This tutorial shows you how to mount a Filestore file share on a remote client, which can be a Compute Engine VM on a different VPC network or a non-Google Cloud VM or terminal.
You cannot access Filestore file shares from the Internet or directly through a VPN. Filestore file shares are designed to be mounted on only Compute Engine VMs. However, it is possible to mount a file share on a remote client by using a Compute Engine VM as a proxy.
To do this, you need to:
- Establish a VPN connection between the network of the remote client and the VPC network of the Filestore instance.
- Configure a Compute Engine VM on the same VPC network to forward NFS packets to the Filestore instance.
- Connect the remote client to the Compute Engine VM to mount the file share of the Filestore instance on the remote client.
This solution has several caveats:
- The proxy VM is a single-point-of-failure. If it goes down, the remote client can no longer access the file share.
- The proxy VM is a performance bottleneck because it forwards all NFS traffic between the remote client and Filestore instance.
- File locking does not work.
- Configure a Compute Engine VM to forward NFS packets from a remote client to a Filestore instance.
- Mount a Filestore file share on a remote client.
This tutorial uses billable components of Google Cloud, including:
- Compute Engine VM instance
- Cloud VPN
- Filestore instance
Before you begin
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
Create the proxy VM
The proxy VM is a Linux Compute Engine VM that forwards NFS traffic between the remote client and the Filestore instance. It must be on the same VPC network as the Filestore instance.
To learn how to create a Linux Compute Engine VM, see Quickstart Using a Linux VM.
Create a Filestore instance
Create a Filestore instance on the same VPC network as the proxy VM.
Configure forwarding on the proxy VM
- Go to the VM instances page
- Locate the proxy VM and click SSH to open a terminal on that VM.
- Install iptables by running the command that matches the proxy VM's package manager:
sudo apt-get install iptables
sudo yum install iptables
sudo zypper -n install iptables
- Forward NFS packets destined to the Filestore instance by running the following commands on the proxy VM:
sudo iptables -A PREROUTING -t nat -i network-interface -p tcp --dport 111 -j DNAT --to filestore-ip-address:111
sudo iptables -A PREROUTING -t nat -i network-interface -p tcp --dport 2049 -j DNAT --to filestore-ip-address:2049
sudo iptables -A PREROUTING -t nat -i network-interface -p tcp --dport 2050 -j DNAT --to filestore-ip-address:2050
sudo iptables -A FORWARD -p tcp -d filestore-ip-address --dport 111 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d filestore-ip-address --dport 2049 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d filestore-ip-address --dport 2050 -j ACCEPT
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
- filestore-ip-address is the IP address of the Filestore instance that the proxy VM is forwarding to.
- network-interface is the name of the network interface on the proxy VM, such as eth0. To get the name of the network interface, run the following command on the proxy VM:
The ports forwarded are 111, 2049, and 2050.
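To check that the forwarding rules from this section are actually loaded, the following added example (not part of the original tutorial) parses iptables-save output and reports which of the three forwarded ports lack a DNAT rule to the Filestore address. The function names, the sample rule set, and the address 10.0.0.2 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save output for the tutorial's DNAT rules.
# The port list comes from the tutorial's commands; the helpers are hypothetical.
NFS_PORTS="111 2049 2050"

# Constructed sample: port 2050 has a FORWARD rule but no DNAT rule.
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 111 -j DNAT --to-destination 10.0.0.2:111
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2049 -j DNAT --to-destination 10.0.0.2:2049
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 10.0.0.2/32 -p tcp -m tcp --dport 2050 -j ACCEPT
COMMIT
EOF
}

# missing_dnat_ports FILESTORE_IP  (reads iptables-save output on stdin)
# Prints the ports with no nat PREROUTING rule doing DNAT to FILESTORE_IP:port.
missing_dnat_ports() {
    fs_ip=$1
    awk -v ip="$fs_ip" -v ports="$NFS_PORTS" '
        /^\*/ { table = substr($0, 2) }   # a "*nat" or "*filter" line starts a table
        table == "nat" && $1 == "-A" && $2 == "PREROUTING" {
            dport = ""; target = ""; dest = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            # Count the rule only if it rewrites to the same port on the Filestore IP.
            if (target == "DNAT" && dest == (ip ":" dport)) seen[dport] = 1
        }
        END {
            n = split(ports, want, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) out = out (out == "" ? "" : " ") want[i]
            print out
        }'
}

echo "missing DNAT ports: $(sample_ruleset | missing_dnat_ports 10.0.0.2)"
```

On the proxy VM, pipe the live rules into the function: sudo iptables-save | missing_dnat_ports filestore-ip-address. An empty result means all three ports have a DNAT rule.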
Establish a VPN connection between the network of the remote client and the VPC network of the proxy VM
Before you can mount the Filestore file share on a remote client, you must establish a VPN connection between the network of the remote client and the VPC network of the Filestore instance and proxy VM.
Configure the VPN gateway and tunnel on Google Cloud
Create an HA VPN. For detailed instructions, see Creating an HA VPN gateway to a Peer VPN gateway.
Configure the VPN gateway and tunnel on the remote network:
- For specific configuration guidance for certain VPN devices, see VPN Interoperability Guides.
- For general configuration parameters, see Configuring the Peer VPN Gateway.
Mount the Filestore file share on the remote client
Create a mount point directory on the remote client:
sudo mkdir -p mount-point-directory
where mount-point-directory is the path where you want to map the Cloud Filestore file share to.
Mount the Filestore instance on your client on a remote network by running the following command on the remote client:
sudo mount proxy-ip-address:/file-share/[file-share-sub-dir] mount-point-directory
- proxy-ip-address is the IP address for the proxy instance.
- file-share is the name of the file share on the Filestore instance.
- file-share-sub-dir is the path of the file share subdirectory that you want to mount. Leave this blank if you want to mount the entire file share.
- mount-point-directory is the path on the remote client where you want to map the Filestore file share to.
Example: The following command mounts file share vol1 on a Filestore instance being forwarded to a Linux Compute Engine VM with IP address 22.214.171.124 to mount point directory /mnt/test on the remote client:
sudo mount 126.96.36.199:/vol1 /mnt/test
Confirm that your configuration works by running the following command on the remote client:
where mount-point-directory is the path of the mount point directory.
From the previous example, the command would be:
If the file share is mounted successfully on the remote client, the system will return the results of the
You can troubleshoot by running tcpdump on the proxy VM to check if the NFS packets are being forwarded:
sudo apt-get install tcpdump
sudo yum install tcpdump
sudo zypper -n install tcpdump
Run the following command to display the packets being transmitted or received by the proxy VM, except traffic on ports 22 and 80:
sudo tcpdump -p -n not port 22 and not port 80
After you've finished the Mounting file shares on clients in a remote network tutorial, you can clean up the resources that you created on Google Cloud so they won't take up quota and you won't be billed for them in the future. The following sections describe how to delete or turn off these resources.
Deleting the project
The easiest way to eliminate billing is to delete the project that you created for the tutorial.
To delete the project:
- In the Cloud Console, go to the Manage resources page.
- In the project list, select the project that you want to delete and then click Delete.
- In the dialog, type the project ID and then click Shut down to delete the project.
Deleting Compute Engine instances
To delete a Compute Engine instance:
- In the Cloud Console, go to the VM Instances page.
- Click the checkbox for the instance you want to delete.
- Click Delete to delete the instance.
Deleting Filestore instances
- Go to the Filestore instances page
- Click the instance ID to open the instance details page.
- Click Delete.
- When prompted, type the instance ID and click Delete.
Deleting Cloud VPN tunnels
- Go to the Cloud VPN page
- Click the Cloud VPN tunnels tab
- Click on the name of the tunnel and click Delete.