Security considerations

You should familiarize yourself with a few security considerations for NFS or SMB access of Cloud Volumes Service.

NFS access

Google Cloud has strict inbound firewall rules that are categorized as default and implied. Every VPC network has two implied firewall rules. Understanding the implied rules helps you manage access to the cloud volumes.

  • The implied allow egress rule: The rule's action is to allow, the destination IP range is 0.0.0.0/0, and the priority is the lowest possible (65535). It lets any instance send traffic to any destination. You can restrict outbound access with a firewall rule that has a higher priority. Internet access is permitted if no other firewall rules deny the outbound traffic and if the instance has an external IP address or uses a NAT instance. See Internet access requirements for more details.
  • The implied deny ingress rule: The rule's action is to deny, the source is 0.0.0.0/0, and the priority is the lowest possible (65535). It protects all instances by blocking incoming traffic to them. You can permit incoming access with a firewall rule that has a higher priority. Note that the default network includes some additional rules that override this rule to permit certain types of incoming traffic.

NFS uses various ports to communicate between the initiator and a target. To ensure proper communication and successful volume mount, you must enable these ports on the VPC firewalls. If you have a local firewall enabled, you must also enable these ports on the compute instance. The required ports are as follows:

  • 111 TCP/UDP portmapper
  • 2049 TCP/UDP nfsd
  • 635 TCP/UDP mountd
  • 4045 TCP/UDP nlockmgr
  • 4046 TCP/UDP status

SMB access

Active Directory integration

In the Cloud Volumes Service implementation of SMB, workgroups aren't supported. Cloud Volumes Service has an inherent dependency on a directory service. The following are supported directories:

  • A custom ("roll your own") Active Directory (AD) that is a Windows 2008 R2 or later AD server in the tenant VPC.
  • A third-party AD as a service in Google Cloud.

Communication between cloud volumes and AD

The implied firewall rules described under NFS access (the implied allow egress rule and the implied deny ingress rule) apply here as well. Because of the implied deny ingress rule, the AD domain controllers do not accept inbound traffic from the storage network until you add rules that permit it.

You must create a set of inbound rules to enable Cloud Volumes Service to initiate communication with the AD domain controllers. You must add these rules to the security groups that are attached to each AD instance to enable inbound communication from the storage subnet CIDR or the specific IP address. You must open these required ports with firewall rules to enable the CIDR range to access Cloud Volumes Service.

The required ports are as follows:

  • ICMPv4
  • DNS 53 TCP
  • DNS 53 UDP
  • LDAP 389 TCP
  • LDAP 389 UDP
  • LDAP (GC) 3268 TCP
  • NetBIOS Name 138 UDP
  • SAM/LSA 445 TCP
  • SAM/LSA 445 UDP
  • Secure LDAP 636 TCP
  • Secure LDAP 3269 TCP
  • W32Time 123 UDP
  • AD Web Svc 9389 TCP
  • Kerberos 464 TCP
  • Kerberos 464 UDP
  • Kerberos 88 TCP
  • Kerberos 88 UDP
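The two port lists above (NFS ports on the compute instances, AD ports on the domain controllers) translated into VPC ingress rules, as an added example that is not part of the NetApp page. The rules are scoped to the Cloud Volumes Service storage CIDR instead of 0.0.0.0/0; the network name, CIDR and target tags are assumptions.

```shell
# Added example, not from the NetApp page: VPC ingress rules for the NFS and AD
# port lists, scoped to the Cloud Volumes Service storage CIDR.
# Network name, CIDR and target tags are assumptions.

# Port lists transcribed from the page, in gcloud --allow syntax
NFS_ALLOW="tcp:111,udp:111,tcp:2049,udp:2049,tcp:635,udp:635,tcp:4045,udp:4045,tcp:4046,udp:4046"
AD_ALLOW="icmp,tcp:53,udp:53,tcp:389,udp:389,tcp:3268,udp:138,tcp:445,udp:445,tcp:636,tcp:3269,udp:123,tcp:9389,tcp:464,udp:464,tcp:88,udp:88"

# Reject a source range that would expose the ports to the whole Internet
check_scoped() {
  case "$1" in
    0.0.0.0/0|::/0) return 1 ;;
  esac
  return 0
}

# Print the gcloud command for one ingress allow rule (run it by piping to sh)
ingress_rule_cmd() {
  name="$1"; network="$2"; src="$3"; tag="$4"; allow="$5"
  check_scoped "$src" || { echo "refusing unscoped source $src for $name" >&2; return 1; }
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --source-ranges=%s --target-tags=%s --allow=%s\n' \
    "$name" "$network" "$src" "$tag" "$allow"
}

# Assumed values: the tenant VPC and the CIDR assigned to the CVS storage network
NETWORK="tenant-vpc"
CVS_CIDR="10.200.0.0/24"

# NFS clients carry the tag nfs-client; domain controllers carry ad-dc
ingress_rule_cmd allow-cvs-nfs "$NETWORK" "$CVS_CIDR" nfs-client "$NFS_ALLOW"
ingress_rule_cmd allow-cvs-ad  "$NETWORK" "$CVS_CIDR" ad-dc      "$AD_ALLOW"
```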

Permissions for Cloud Volumes Service

Cloud Volumes Service supports a granular set of permissions. These granular permissions are combined into two predefined roles, and these permissions can be added to Google Cloud IAM custom roles.

The granular permissions are the following:

  • cloudvolumesgcp-api.netapp.com/activeDirectories.create
  • cloudvolumesgcp-api.netapp.com/activeDirectories.delete
  • cloudvolumesgcp-api.netapp.com/activeDirectories.get
  • cloudvolumesgcp-api.netapp.com/activeDirectories.list
  • cloudvolumesgcp-api.netapp.com/activeDirectories.update
  • cloudvolumesgcp-api.netapp.com/ipRanges.list
  • cloudvolumesgcp-api.netapp.com/jobs.get
  • cloudvolumesgcp-api.netapp.com/jobs.list
  • cloudvolumesgcp-api.netapp.com/regions.list
  • cloudvolumesgcp-api.netapp.com/serviceLevels.list
  • cloudvolumesgcp-api.netapp.com/snapshots.create
  • cloudvolumesgcp-api.netapp.com/snapshots.delete
  • cloudvolumesgcp-api.netapp.com/snapshots.get
  • cloudvolumesgcp-api.netapp.com/snapshots.list
  • cloudvolumesgcp-api.netapp.com/snapshots.update
  • cloudvolumesgcp-api.netapp.com/volumereplication.authorize
  • cloudvolumesgcp-api.netapp.com/volumereplication.break
  • cloudvolumesgcp-api.netapp.com/volumereplication.create
  • cloudvolumesgcp-api.netapp.com/volumereplication.delete
  • cloudvolumesgcp-api.netapp.com/volumereplication.get
  • cloudvolumesgcp-api.netapp.com/volumereplication.list
  • cloudvolumesgcp-api.netapp.com/volumereplication.release
  • cloudvolumesgcp-api.netapp.com/volumereplication.resync
  • cloudvolumesgcp-api.netapp.com/volumereplication.update
  • cloudvolumesgcp-api.netapp.com/volumes.create
  • cloudvolumesgcp-api.netapp.com/volumes.delete
  • cloudvolumesgcp-api.netapp.com/volumes.get
  • cloudvolumesgcp-api.netapp.com/volumes.list
  • cloudvolumesgcp-api.netapp.com/volumes.update

The two predefined roles are netappcloudvolumes.admin and netappcloudvolumes.viewer. You can assign these roles to specific users or service accounts.

The netappcloudvolumes.admin role contains the full permission set listed above, while the netappcloudvolumes.viewer role contains the list and get permissions on specific objects.

Add Cloud Volumes Service roles to a user

To grant a user the netappcloudvolumes.admin role, use the following command, substituting the appropriate user name and project ID for myuser@myorg.com and my-project.

gcloud projects add-iam-policy-binding my-project \
    --member='user:myuser@myorg.com' \
    --role='roles/netappcloudvolumes.admin'

To grant a user the netappcloudvolumes.viewer role, use the following command, substituting the appropriate user name and project ID for myuser@myorg.com and my-project.

gcloud projects add-iam-policy-binding my-project \
    --member='user:myuser@myorg.com' \
    --role='roles/netappcloudvolumes.viewer'

Add Cloud Volumes Service permissions to a Google Cloud IAM custom role

To grant specific permissions to a user, you need to configure a Google Cloud IAM custom role, assign specific CVS permissions to the role, and then add the custom role to one or more users.

  1. Configure a Google Cloud IAM custom role using the Cloud Console or the Cloud Shell commands. If a custom IAM role is already configured, you can skip this step.

  2. Assign specific CVS permissions to the custom role:

    1. While viewing the role details, select Edit role from the top menu.
    2. On the Edit role page, click Add permissions.
    3. In the filter, enter netapp to see the list of permissions specific to Cloud Volumes Service.
    4. Select the checkbox for permissions that you want to add to the role.
    5. Click Add.
  3. Add the IAM custom role to a user:

    1. Select IAM from the left navigation menu and select the user you want to update.
    2. Click the Edit member button.
    3. On the Edit permissions page, add the custom role created in the previous step.
    4. Click Save.
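The Cloud Shell equivalent of the procedure above, as an added example that is not part of the NetApp page: the requested permissions are checked against the Cloud Volumes Service permission list from this page, the write-level ones (anything other than get and list, which is what the predefined viewer role covers) are reported for review, and the custom role is created with gcloud. The role id, project and requested permission set are assumptions.

```shell
# Added example, not from the NetApp page: validate a requested permission set
# against the page's Cloud Volumes Service permission list before creating a
# custom role with gcloud. Role id, project and request are assumptions.

CVS_PREFIX="cloudvolumesgcp-api.netapp.com/"
# Permission suffixes transcribed from the page
CVS_PERMS="activeDirectories.create activeDirectories.delete activeDirectories.get
activeDirectories.list activeDirectories.update ipRanges.list jobs.get jobs.list
regions.list serviceLevels.list snapshots.create snapshots.delete snapshots.get
snapshots.list snapshots.update volumereplication.authorize volumereplication.break
volumereplication.create volumereplication.delete volumereplication.get
volumereplication.list volumereplication.release volumereplication.resync
volumereplication.update volumes.create volumes.delete volumes.get volumes.list
volumes.update"

# 0 if the permission is one of the CVS permissions listed on the page
is_cvs_perm() {
  suffix="${1#$CVS_PREFIX}"
  [ "$suffix" != "$1" ] || return 1        # prefix missing, not a CVS permission
  for known in $CVS_PERMS; do
    [ "$known" = "$suffix" ] && return 0
  done
  return 1
}

# Print the write-level permissions (anything but .get/.list), one per line
write_perms() {
  for p in "$@"; do
    case "$p" in *.get|*.list) ;; *) echo "$p" ;; esac
  done
}

# Print the gcloud command that creates the custom role; refuse unknown permissions
custom_role_cmd() {
  role="$1"; project="$2"; shift 2
  for p in "$@"; do
    is_cvs_perm "$p" || { echo "not a CVS permission: $p" >&2; return 1; }
  done
  perms=$(printf '%s,' "$@"); perms="${perms%,}"
  printf 'gcloud iam roles create %s --project=%s --permissions=%s\n' \
    "$role" "$project" "$perms"
}

# Assumed request: a role that may create snapshots but not delete volumes
REQUEST="${CVS_PREFIX}volumes.get ${CVS_PREFIX}volumes.list ${CVS_PREFIX}snapshots.create"
echo "write-level permissions in request:"; write_perms $REQUEST
custom_role_cmd cvsSnapshotOperator my-project $REQUEST
```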