Create an instance on a Shared VPC network in service projects


This tutorial walks you through the process of creating a Filestore instance on a Shared VPC network from a service project.

You can create Filestore instances on a Shared VPC network in either the host project or one of its associated service projects. When creating an instance in the host project, you can select the Shared VPC network as normal and service project clients can connect to the instance. However, if you want to create the instance in a service project, you must first enable private services access on the Shared VPC network from the host project.

Objectives

  • Enable private services access on the Shared VPC network.
  • Create an instance on the Shared VPC network.
  • Mount the instance.

Costs

In this document, you use the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator.

New Google Cloud users might be eligible for a free trial.

When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.

Before you begin

  1. Verify that billing is enabled for your Google Cloud project.

  2. Create a Shared VPC network with a host project and a connected service project.
  3. Enable the Filestore and Service Networking APIs.


Enable private service access on the Shared VPC network

To create a Filestore instance in a service project that uses a Shared VPC network, the Shared VPC network must have private services access (PSA) enabled. See Configuring a reserved IP address range for the specific Filestore requirements on the reserved range.

Check if private services access is enabled for the Shared VPC network

Check whether private services access is already enabled for the Shared VPC network using one of the following methods:

Google Cloud console

  1. In the Google Cloud console, go to the Filestore Instances page.

  2. Click Create Instance.

  3. Select the Shared VPC network that you want to use.

  4. Click Advanced network options.

  5. The Private services access connection section indicates whether private services access is enabled.

gcloud CLI

Run the following services vpc-peerings list command:

    gcloud beta services vpc-peerings list \
        --network=SHARED_VPC_NAME \
        --project=HOST_PROJECT_ID

Replace the following:

  • SHARED_VPC_NAME with the name of the Shared VPC network that you want to use for your Filestore instance.
  • HOST_PROJECT_ID with the project ID of the host project that contains the Shared VPC network.

If private services access is already enabled, the response shows that a peering is established for servicenetworking-googleapis-com:

    network: projects/PROJECT_NUMBER/global/networks/SHARED_VPC_NAME
    peering: servicenetworking-googleapis-com
    reservedPeeringRanges: RANGES

If private services access is enabled for the Shared VPC network, you can start creating Filestore instances on it. Otherwise, you must first enable private services access as described in the next section.

Enable private services access

You must have the Owner (roles/owner), Editor (roles/editor), or Network Management Admin (roles/networkmanagement.admin) role to create allocated IP address ranges and manage private connections. If you do not have these privileges, contact your network administrator. For more information, see Understanding roles.

Enable private services access on a Shared VPC network using one of the following methods:

Google Cloud console

Reserve an IP address range in the Shared VPC network for Google managed services

  1. Go to the VPC networks page in the Google Cloud console.

  2. Select the host project that contains the Shared VPC network you want to use.

  3. Click the name of the Shared VPC network that you want to create your Filestore instance on.

  4. Select the Private service connection tab.

  5. In the Private service connection tab, select the Allocated IP ranges for services tab.

  6. Click Allocate IP range and configure it as follows:

    • Name: google-service-range
    • Description: Peering range for Google managed services
    • IP range:

      • Select Automatic.
      • In the text field, enter 20 for the prefix. This range is shared by all Google Cloud managed services that use private services access, so in practice you may need something larger. Basic-tier instances require a /29 prefix; enterprise-tier instances, zonal and regional-tier instances with a higher capacity range (previously high scale SSD), and zonal and regional-tier instances with a lower capacity range require a /26 prefix.
  7. Click Allocate to create the allocated range.

Create a private connection for the Shared VPC network and the Google-managed services network

  1. Go to the VPC networks page in the Google Cloud console.

  2. Select the host project that contains the Shared VPC network you want to use.

  3. Click the name of the Shared VPC network that you want to create your Filestore instance on.

  4. Select the Private services access tab.

  5. In the Private services access tab, select the Private connections to services tab.

  6. Click Create connection.

  7. For the Assigned allocation, select google-service-range.

  8. Click Connect to create the connection.

gcloud CLI

  1. Reserve an IP address range in the Shared VPC network for Google managed services by running the following compute addresses create command:

        gcloud compute addresses create google-service-range \
            --global \
            --purpose=VPC_PEERING \
            --prefix-length=PREFIX \
            --description="Peering range for Google managed services" \
            --network=SHARED_VPC_NAME \
            --project=PROJECT_ID

    Replace the following:

    • PREFIX with a prefix length. Basic-tier instances require a /29 prefix and zonal-tier instances require a /26 prefix. However, this range is used by all Google Cloud-managed services. If you plan on using multiple Filestore instances or other Google Cloud-managed services, then you need a larger prefix, for example, /20.
    • SHARED_VPC_NAME with the name of the Shared VPC network that you want to create your Filestore instance on.
    • PROJECT_ID with the project ID of the host project that contains the Shared VPC network.
  2. Create a private connection for the Shared VPC network and the Google managed services network by running the services vpc-peerings connect command:

        gcloud services vpc-peerings connect \
            --service=servicenetworking.googleapis.com \
            --ranges=google-service-range \
            --network=SHARED_VPC_NAME \
            --project=HOST_PROJECT_ID

    Replace the following:

    • SHARED_VPC_NAME with the name of the Shared VPC network that you want to create your Filestore instance on.
    • HOST_PROJECT_ID with the project ID of the host project that contains the Shared VPC network.

    The command initiates a long-running operation and returns an operation name.

  3. Check whether the operation succeeded using the services vpc-peerings operations describe command:

        gcloud services vpc-peerings operations describe \
            --name=OPERATION_NAME

    Replace OPERATION_NAME with the operation name that was returned from the previous step.

For more information on allocating IP address ranges and creating private connections, see Configuring private services access.
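As an added example (not part of the Google Cloud documentation), the following POSIX shell script parses a constructed sample of the vpc-peerings list output to decide whether the servicenetworking peering already exists and which ranges are reserved, and checks an allocated prefix length against the tier requirements given above before you run compute addresses create; tier names other than BASIC_HDD are assumed gcloud --tier values.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud documentation. It parses the
# YAML that `gcloud beta services vpc-peerings list` prints (a constructed
# sample is embedded below) to decide whether private services access is
# already enabled, and checks an allocated prefix length against the
# Filestore tier requirements stated on this page. Tier names other than
# BASIC_HDD are assumed gcloud --tier values.

# Constructed sample: a Shared VPC network that already has the peering.
SAMPLE_PEERINGS='network: projects/123456789012/global/networks/shared-vpc
peering: servicenetworking-googleapis-com
reservedPeeringRanges:
- google-service-range'

# psa_enabled: reads the listing on stdin; succeeds if the
# servicenetworking-googleapis-com peering is present.
psa_enabled() {
    grep -q '^peering: *servicenetworking-googleapis-com *$'
}

# psa_ranges: reads the listing on stdin; prints the reserved range names.
psa_ranges() {
    awk '/^reservedPeeringRanges:/ { inr = 1; next }
         inr && /^- /              { sub(/^- */, ""); print; next }
         inr && !/^ /              { inr = 0 }'
}

# prefix_ok TIER PREFIX: succeeds if a /PREFIX allocation is large enough
# (a smaller prefix length means a larger range) for the tier:
# /29 or larger for basic tiers, /26 or larger for zonal/regional/enterprise.
prefix_ok() {
    case "$1" in
        BASIC_HDD|BASIC_SSD)       need=29 ;;
        ZONAL|REGIONAL|ENTERPRISE) need=26 ;;
        *) echo "unknown tier: $1" >&2; return 2 ;;
    esac
    [ "$2" -le "$need" ]
}

# next_step: reads the listing on stdin and names the step from this
# tutorial that still has to be run in the host project.
next_step() {
    if psa_enabled; then
        echo "psa-enabled: create the Filestore instance from the service project"
    else
        echo "run compute addresses create, then services vpc-peerings connect"
    fi
}

printf '%s\n' "$SAMPLE_PEERINGS" | next_step
```

To use it against a real network, replace the constructed sample with the output of the vpc-peerings list command shown earlier.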

Optional: Enable VPC Service Controls

Once private services access is enabled, you can optionally enable VPC Service Controls on the peering. To do so, run the services vpc-peerings enable-vpc-service-controls command:

    gcloud beta services vpc-peerings enable-vpc-service-controls \
        --network=SHARED_VPC_NAME \
        --project=HOST_PROJECT_ID \
        --service=servicenetworking.googleapis.com

Replace the following:

  • SHARED_VPC_NAME with the name of the Shared VPC network that you want to create your Filestore instance on.
  • HOST_PROJECT_ID with the project ID of the host project that contains the Shared VPC network.

For more information on using Filestore with VPC Service Controls, see Securing instances with a service perimeter.

Create a Filestore instance on the Shared VPC network

Once your Shared VPC network has private services access enabled, you can start creating Filestore instances on it from a service project.

Google Cloud console

  1. In the Google Cloud console, go to the Filestore Instances page.

  2. Click Create Instance and configure the instance as follows:

    • Set Instance ID to nfs-server.
    • Set Instance type to Basic.
    • Set Storage type to HDD.
    • Set Allocate capacity to 1 TB.
    • Set Region to us-central1 and Zone to us-central1-c.
    • Set VPC network to the Shared VPC network, which shows up in the format "projects/HOST_PROJECT_ID/global/networks/SHARED_VPC_NAME".
    • Set File share name to vol1.
    • Set Allocated IP range to Use an automatically allocated IP range.
    • Set Access controls to Grant access to all clients.
  3. Click Create.

gcloud CLI

Run the following instances create command:

    gcloud filestore instances create nfs-server \
        --project=SERVICE_PROJECT_ID \
        --zone=us-central1-c \
        --tier=BASIC_HDD \
        --file-share=name="vol1",capacity=1TiB \
        --network=name="projects/HOST_PROJECT_ID/global/networks/SHARED_VPC_NAME",connect-mode=PRIVATE_SERVICE_ACCESS

Replace the following:

  • SERVICE_PROJECT_ID with the project ID of the service project that you want to create a Filestore instance in.
  • HOST_PROJECT_ID with the project ID of the host project that contains the Shared VPC network.
  • SHARED_VPC_NAME with the name of the Shared VPC network that you want to create your Filestore instance on.

Optional: Import subnet routes

If your Filestore instances use public IPs (non-RFC 1918 IP addresses) and you elect to enable PSA, you must import the instance's public IP subnet routes into the Shared VPC network by updating the service networking VPC peering to allow importing of subnet routes with public IPs. For more information, see Update a peering connection.

Mount your instance on a service project client

Once you create a Filestore instance on a Shared VPC network, you can mount that instance on any client that is on the same network. For instructions on mounting, see Mounting file shares on Compute Engine clients.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the Filestore instance

Google Cloud console

  1. In the Google Cloud console, go to the Filestore Instances page.

  2. Click the nfs-server instance ID to open the instance details page.

  3. Click Delete.

  4. When prompted, type the instance ID.

  5. Click Delete.

gcloud CLI

Delete the nfs-server instance using the instances delete command:

    gcloud filestore instances delete nfs-server --zone=us-central1-c

What's next
