Creating and managing NFS volumes

You first create an NFS volume, and then you mount your NFS exports to Compute Engine instances.

Before you create an NFS volume, you must complete the steps in Enabling billing and APIs and Setting up private service access; otherwise, the volume creation process fails.


An NFS volume can use NFSv3 or NFSv4.1. The following considerations apply:

  • About NFS versions: NFSv3 can handle a variety of use cases and is commonly deployed in most enterprise applications. You should validate what version (NFSv3 or NFSv4.1) your application requires and create your volume using the appropriate version. For example, if you use Apache ActiveMQ, file locking with NFSv4.1 is recommended over NFSv3.
  • Security: Support for UNIX mode bits (read, write, and execute) is available for NFSv3 and NFSv4.1. Root-level access is required on the NFS client to mount NFS volumes.
  • Local user/group and LDAP support for NFSv4.1: Currently, NFSv4.1 supports root access to volumes only.
  • After you create an NFS volume, you cannot change the protocol type between NFSv3 and NFSv4.1.
  • The CVS service type does not currently support NFSv4.1. If you want to use NFSv4.1, use the CVS-Performance type to create a NFSv4.1 volume.

For information about managing local users for an NFS volume, see the Linux manual pages for the passwd and group commands.

Creating an NFS volume

You can create an NFS volume with either the general-purpose CVS or the CVS-Performance service type. The service type you select for a volume depends on the workload needs you have for that volume. By default, an NFS volume is created using the CVS service type. See Service types.

  1. In the Cloud Console, go to the Volumes page.

    Go to the Volumes page

  2. Click Create.

    Cloud Volumes in the Cloud Console

  3. On the Create File System page, complete the following fields:

    1. Name: Enter a display name for the volume.

    2. Service Type: Select either the CVS or CVS-Performance service type, depending on which is appropriate for your workload. Each service type offers different service levels, and the service levels are offered in different regions. For more information, see Service types.

    3. Region: Select a Google Cloud region for your volume from the drop-down list. For more information about region selection, see Best practices for Compute Engine region selection.

    4. Zone: Select a Google Cloud zone for your volume from the drop-down list. This field applies only to volumes using the CVS service type.

    5. Volume Path: Enter the name of the volume path. It must be unique across all cloud volumes in your project. The system automatically generates a recommended volume path.

    6. Service level:

      • If you selected the CVS service type, the volume uses the Standard-SW service level.
      • If you selected the CVS-Performance service type, select the level of performance for the volume.

      For more information, see Service levels.

    7. Snapshot: If you want to create a volume based on a snapshot, select the snapshot from the drop-down list. This field applies only to volumes that use the CVS-Performance service type. For more information, see Creating and managing volume snapshots.

    8. Allocated capacity: Set the cloud volume size. The minimum size is 1,024 GiB (1 TiB).

    9. Protocol Type: Select the NFS protocol that applies to your service type: NVSv3, NFSv4.1, or Both (NFSv3/NFSv4.1).

    10. Make snapshot directory (.snapshot) visible: Selecting this option makes your snapshot directory visible to the client.

    11. Shared VPC configuration: The VPC network can be part of a host project in a shared VPC, or it can be a standalone project. If you have a host project and shared VPC topology, Select Shared VPC configuration. For standalone projects, leave the box cleared.

    12. VPC Network Name:

      • Select the network from which the volume will be accessible.

      • Optionally, you can specify your custom CIDR range by selecting Use Custom Address Range.

      • If this is the first time that you're setting up VPC peering for Cloud Volumes Service, you receive the following prompt indicating that you need to set up network peering:

        Network peering not set up

        Click the View commands how to set up network peering button. Follow the steps in the pop-up window that appears to configure VPC peering. For more information, see Setting up private services access.

    13. To manage export policy rules for the volume, expand Show export policy.

      Export policy page

      1. Click Add Rule to define the allowed clients and their access type.
      2. In the Allowed clients field, enter the IP address or range of addresses that are allowed to connect to the cloud volume.
      3. To select the type of access these IP addresses have to the cloud volume, either select Read & Write or Read Only.
      4. Select the checkbox for the corresponding NFS version for which you want to give access. You can add additional rules as needed.

      The protocol type allowed for the export must match the protocol type that you previously selected. A warning appears if the protocol type you select to allow for export does not match the protocol type selected for the volume.

      You will not be able to access your NFS volumes unless you add an export policy.

    14. To manage the snapshot policy for the volume, expand Show snapshot policy. Select Allow automatic snapshots, specify the snapshot schedules, and specify the number of snapshots to keep. For details, see Managing snapshot policies.

      Snapshot policy page

  4. Click Save to create the volume.

    The new volume appears in the Volumes list.

    Volumes list

Mounting NFS exports to Compute Engine instances

  1. In the Cloud Console, go to the Volumes page.


  2. Click the NFS volume for which you want to mount NFS exports.

  3. Scroll to the right, click More , and then click Mount Instructions.

    Create NFS volume

  4. Follow the instructions in the Mount Instructions for NFS window.

    The mounting instructions might be slightly different depending on which NFS protocol you have configured for the volume. The following example is for NFSv4.1.

    NFS mount instructions

Disabling root access to the volume

By default, root access to a volume is enabled. This corresponds to the no_root_squash option on other NFS servers.

You can turn off root access to a volume with the API.

For details, see the API example Update volume with rootAccess disabled.

Configuring NFSv4.1 Kerberos encryption

Cloud Volumes service supports NFS client encryption in Kerberos modes krb5, krb5i, and krb5p, with AES-256 encryption.

You control NFSv4.1 Kerberos encryption using the API. For an example, see Create NFS volume with NFSv4 Kerberos encryption.

createVol: You can use the createVol API to create a volume with parameters for Kerberos encryption (types krb5, krb5i, krb5p) and the kerberosEnabled flag. The createVol API performs validation to make sure that the kerberosEnabled flag and Kerberos export policy rules match.

updateVolume: Using the updateVolume API, you can’t change whether a volume has Kerberos encryption enabled. The updateVolume API doesn’t provide a kerberosEnabled field. You can only modify export policy rules with the updateVolume API.

getVolumeDetails: You can use the getVolumeDetails API to return the parameters for export policy rules and the kerberosEnabled flag.

What's next