Create an instance on a Shared VPC network in service projects

This tutorial walks you through the process of creating a Filestore instance on a Shared VPC network from a service project.

You can create Filestore instances on a Shared VPC network in either the host project or one of its associated service projects. When creating an instance in the host project, you can select the Shared VPC network as normal and service project clients can connect to the instance. However, if you want to create the instance in a service project, you must first enable private services access on the Shared VPC network from the host project.

Objectives

  • Enable private services access on the Shared VPC network.
  • Create an instance on the Shared VPC network.
  • Mount the instance.

Costs

This tutorial uses the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

When you finish this tutorial, you can avoid continued billing by deleting the resources you created. For more information, see Cleaning up.


Before you begin

  1. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  2. Create a Shared VPC network with a host project and a connected service project.
  3. Enable the Filestore and Service Networking APIs.

Enable private service access on the Shared VPC network

To create a Filestore instance in a service project that uses a Shared VPC network, the Shared VPC network must have private services access enabled.

Check if private services access is enabled for the Shared VPC network

Check if private services access is already enabled for the Shared VPC network using one of the following methods:

Cloud Console

  1. In the Cloud Console, go to the Filestore Instances page.

  2. Click Create Instance.

  3. Select the Shared VPC network that you want to use.

  4. Click Advanced network options.

  5. The Private services access connection section indicates whether private services access is enabled.

gcloud tool

gcloud beta services vpc-peerings list \
    --network=SHARED_VPC_NAME \
    --project=HOST_PROJECT_ID

Replace the following:

  • SHARED_VPC_NAME with the name of the Shared VPC network that you want to use for your Filestore instance.
  • HOST_PROJECT_ID with the project ID of the host project that contains the Shared VPC network.

If private services access is already enabled, the response shows that a peering is established for servicenetworking-googleapis-com:

network: projects/PROJECT_NUMBER/global/networks/SHARED_VPC_NAME
peering: servicenetworking-googleapis-com
reservedPeeringRanges: RANGES

If private services access is enabled for the Shared VPC network, you can start creating Filestore instances on it. Otherwise, you must first enable private services access.

Enable private services access

You must have the Owner (roles/owner), Editor (roles/editor), or Network Management Admin (roles/networkmanagement.admin) role to create allocated IP address ranges and manage private connections. If you do not have these privileges, contact your network administrator. For more information, see Understanding roles.

Enable private services access on a Shared VPC network using one of the following methods:

Cloud Console

Reserve an IP address range in the Shared VPC network for Google managed services

  1. Go to the VPC networks page in the Google Cloud Console.

  2. Select the host project that contains the Shared VPC network you want to use.

  3. Click the name of the Shared VPC network that you want to create your Filestore instance on.

  4. Select the Private service connection tab.

  5. In the Private service connection tab, select the Allocated IP ranges for services tab.

  6. Click Allocate IP range and configure it as follows:

    • Name: google-service-range
    • Description: Peering range for Google managed services
    • IP range:

      • Select Automatic.
      • In the text field, enter 20 for the prefix. This range is used by all Google Cloud managed services, so in practice, you may need something larger. Basic tier instances require a prefix of /29 and High Scale instances require a /24 prefix.
  7. Click Allocate to create the allocated range.

Create a private connection for the Shared VPC network and the Google managed services network

  1. Go to the VPC networks page in the Google Cloud Console.

  2. Select the host project that contains the Shared VPC network you want to use.

  3. Click the name of the Shared VPC network that you want to create your Filestore instance on.

  4. Select the Private service connection tab.

  5. In the Private service connection tab, select the Private connections to services tab.

  6. Click Create connection.

  7. For the Assigned allocation, select google-service-range.

  8. Click Connect to create the connection.

gcloud tool

  1. Reserve an IP address range in the Shared VPC network for Google managed services by running:

    gcloud compute addresses create google-service-range \
        --global \
        --purpose=VPC_PEERING \
        --prefix-length=PREFIX \
        --description="Peering range for Google managed services" \
        --network=SHARED_VPC_NAME \
        --project=PROJECT_ID

    Replace the following:

    • PREFIX with a prefix length. Basic tier instances require a /29 prefix and High Scale tier instances require a /24 prefix. However, this range is used by all Google Cloud managed services. If you plan on using multiple Filestore instances or other Google Cloud managed services, then you need a larger prefix, for example, /20.
    • SHARED_VPC_NAME with the name of the Shared VPC network that you want to create your Filestore instance on.
    • PROJECT_ID with the project ID of the host project that contains the Shared VPC network.
  2. Create a private connection for the Shared VPC network and the Google managed services network by running:

    gcloud services vpc-peerings connect \
        --service=servicenetworking.googleapis.com \
        --ranges=google-service-range \
        --network=SHARED_VPC_NAME \
        --project=HOST_PROJECT_ID

    Replace the following:

    • SHARED_VPC_NAME with the name of the Shared VPC network that you want to create your Filestore instance on.
    • HOST_PROJECT_ID with the project ID of the host project that contains the Shared VPC network.

    The command initiates a long-running operation and returns an operation name.

  3. Check whether the operation succeeded:

    gcloud services vpc-peerings operations describe \
        --name=OPERATION_NAME

    Replace OPERATION_NAME with the operation name that was returned from the previous step.

For more information on allocating IP address ranges and creating private connections, see Configuring private services access.
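The gcloud steps above combined into one re-runnable script, as an added example that is not part of the tutorial. It assumes SHARED_VPC_NAME and HOST_PROJECT_ID are exported, takes the tier and instance count from the optional TIER and COUNT variables, and calls gcloud only when APPLY=1 is set; the prefix sizing rule is a simplification that treats Filestore as the only consumer of the range.

```shell
# Added example, not from the tutorial: the gcloud procedure above as one script.
# Assumes SHARED_VPC_NAME and HOST_PROJECT_ID are exported; gcloud runs only if APPLY=1.

# Return 0 when the output of `gcloud beta services vpc-peerings list` ($1)
# already shows the servicenetworking peering, 1 otherwise.
peering_established() {
    printf '%s\n' "$1" | grep -q 'peering: servicenetworking-googleapis-com'
}

# Print the longest prefix (smallest block) that fits COUNT instances of TIER, using
# the per-instance sizes from the tutorial (Basic /29, High Scale /24). Lower bound
# only: other Google managed services also draw from this range, so size it larger.
min_prefix_for() {
    case "$1" in
        BASIC)      p=29 ;;
        HIGH_SCALE) p=24 ;;
        *) echo "unknown tier: $1" >&2; return 2 ;;
    esac
    count="$2"; cap=1
    while [ "$cap" -lt "$count" ]; do
        cap=$((cap * 2)); p=$((p - 1))   # doubling the block shortens the prefix by 1
    done
    echo "$p"
}

# Constructed sample of the list output shown in the tutorial, for offline checks.
SAMPLE_PEERING_LIST='network: projects/123456789012/global/networks/SHARED_VPC_NAME
peering: servicenetworking-googleapis-com
reservedPeeringRanges:
- google-service-range'

# Allocate the range and create the private connection only if no peering exists yet.
enable_private_services_access() {
    prefix=$(min_prefix_for "$1" "$2") || return 1
    current=$(gcloud beta services vpc-peerings list \
        --network="$SHARED_VPC_NAME" --project="$HOST_PROJECT_ID")
    if peering_established "$current"; then
        echo "private services access already enabled on $SHARED_VPC_NAME"
        return 0
    fi
    gcloud compute addresses create google-service-range --global --purpose=VPC_PEERING \
        --prefix-length="$prefix" --description="Peering range for Google managed services" \
        --network="$SHARED_VPC_NAME" --project="$HOST_PROJECT_ID"
    gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com \
        --ranges=google-service-range --network="$SHARED_VPC_NAME" --project="$HOST_PROJECT_ID"
}

if [ -n "${APPLY:-}" ]; then
    enable_private_services_access "${TIER:-BASIC}" "${COUNT:-1}"
fi
```

After the connect call completes, check the operation with the `operations describe` command shown above before creating instances.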

Optional: Enable VPC Service Controls

Once private services access is enabled, you can optionally enable VPC Service Controls by running:

gcloud beta services vpc-peerings enable-vpc-service-controls \
    --network=SHARED_VPC_NAME \
    --project=HOST_PROJECT_ID \
    --service=servicenetworking.googleapis.com

Replace the following:

  • SHARED_VPC_NAME with the name of the Shared VPC network that you want to create your Filestore instance on.
  • HOST_PROJECT_ID with the project ID of the host project that contains the Shared VPC network.

For more information on using Filestore with VPC Service Controls, see Securing instances with a service perimeter.

Create a Filestore instance on the Shared VPC network

Once your Shared VPC network has private services access enabled, you can start creating Filestore instances on it from a service project.

Cloud Console

  1. In the Cloud Console, go to the Filestore Instances page.

  2. Click Create Instance and configure the instance as follows:

    • Set Instance ID to nfs-server.
    • Set Instance type to Basic.
    • Set Storage type to HDD.
    • Set Allocate capacity to 1TB.
    • Set Region to us-central1 and Zone to us-central1-c.
    • Set VPC network to the shared VPC network, which shows up in the format "projects/HOST_PROJECT_ID/global/networks/SHARED_VPC_NAME".
    • Set File share name to vol1.
    • Set Allocated IP range to Use an automatically allocated IP range.
    • Set Access controls to Grant access to all clients.
  3. Click Create.

gcloud tool

gcloud [beta] filestore instances create nfs-server \
    --project=SERVICE_PROJECT_ID \
    --zone=us-central1-c \
    --tier=BASIC_HDD \
    --file-share=name="vol1",capacity=1TiB \
    --network=name="projects/HOST_PROJECT_ID/global/networks/SHARED_VPC_NAME",connect-mode=PRIVATE_SERVICE_ACCESS

Replace the following:

  • SERVICE_PROJECT_ID with the project ID of the service project that you want to create a Filestore instance in.
  • HOST_PROJECT_ID with the project ID of the host project that contains the Shared VPC network.
  • SHARED_VPC_NAME with the name of the Shared VPC network that you want to create your Filestore instance on.

Mount your instance on a service project client

Once you create a Filestore instance on a Shared VPC network, you can mount that instance on any client that is on the same network. For instructions on mounting, see Mounting file shares on Compute Engine clients.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Deleting the Filestore instance

Cloud Console

  1. In the Cloud Console, go to the Filestore Instances page.

  2. Click the nfs-server instance ID to open the instance details page.

  3. Click Delete.

  4. When prompted, type the instance ID.

  5. Click Delete.

gcloud tool

Delete the nfs-server instance:

gcloud filestore instances delete nfs-server --zone=us-central1-c

What's next