You first create an NFS volume, and then you mount your NFS exports to Compute Engine instances.
An NFS volume can use NFSv3 or NFSv4.1. The following considerations apply:
- About NFS versions: NFSv3 can handle a variety of use cases and is commonly deployed in most enterprise applications. You should validate what version (NFSv3 or NFSv4.1) your application requires and create your volume using the appropriate version. For example, if you use Apache ActiveMQ, file locking with NFSv4.1 is recommended over NFSv3.
- Security: Support for UNIX mode bits (read, write, and execute) is available for NFSv3 and NFSv4.1. Root-level access is required on the NFS client to mount NFS volumes.
- Local user/group and LDAP support for NFSv4.1: Currently, NFSv4.1 supports root access to volumes only.
- After you create an NFS volume, you cannot change the protocol type between NFSv3 and NFSv4.1.
- The CVS service type does not currently support NFSv4.1. If you want to use NFSv4.1, use the CVS-Performance type to create an NFSv4.1 volume.
Creating an NFS volume
You can create an NFS volume with either the general-purpose CVS or the CVS-Performance service type. The service type you select for a volume depends on the workload needs you have for that volume. By default, an NFS volume is created using the CVS service type. See Service types.
In the Cloud Console, go to the Volumes page.
On the Create File System page, complete the following fields:
Name: Enter a display name for the volume.
Service Type: Select either the CVS or CVS-Performance service type, depending on which is appropriate for your workload. Each service type offers different service levels, and the service levels are offered in different regions. For more information, see Service types.
Region: Select a Google Cloud region for your volume from the drop-down list. For more information about region selection, see Best practices for Compute Engine region selection.
Zone: Select a Google Cloud zone for your volume from the drop-down list. This field applies only to volumes using the CVS service type.
Volume Path: Enter the name of the volume path. It must be unique across all cloud volumes in your project. The system automatically generates a recommended volume path.
- If you selected the CVS service type, the volume uses the Standard-SW service level.
- If you selected the CVS-Performance service type, select the level of performance for the volume.
For more information, see Service levels.
Snapshot: If you want to create a volume based on a snapshot, select the snapshot from the drop-down list. This field applies only to volumes that use the CVS-Performance service type. For more information, see Creating and managing volume snapshots.
Allocated capacity: Set the cloud volume size. The minimum size is 1,024 GiB (1 TiB).
Protocol Type: Select the NFS protocol that applies to your service type: NFSv3, NFSv4.1, or Both (NFSv3/NFSv4.1).
Make snapshot directory (.snapshot) visible: Selecting this option makes your snapshot directory visible to the client.
Shared VPC configuration: The VPC network can be part of a host project in a shared VPC, or it can be a standalone project. If you have a host project and shared VPC topology, select Shared VPC configuration. For standalone projects, leave the box cleared.
VPC Network Name:
Select the network from which the volume will be accessible.
Optionally, you can specify your custom CIDR range by selecting Use Custom Address Range.
If this is the first time that you're setting up VPC peering for Cloud Volumes Service, you receive the following prompt indicating that you need to set up network peering:
Click the View commands how to set up network peering button. Follow the steps in the pop-up window that appears to configure VPC peering. For more information, see Setting up private services access.
To manage export policy rules for the volume, expand Show export policy.
- Click Add Rule to define the allowed clients and their access type.
- In the Allowed clients field, enter the IP address or range of addresses that are allowed to connect to the cloud volume.
- To select the type of access these IP addresses have to the cloud volume, either select Read & Write or Read Only.
- Select the checkbox for the corresponding NFS version for which you want to give access. You can add additional rules as needed.
The protocol type allowed for the export must match the protocol type that you previously selected. A warning appears if the protocol type you select to allow for export does not match the protocol type selected for the volume.
You will not be able to access your NFS volumes unless you add an export policy.
To manage the snapshot policy for the volume, expand Show snapshot policy. Select Allow automatic snapshots, specify the snapshot schedules, and specify the number of snapshots to keep. For details, see Managing snapshot policies.
Click Save to create the volume.
The new volume appears in the Volumes list.
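A pre-flight check for the export policy settings described in the steps above, as an added example that is not part of the original documentation or of the Cloud Volumes Service API. The dictionary field names, the 256-address threshold, and the sample volumes are assumptions made for illustration; the root-access check reflects the default described later on this page.

```python
import ipaddress

# Field names below are assumptions made for this example, not the
# Cloud Volumes Service API schema.
def lint_volume(volume):
    """Return (severity, message) findings for one volume description."""
    findings = []
    rules = volume.get("export_rules", [])
    if not rules:
        # Without an export policy the volume cannot be accessed at all.
        findings.append(("error", "no export rule: volume is unreachable"))
    for n, rule in enumerate(rules, 1):
        # A rule may only grant NFS versions the volume was created with.
        extra = sorted(set(rule["protocols"]) - set(volume["protocols"]))
        if extra:
            findings.append(("error", f"rule {n}: {extra} not enabled on volume"))
        try:
            net = ipaddress.ip_network(rule["allowed_clients"], strict=False)
        except ValueError:
            findings.append(("error", f"rule {n}: invalid client range"))
            continue
        if net.prefixlen == 0:
            findings.append(("warn", f"rule {n}: open to every address"))
        elif rule["access"] == "ReadWrite" and net.num_addresses > 256:
            # 256 is an arbitrary threshold chosen for this example.
            findings.append(("warn", f"rule {n}: read-write for {net.num_addresses} hosts"))
    # Root access is on unless it was turned off (no_root_squash behaviour).
    if rules and volume.get("root_access", True):
        findings.append(("warn", "root access to the volume is enabled"))
    return findings

# Constructed sample inputs.
TIGHT = {"protocols": ["NFSv4.1"], "root_access": False, "export_rules": [
    {"allowed_clients": "10.128.0.0/28", "access": "ReadOnly",
     "protocols": ["NFSv4.1"]}]}
LOOSE = {"protocols": ["NFSv3"], "export_rules": [
    {"allowed_clients": "0.0.0.0/0", "access": "ReadWrite",
     "protocols": ["NFSv3", "NFSv4.1"]},
    {"allowed_clients": "10.0.0.300", "access": "ReadOnly",
     "protocols": ["NFSv3"]}]}

if __name__ == "__main__":
    for name, vol in (("TIGHT", TIGHT), ("LOOSE", LOOSE)):
        for severity, message in lint_volume(vol):
            print(f"{name}: {severity}: {message}")
```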
Mounting NFS exports to Compute Engine instances
In the Cloud Console, go to the Volumes page.
Click the NFS volume for which you want to mount NFS exports.
Scroll to the right, click More, and then click Mount Instructions.
Follow the instructions in the Mount Instructions for NFS window.
The mounting instructions might be slightly different depending on which NFS protocol you have configured for the volume. The following example is for NFSv4.1.
Disabling root access to the volume
By default, root access to a volume is enabled. This corresponds to the no_root_squash option on other NFS servers.
You can turn off root access to a volume with the API.
For details, see the API example
Update volume with
Configuring NFSv4.1 Kerberos encryption
Cloud Volumes service supports NFS client encryption in Kerberos modes krb5, krb5i, and krb5p, with AES-256 encryption.
You control NFSv4.1 Kerberos encryption using the API. For an example, see Create NFS volume with NFSv4 Kerberos encryption.
You can use the createVol API to create a volume with parameters for Kerberos encryption (types krb5, krb5i, krb5p) and the kerberosEnabled flag. The createVol API performs validation to make sure that the and Kerberos export policy rules match.
updateVolume API, you can’t change whether a volume has Kerberos encryption enabled. The updateVolume API doesn’t provide a field. You can only modify export policy rules with the
You can use the getVolumeDetails API to return the parameters for export policy rules and the
- Monitoring cloud volumes
- Creating and managing volume snapshots
- Reverting a volume using a snapshot
- Backing up and restoring a cloud volume
- Security considerations
- FAQs about NetApp Cloud Volumes Service for Google Cloud
- Resource limits and quotas