# Configure a VPC network

Last updated 2025-09-04 UTC.

Google Cloud Managed Lustre runs within a Virtual Private Cloud (VPC), which provides
networking functionality to
[Compute Engine virtual machine (VM) instances](/compute/docs/instances),
[Google Kubernetes Engine (GKE) clusters](/kubernetes-engine/docs), and
[serverless workloads](/serverless#section-3).

The same VPC network must be specified when creating the
Managed Lustre instance and client Compute Engine VMs or
Google Kubernetes Engine clusters.

You must also configure private services access within your VPC.

**Note:** Managed Lustre does not support [VPC Service Controls](/vpc-service-controls/docs/overview) (VPC-SC). See [Troubleshooting and known issues](/managed-lustre/docs/troubleshooting#vpc-sc) for more information.

Required permissions
--------------------

You must have the following IAM permissions:

- `serviceusage.services.enable`
- `compute.networks.create`
- `compute.addresses.create`
- `compute.addresses.get`
- `compute.firewalls.create`
- `servicenetworking.services.addPeering`

These permissions can be granted by adding all of the following predefined
roles:

- [Service Usage Admin](/iam/docs/roles-permissions/serviceusage#serviceusage.serviceUsageAdmin) (`roles/serviceusage.serviceUsageAdmin`)
- [Compute Network Admin](/compute/docs/access/iam#compute.networkAdmin) (`roles/compute.networkAdmin`)
- [Compute Security Admin](/compute/docs/access/iam#compute.securityAdmin) (`roles/compute.securityAdmin`)

Or, [create a custom role](/iam/docs/creating-custom-roles) containing the
specific permissions.

To grant a role to a user:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="user:EMAIL_ADDRESS" \
      --role=ROLE

Create and configure the VPC
----------------------------

1. Enable service networking.

       gcloud services enable servicenetworking.googleapis.com

2. Create a VPC network.

       gcloud compute networks create NETWORK_NAME \
         --subnet-mode=auto \
         --mtu=8896

   **Note:** Setting the value of `mtu` (*maximum transmission unit*, or the size of the largest IP packet that can be transmitted on this network) to the maximum allowed value of 8896 improves performance by up to 10% compared to the default value of 1460 bytes.

3. Create an IP range.

       gcloud compute addresses create IP_RANGE_NAME \
         --global \
         --purpose=VPC_PEERING \
         --prefix-length=20 \
         --description="Managed Lustre VPC Peering" \
         --network=NETWORK_NAME

4. Get the CIDR range associated with the range you created in the previous step.

       CIDR_RANGE=$(
         gcloud compute addresses describe IP_RANGE_NAME \
           --global \
           --format="value[separator=/](address, prefixLength)"
       )

5. Create a firewall rule to allow TCP traffic from the IP range you created.

       gcloud compute firewall-rules create FIREWALL_NAME \
         --allow=tcp:988,tcp:6988 \
         --network=NETWORK_NAME \
         --source-ranges=$CIDR_RANGE

6. Connect the peering.

       gcloud services vpc-peerings connect \
         --network=NETWORK_NAME \
         --ranges=IP_RANGE_NAME \
         --service=servicenetworking.googleapis.com

What's next
-----------

- [Create a Managed Lustre instance](/managed-lustre/docs/create-instance)
- [Troubleshoot VPC networks](/managed-lustre/docs/troubleshooting#troubleshooting-vpc-networks)
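To confirm that the firewall rule from the "Create a firewall rule" step stays as narrow as written (TCP 988 and 6988 only, sourced only from the reserved peering range), the following added example audits a rule exported with `gcloud compute firewall-rules describe FIREWALL_NAME --format=json`. It is not part of the original page or of Google's tooling; the function names and the sample rules and CIDR are constructed for illustration.

```python
import ipaddress

EXPECTED_PORTS = {988, 6988}  # the TCP ports opened in the firewall step above

def expand_ports(spec):
    """Expand a port spec such as "988" or "6000-7000" into a set of ints."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def audit_rule(rule, reserved_cidr):
    """Return a list of findings; an empty list means the rule matches the step."""
    reserved = ipaddress.ip_network(reserved_cidr)
    findings, opened, wide_open = [], set(), False
    if rule.get("direction", "INGRESS") != "INGRESS":
        findings.append("rule is not an ingress rule")
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol")
        if proto != "tcp":
            findings.append(f"non-TCP protocol allowed: {proto}")
            wide_open = wide_open or proto == "all"
        elif not entry.get("ports"):
            findings.append("every TCP port is allowed")
            wide_open = True
        else:
            for spec in entry["ports"]:
                opened |= expand_ports(spec)
    extra = opened - EXPECTED_PORTS
    if extra:
        findings.append(f"{len(extra)} extra TCP port(s) open, lowest {min(extra)}")
    if not wide_open:
        findings += [f"TCP port {p} is not allowed" for p in sorted(EXPECTED_PORTS - opened)]
    sources = rule.get("sourceRanges", [])
    if not sources:
        findings.append("no sourceRanges set")
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        if net.version != reserved.version or not net.subnet_of(reserved):
            findings.append(f"source range {src} is outside {reserved_cidr}")
    return findings

# Constructed sample input (hypothetical CIDR and rules, not real project data).
RESERVED = "10.20.0.0/20"
GOOD_RULE = {"direction": "INGRESS", "sourceRanges": ["10.20.0.0/20"],
             "allowed": [{"IPProtocol": "tcp", "ports": ["988", "6988"]}]}
LOOSE_RULE = {"direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
              "allowed": [{"IPProtocol": "tcp", "ports": ["988", "6000-7000"]}]}

if __name__ == "__main__":
    print(audit_rule(LOOSE_RULE, RESERVED))
```

Pass the value of `CIDR_RANGE` from step 4 as `reserved_cidr` when auditing a real rule.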