Configure networking

This page describes how to configure networking for Google Cloud NetApp Volumes. NetApp Volumes uses private services access to create a private connection that provides a high-throughput, low-latency data path.

Considerations

Consider the following before you begin to configure networking:

  • You can't share volumes between Virtual Private Cloud (VPC) instances: to share volumes, you need to share a Shared VPC from a host project with multiple service projects. Storage pools created on the Shared VPC from the service project are accessible to all service projects.

  • VPC private connections only need to be set up once: the private connection must be set up once per VPC. You don't need to repeat private connection setup for multiple service projects or regions.

  • You must assign a CIDR range: Classless Inter-Domain Routing (CIDR) ranges let you represent IP addresses and their corresponding networks for the service to use. The service uses IP addresses from the assigned CIDR range to assign volumes to the correct protocol type (Network File System (NFS) or Server Message Block (SMB)).

  • You can set up private connections before or during storage pool creation: both options let you specify a CIDR manually or have Google networking pick one for you automatically.

  • Choose a CIDR range that doesn't collide with on-premises network CIDR ranges: if you plan to use NetApp Volumes from on-premises networks through a VPN or Cloud Interconnect, we strongly recommend that you choose a CIDR range that doesn't collide with the CIDR ranges used in your on-premises network. A colliding range can cause IP collisions and routing issues.

Configure private services access

You can set up private services access later using the UI during storage pool creation, or do it manually as described in the following instructions. To learn more about private services access, see Configure private services access.

  1. Choose a CIDR range: NetApp Volumes supports the use of RFC 1918 or non-RFC 1918 IP address ranges. You can choose to have NetApp Volumes automatically select a CIDR or specify it manually. Manual selection lets you choose a specific address range. Pick a CIDR that is large enough to accommodate your volumes.

    You need a /28 CIDR range for Premium or Extreme service levels for each NetApp Volumes region you plan to use within your project. For the Standard service level in Preview, you need a /25 CIDR range. For the Standard service level, you need a /28 CIDR range. If you intend to use service projects, each service project requires an additional /28 CIDR range for Premium and Extreme service levels. For the Standard service level, you need an additional /25 or /28 based on region or location.

    The minimum CIDR range you can use is /24, which allows the provision of up to 16 region-service project combinations (/28 CIDRs). For some regions or locations within the Standard service level, the minimum is two region-service project combinations (/25 CIDRs). If you require more regions, service projects, or both, choose a CIDR which can accommodate more /28 (or /25) subnets.

  2. Enable the Service Networking API: you must set up private services access for NetApp Volumes separately from enabling it for other Google Cloud services that use servicenetworking.googleapis.com.

    Enable the API

  3. Set up private services access: use the following instructions to set up private services access using Google Cloud CLI:

    1. Reserve a static internal IP address range for your CIDR:

      gcloud compute addresses create netapp-addresses-production-vpc1 \
       --project=PROJECT_ID \
       --global \
       --purpose=VPC_PEERING \
       --prefix-length=24 \
       --network=VPC \
       --no-user-output-enabled
      

      Replace PROJECT_ID with the name of the project you intend to set up private services access in, and VPC with the name of your VPC network.

      This command chooses the base address for the CIDR automatically. To set a specific base address, include the following line:

        --addresses=192.168.0.0 \
      

      Replace 192.168.0.0 with the base address you intend to set up private services access for.

    2. Run the following command to peer the networks:

        gcloud services vpc-peerings connect \
         --project=PROJECT_ID \
         --service=netapp.servicenetworking.goog \
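         --ranges=netapp-addresses-production-vpc1 \
         --network=VPC

      Replace PROJECT_ID with the name of the project you intend to set up private services access in. To peer more than one reserved range, pass the names to --ranges as a comma-separated list, for example netapp-addresses-production-vpc1,psarange2.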

    3. Enable custom route propagation. Note that NetApp Volumes creates an sn-netapp-prod peering when the private connection is set up.

        gcloud compute networks peerings update sn-netapp-prod \
          --project=PROJECT_ID \
          --network=VPC \
          --import-custom-routes \
          --export-custom-routes
      

      Replace PROJECT_ID with the name of the project you intend to set up private services access in.
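The sizing and collision rules from step 1 and the considerations can be checked before the range is reserved. The following is an added example, not part of the original page or of Google's tooling; check_psa_range, ON_PREM and the sample ranges are constructed for illustration, and the capacity check assumes best-case packing of /28 and /25 blocks.

```python
import ipaddress

MIN_PREFIX = 24  # page: the reserved range must be at least a /24

# Constructed sample of on-premises ranges reachable over VPN or Interconnect.
ON_PREM = ["10.0.0.0/8", "192.168.0.0/20"]


def check_psa_range(candidate, on_prem_ranges, need_28=0, need_25=0):
    """Return a list of problems; an empty list means the range passes.

    need_28 / need_25 count the region-service project combinations that
    consume a /28 or a /25 under the sizing rules on this page.
    """
    try:
        # strict=True rejects a base address that has host bits set.
        net = ipaddress.IPv4Network(candidate, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]

    problems = []
    if net.prefixlen > MIN_PREFIX:
        problems.append(f"/{net.prefixlen} is smaller than the /{MIN_PREFIX} minimum")

    for raw in on_prem_ranges:
        other = ipaddress.IPv4Network(raw, strict=False)
        if net.overlaps(other):
            problems.append(f"overlaps on-premises range {other}")

    # Assumption: best-case packing. Aligned power-of-two blocks fit
    # whenever their address total fits, so compare address counts.
    needed = need_28 * 2 ** (32 - 28) + need_25 * 2 ** (32 - 25)
    if needed > net.num_addresses:
        problems.append(f"needs {needed} addresses, range holds {net.num_addresses}")
    return problems


if __name__ == "__main__":
    for cidr, n28, n25 in [("172.16.50.0/24", 16, 0), ("192.168.0.0/24", 4, 0),
                           ("172.16.50.0/24", 1, 2), ("172.16.50.0/28", 1, 0)]:
        print(cidr, n28, n25, check_psa_range(cidr, ON_PREM, n28, n25) or "OK")
```

A range that passes can be supplied through --addresses and --prefix-length in the reservation command from step 3.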

What's next

Set up IAM permissions.