VPC network from a service project.
Use centralized IP range management for multiple Google services.
Access an instance from on-premises networks using Cloud VPN or Cloud Interconnect.

Filestore supports the following connectivity scenarios:

  • Most any Compute Engine VM or GKE cluster can access any Filestore instance that's on the same VPC network. All internal IP addresses in the selected VPC network can connect to the Filestore instance unless access is restricted using IP-based access control.
    • Clients with an IP address in the 172.17.0.0/16 range can't connect to Filestore instances. For more information, see Known issues.
  • You can connect Filestore instances to clients in remote networks using Cloud VPN or Cloud Interconnect, including clients from another project or your on-premises clients.
  • You can connect non-RFC 1918 clients to Filestore. In this case, you must explicitly grant them access to the Filestore instance using IP-based access control.

Filestore doesn't support transitive peering. For example, if VPC network N1 is peered to Filestore's internal network, and another VPC network, N2, is peered to N1, N2 won't have connectivity to the Filestore instance. Only clients on N1 can access the Filestore instance.

Firewall rules

You may need to create firewall rules in the following scenarios:

  • To enable NFS file locking, you may need to open up the ports used by the statd and nlockmgr daemons. For more information, see Configuring firewall rules.
  • In the Shared VPC scenario, NFS access is not restricted to the service project by default. You can set firewall rules or use IP-based access control to restrict access, but these solutions don't specifically enforce project boundaries.

Legacy network support

You can't use a legacy network with Filestore instances. If necessary, create a new VPC network to use by following the instructions at Creating a new VPC network with custom subnets.

IP resource requirements

Each Filestore instance must have an IP address range associated with it. Both RFC 1918 and non-RFC 1918 IP address ranges (GA) are supported.

Users are encouraged to let Filestore automatically determine a free IP address range and assign it to the instance. If selecting your own range, see Configuring a reserved IP address range for specific Filestore requirements.

What's next