Configure a VPC network

Google Cloud Managed Lustre runs within a Virtual Private Cloud (VPC) which provides networking functionality to Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) clusters, and serverless workloads.

The same VPC network must be specified when creating the Managed Lustre instance and client Compute Engine VMs or Google Kubernetes Engine clusters.

You must also configure private services access within your VPC.

Required permissions

You must have the following IAM permissions:

serviceusage.services.enable
compute.networks.create
compute.addresses.create
compute.addresses.get
compute.firewalls.create
servicenetworking.services.addPeering

These permissions can be granted by adding all of the following predefined roles:

Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
Compute Network Admin (roles/compute.networkAdmin)
Compute Security Admin (roles/compute.securityAdmin)

Or, create a custom role containing the specific permissions.

To grant a role to a user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="user:EMAIL_ADDRESS"
  --role=ROLE

Create and configure the VPC

Enable service networking.

gcloud services enable servicenetworking.googleapis.com

Create a VPC Network.
```
gcloud compute networks create NETWORK_NAME \
  --subnet-mode=auto \
  --mtu=8896
```
Note: Setting the value of mtu (maximum transmission unit, or the size of the largest IP packet that can be transmitted on this network) to the maximum allowed value of 8896 improves performance up to 10% compared to the default value of 1460 bytes.

Create an IP range.

gcloud compute addresses create IP_RANGE_NAME \
  --global \
  --purpose=VPC_PEERING \
  --prefix-length=20 \
  --description="Managed Lustre VPC Peering" \
  --network=NETWORK_NAME

Get the CIDR range associated with the range you created in the previous step.

CIDR_RANGE=$(
  gcloud compute addresses describe IP_RANGE_NAME \
    --global  \
    --format="value[separator=/](address, prefixLength)"
)

Create a firewall rule to allow TCP traffic from the IP range you created.

gcloud compute firewall-rules create FIREWALL_NAME \
  --allow=tcp:988,tcp:6988 \
  --network=NETWORK_NAME \
  --source-ranges=$CIDR_RANGE

Connect the peering.

gcloud services vpc-peerings connect \
  --network=NETWORK_NAME \
  --ranges=IP_RANGE_NAME \
  --service=servicenetworking.googleapis.com

Configure a VPC network Stay organized with collections Save and categorize content based on your preferences.

Required permissions

Create and configure the VPC

What's next

Configure a VPC network