Google Cloud Managed Lustre runs within a Virtual Private Cloud (VPC) which provides networking functionality to Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) clusters, and serverless workloads.
The same VPC network must be specified when creating the Managed Lustre instance and client Compute Engine VMs or Google Kubernetes Engine clusters.
You must also configure private services access within your VPC.
Configure IAM permissions
You must have one of the following IAM permissions in order to set up network peering for your project:
- Compute Network Admin (
roles/compute.networkAdmin) - Service Networking Admin
(
roles/servicenetworking.networksAdmin)
To grant a role to a user:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="user:EMAIL_ADDRESS"
--role=ROLE
Create and configure the VPC
Enable service networking.
gcloud services enable servicenetworking.googleapis.comCreate a VPC Network.
gcloud compute networks create NETWORK_NAME \ --subnet-mode=auto \ --mtu=8896Create an IP range.
gcloud compute addresses create IP_RANGE_NAME \ --global \ --purpose=VPC_PEERING \ --prefix-length=20 \ --description="Managed Lustre VPC Peering" \ --network=NETWORK_NAMEGet the CIDR range associated with the range you created in the previous step.
CIDR_RANGE=$( gcloud compute addresses describe IP_RANGE_NAME \ --global \ --format="value[separator=/](address, prefixLength)" )Create a firewall rule to allow TCP traffic from the IP range you created.
gcloud compute firewall-rules create FIREWALL_NAME \ --allow=tcp:988,tcp:6988 \ --network=NETWORK_NAME \ --source-ranges=$CIDR_RANGEConnect the peering.
gcloud services vpc-peerings connect \ --network=NETWORK_NAME \ --ranges=IP_RANGE_NAME \ --service=servicenetworking.googleapis.com