Networking

This page details the networking and IP resource requirements for using Filestore.

Connectivity support

Filestore connects to your VPC network using either VPC Network Peering or private services access (Preview). The following chart shows which connection method supports which scenarios:

SCENARIO PEERING METHOD
Create an instance with a standalone VPC network. VPC Network Peering or private services access
Create an instance on a Shared VPC network from the host project. VPC Network Peering or private services access
Create an instance on a Shared VPC network from a service project. Private services access
Use centralized IP range management for multiple Google services. Private services access
Access an instance from on-premises networks using Cloud VPN or Cloud Interconnect. VPC Network Peering or private services access

Filestore supports the following connectivity scenarios:

  • Any Compute Engine VM or GKE cluster can access any Filestore instance that's on the same VPC network1. All internal IP addresses in the selected VPC network can connect to the Filestore instance unless access is restricted using IP-based access control.
  • You can connect Filestore instances to clients in remote networks using Cloud VPN or Cloud Interconnect, including clients from another project or your on-premises clients.
  • Filestore doesn't support transitive peering. Clients on a VPC network that's peered to the one that the Filestore instance is created on are not able to access the instance. For example, if network N1 and Filestore's internal network are both peered to network N2, clients on N2 can access the Filestore instance but clients on N1 cannot.

Firewall rules

You may need to create firewall rules in the following scenarios:

  • To enable NFS file locking, you may need to open up the ports used by the statd and nlockmgr daemons. For more information, see Configuring firewall rules.
  • In the Shared VPC scenario, NFS access is not restricted to the service project by default. You can set firewall rules or use IP-based access control to restrict access, but these solutions do not specifically enforce project boundaries.

Legacy network support

You can't use a legacy network with Filestore instances. If necessary, create a new VPC network to use by following the instructions at Creating a new VPC network with custom subnets.

IP resource requirements

Filestore has the following IP resource requirements:

  • Each Filestore instance must have an IP address range associated with it.
  • The IP address range must be from within the internal IP address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). Basic tier instances require a block size of 29, and Enterprise and High Scale tier instances require a block size of 24. Example: 10.0.3.0/29, 172.31.0.0/24.
  • You can assign the IP address range when needed. The IP address range that you assign must not overlap with:
    • Existing subnets in the VPC network that the Filestore instance uses.
    • Existing subnets in a VPC network that's peered with the one that the Filestore instance uses. For details, see Overlapping subnets at time of peering.
    • IP address ranges assigned to any other existing Filestore instances in that network.
  • We recommend letting Filestore automatically pick an available IP range to use from within the internal IP address ranges.
  • Number of VPC Network Peerings or private services access connections required: 1 peering per VPC.

What's next


  1. Clients with an IP address from the 172.17.0.0/16 range can't connect to Basic tier Filestore instances. See Known issues