Google Cloud Managed Lustre runs within a Virtual Private Cloud (VPC), which provides networking functionality to Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) clusters, and serverless workloads.
The same VPC network must be specified when creating the Managed Lustre instance and client Compute Engine VMs or Google Kubernetes Engine clusters.
You must also configure private services access within your VPC.
Required permissions
You must have the following IAM permissions:
serviceusage.services.enable
compute.networks.create
compute.addresses.create
compute.addresses.get
compute.firewalls.create
servicenetworking.services.addPeering
These permissions can be granted by adding all of the following predefined roles:
- Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
- Compute Network Admin (roles/compute.networkAdmin)
- Compute Security Admin (roles/compute.securityAdmin)
Or, for least privilege, create a custom role containing only the specific permissions listed above.
To grant a role to a user (note the line-continuation backslash after each flag):
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="user:EMAIL_ADDRESS" \
    --role=ROLE
Create and configure the VPC
Enable the Service Networking API, which private services access depends on.
gcloud services enable servicenetworking.googleapis.com
Create a VPC network. The MTU of 8896 is what Managed Lustre traffic expects; client VMs must be on this same network.
gcloud compute networks create NETWORK_NAME \
    --subnet-mode=auto \
    --mtu=8896
Reserve an IP range for the service producer. The --purpose=VPC_PEERING flag marks it as an allocated range for private services access rather than an address you can attach to a VM.
gcloud compute addresses create IP_RANGE_NAME \
    --global \
    --purpose=VPC_PEERING \
    --prefix-length=20 \
    --description="Managed Lustre VPC Peering" \
    --network=NETWORK_NAME
Get the CIDR range associated with the range you created in the previous step.
CIDR_RANGE=$(gcloud compute addresses describe IP_RANGE_NAME \
    --global \
    --format="value[separator=/](address, prefixLength)")
Create an ingress firewall rule that allows TCP traffic on the Lustre ports (988 and 6988) from the reserved range only. As written, the rule applies to every VM in the network; if only some VMs will mount the file system, narrow it with --target-tags or --target-service-accounts so the rest of the network is not exposed.
gcloud compute firewall-rules create FIREWALL_NAME \
    --allow=tcp:988,tcp:6988 \
    --network=NETWORK_NAME \
    --source-ranges=$CIDR_RANGE
Connect the peering so the service producer's network can reach the reserved range.
gcloud services vpc-peerings connect \
    --network=NETWORK_NAME \
    --ranges=IP_RANGE_NAME \
    --service=servicenetworking.googleapis.com
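The steps above, collected into one script as an added example (this is not Google's code and not part of the original page). Each step checks whether its resource already exists before creating it, so the script can be re-run after a partial failure; the firewall rule is scoped to a hypothetical network tag (CLIENT_TAG, default lustre-client) that you would put on Lustre client VMs; and the peering is verified after connection by parsing `gcloud services vpc-peerings list` output, assuming the documented `value()` format, which joins repeated fields with `;`. The project, network and range names are placeholder defaults that you override through environment variables; `vpc-peerings update --force` is used on the assumption that a peering for another range may already exist on the network and the new range should be added to it.

```shell
#!/usr/bin/env bash
# Added example, not Google's code: the Managed Lustre VPC preparation steps
# as idempotent functions, with a scoped firewall rule and a peering check.
# Assumes gcloud is installed and authenticated. CLIENT_TAG is a hypothetical
# network tag applied to the VMs that will mount Lustre.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
NETWORK_NAME="${NETWORK_NAME:-lustre-vpc}"
IP_RANGE_NAME="${IP_RANGE_NAME:-lustre-peering-range}"
PREFIX_LEN="${PREFIX_LEN:-20}"
FIREWALL_NAME="${FIREWALL_NAME:-allow-lustre-from-peering}"
CLIENT_TAG="${CLIENT_TAG:-lustre-client}"
SERVICE="servicenetworking.googleapis.com"

# --- pure helpers (no gcloud calls, so they can be exercised offline) --------

# The only two ports the page opens for Managed Lustre traffic.
lustre_ports() { printf 'tcp:988,tcp:6988'; }

# Accept only "a.b.c.d/N" with octets 0-255 and N in 0-32.
cidr_is_valid() {
  printf '%s' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])/([0-9]|[12][0-9]|3[0-2])$'
}

# Prefix length of a CIDR string, e.g. "10.0.0.0/20" -> "20".
cidr_prefix() { printf '%s' "${1##*/}"; }

# $1: output of `gcloud services vpc-peerings list --format="value(reservedPeeringRanges)"`
#     (one line per peering, range names joined by ';').  $2: range name.
# Succeeds only if the named range is attached to some peering.
peering_has_range() {
  listing=$(printf '%s' "$1" | tr '\n' ';')
  case ";$listing;" in *";$2;"*) return 0 ;; esac
  return 1
}

# --- idempotent steps --------------------------------------------------------

ensure_network() {
  gcloud compute networks describe "$NETWORK_NAME" --project="$PROJECT_ID" >/dev/null 2>&1 ||
    gcloud compute networks create "$NETWORK_NAME" --project="$PROJECT_ID" \
      --subnet-mode=auto --mtu=8896
}

ensure_range() {
  gcloud compute addresses describe "$IP_RANGE_NAME" --global --project="$PROJECT_ID" >/dev/null 2>&1 ||
    gcloud compute addresses create "$IP_RANGE_NAME" --global --project="$PROJECT_ID" \
      --purpose=VPC_PEERING --prefix-length="$PREFIX_LEN" \
      --description="Managed Lustre VPC Peering" --network="$NETWORK_NAME"
}

# Read the reservation back and refuse to continue if it is not what was asked for.
range_cidr() {
  cidr=$(gcloud compute addresses describe "$IP_RANGE_NAME" --global --project="$PROJECT_ID" \
    --format="value[separator=/](address, prefixLength)")
  cidr_is_valid "$cidr" && [ "$(cidr_prefix "$cidr")" = "$PREFIX_LEN" ] || {
    echo "unexpected reservation for $IP_RANGE_NAME: '$cidr'" >&2; return 1; }
  printf '%s' "$cidr"
}

# Ingress from the peered range only, on the Lustre ports only, and only to
# VMs carrying CLIENT_TAG rather than to every VM in the network.
ensure_firewall() {
  gcloud compute firewall-rules describe "$FIREWALL_NAME" --project="$PROJECT_ID" >/dev/null 2>&1 ||
    gcloud compute firewall-rules create "$FIREWALL_NAME" --project="$PROJECT_ID" \
      --network="$NETWORK_NAME" --direction=INGRESS --allow="$(lustre_ports)" \
      --source-ranges="$1" --target-tags="$CLIENT_TAG"
}

list_peering_ranges() {
  gcloud services vpc-peerings list --network="$NETWORK_NAME" --project="$PROJECT_ID" \
    --service="$SERVICE" --format="value(reservedPeeringRanges)"
}

ensure_peering() {
  listing=$(list_peering_ranges)
  if [ -z "$listing" ]; then
    gcloud services vpc-peerings connect --network="$NETWORK_NAME" --project="$PROJECT_ID" \
      --ranges="$IP_RANGE_NAME" --service="$SERVICE"
  elif ! peering_has_range "$listing" "$IP_RANGE_NAME"; then
    # A peering for another range already exists; add ours to it (assumed use of update).
    gcloud services vpc-peerings update --network="$NETWORK_NAME" --project="$PROJECT_ID" \
      --ranges="$IP_RANGE_NAME" --service="$SERVICE" --force
  fi
  # Verify, rather than trust, that the range is now attached.
  peering_has_range "$(list_peering_ranges)" "$IP_RANGE_NAME"
}

setup_lustre_vpc() {
  gcloud services enable "$SERVICE" --project="$PROJECT_ID"
  ensure_network
  ensure_range
  cidr=$(range_cidr)
  ensure_firewall "$cidr"
  ensure_peering
  echo "Managed Lustre VPC ready: $NETWORK_NAME, range $IP_RANGE_NAME ($cidr)"
}

# Only touch the project when explicitly asked (`./lustre-vpc.sh setup`), so the
# file can be sourced for its helpers without side effects.
if [ "${1:-}" = "setup" ]; then setup_lustre_vpc; fi
```

Run it as `PROJECT_ID=your-project ./lustre-vpc.sh setup`; a second run is a no-op apart from the final verification, and a reservation that comes back with a different prefix length than PREFIX_LEN aborts before any firewall rule is created.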