IBM Cloud Docs
Accessing VPC zonal file storage shares from IBM Power Virtual Server Instances

Accessing VPC zonal file storage shares from IBM Power Virtual Server Instances

This tutorial might incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage.

In this tutorial, you learn how to mount a file share on an IBM Power Virtual Server server instance. You cannot directly mount a file storage share on IBM Power Virtual Server instances and must instead use a path through a network load balancer (NLB). You create a file storage share and a mount target in IBM VPC. You create a network load balancer with routing mode, and a route table in IBM VPC. Then, you mount the file storage share on the virtual server instance in IBM Power Virtual Server.

The following architecture overview diagram illustrates this scenario.

The virtual server instance in IBM Power Virtual Server sends a request through a transit gateway to the file storage share. According to the rule in the routing table of the VPC, the network traffic to the file storage share is directed to the network load balancer. The network load balancer has Routing_mode enabled. It bypasses a back-end pool and sends requests directly to the destination IP address. The file storage share responds and the response is sent directly to the virtual server instance in IBM Power Virtual Server. The network load balancer (NLB) with routing mode has two IP addresses (active and standby). When a failover occurs, the route mode updates all routing rules that are created for the VPC with a next_hop of the standby IP. Both the active IP and the standby IP are used during the lifetime of an NLB with route mode.

A diagram that shows the architecture for accessing File Storage for VPC.
Architecture overview diagram

Before you begin

  • Create a VPC or use an existing one.
  • Create a subnet in the VPC for your preferred zone.
  • Create an IBM Power Virtual Server workspace in the IBM Cloud region.
  • Create a Transit Gateway and attach the VPC subnet and the IBM Power Virtual Server workspace to the Transit Gateway.
  • Check the user permissions. Make sure that your user account has permissions to create and manage VPC resources. See Granting user permissions for VPC resources.
  • Use or create an SSH key to connect to the virtual server instances. If you don't have an SSH key, see Getting started with SSH keys.

Creating a security group to allow NFS V4 traffic

Create a security group and configure inbound rules for port 2049.

  1. Go to Security groups for VPC and click Create.
  2. Verify or set the Geography and Region fields.
  3. Enter nfs-server-sg for the Name.
  4. Select the same Resource group as the VPC resource group.
  5. Select your VPC in the Virtual private cloud list.
  6. Create an inbound rule for each virtual server instance (NFS client).
    1. In the Inbound rules section, click Create.
    2. Configure the rule as follows:
      • Protocol: Select TCP.
      • Port: Select Port range, and enter 2049 for both Port min and Port max.
      • Source type: Select IP or CIDR.
        • Enter the IP address of each virtual server instance.
        • If your instances are in a subnet and you want to allow access from all members of the subnet, enter the subnet's CIDR block.
      • Destination type: Select Any.
    3. Configure the rule as follows in addition to above when provisioning a mount target with in-transit encryption EIT:
      • Protocol: Select TCP.
      • Port: Select Port range, and enter 20049 for both Port min and Port max.
      • Source type: Select IP or CIDR.
        • Enter the IP address of each virtual server instance.
        • If your instances are in a subnet and you want to allow access from all members of the subnet, enter the subnet's CIDR block.
      • Destination type: Select Any.
    4. Click Create to save the rule.
  7. Create a common outbound rule.
    1. In the Outbound rules section, click Create.
    2. Configure the rule as follows:
      • Protocol: Select TCP.
      • Port: Select Any.
      • Destination type: Select Any.
      • Source type: Select Any.
    3. Click Create to save the rule.
  8. Finalize the security group.
    • Click Create security group to apply the configuration.

Provisioning file storage with zonal availability

The availability cannot be modified after provisioning.

The encryption setting of a mount target cannot be modified after it has been created. To change the encryption, you must delete the existing mount target and recreate it. This process does not affect the underlying data, and no data will be lost.

  1. Go to File storage shares for VPC.
  2. Click Create > Create file share.
  3. In the Availability section, choose Single Zone availability.
  4. In the Location section, select the same Geography, Region, and Zone as the virtual private cloud.
  5. Enter nfs-server in the Name field. Select the same Resource group as the VPC resource group.
  6. In the Size section, enter the Storage size in GB.
  7. Enter a Max IOPS value.
  8. In the Mount target access mode section, select Security groups.
  9. In the Mount targets (optional) section, click Create.
    • Enter nfs-server-mount-targetin the Mount target name field.
    • Select your VPC.
    • In the Network interfaces section, click the pencil icon on the new interface.
    • Verify the selected subnet and click Next.
    • In the Security groups section, check the nfs-server-sg security group, clear the VPC default security group, and click Next.
    • Click Next to get to the Review section, then click Save.
    • Back on the Create mount target screen, click Next.
    • Encryption in transit is disabled by default. If required click the toggle to change the preset value. For more information about this feature, see Encryption in transit - Securing mount connections between file share and host.
    • In the Review step, click Create.
  10. Click Create file share to provision the file storage and the mount target.

Gathering the file storage IP address and mount path information

  1. Go to File storage shares for VPC.
  2. Click the Name nfs-server.
  3. In the Mount targets section, click the Name of the mount target in the VPC to view the mount target details.
  4. Make a note of the Mount path. In the example, the mount path is 10.20.30.40:/73a1ff96_4861_4463_aa09_8c8128b8e277fsf. The first part of the mount path is the Primary IP of the mount target: 10.20.30.40 .

Later, the Destination parameter in the VPC route entry is set to the Primary IP of the mount target. The Mount path parameter is used as an argument to the mount command on the IBM Power Virtual Server instance.

Creating the private network load balancer with routing mode

Creating the service-to-service authentication policy

To support routing mode, you must first create a service-to-service authentication policy for your NLB.

  1. Log in to IBM Access Management.
  2. Click Authorizations, then click Create.
  3. Select This account for Source account and click Next.
  4. Select VPC Infrastructure Services for Service and click Next.
  5. Select Specific resources > Resource Type > Load Balancer for VPC for the scope access and click Next.
  6. Select VPC Infrastructure Services for the target service and click Next.
  7. Select Specific resources > Resource Type > Virtual Private Cloud for the scope access and click Next.
  8. Select the Editor checkbox to grant the Editor access role.
  9. Click Authorize.

Creating the network load balancer

  1. Go to Load balancers for VPC and click Create.

  2. Select Network Load Balancer (NLB) as the Load balancer type.

  3. In the Location section, select the same Geography and Region that is used for the virtual private cloud.

  4. Enter nfs-server-nlb in the Name field.

  5. Select the same Resource group as the VPC resource group.

  6. Select your VPC in the Virtual private cloud list.

  7. Select the Subnet.

  8. Check Private in the Type section.

  9. Set Routing mode to On to create a network load balancer with routing mode.

  10. In the Back-end pools section, click Create pool. Set the parameters to the following values.

    • Name: nfs-server-fwd-pool
    • Pool protocol: TCP
    • Session stickiness: None
    • Method: Round robin
    • Click Create.

  11. In the Front-end listeners section, click Create listener. Select your Back-end pool and click Save.

  12. In the Security Groups sections, check the nfs-server-sg security group, and clear the default security group.

  13. Click Create load balancer to provision the load balancer.

As part of the process, you create a back-end pool. However, you cannot define the back-end pool Failsafe policy directly, and it must be updated in the next step.

Updating the network load balancer failsafe policy

Update the Failsafe policy for the nfs-server-fwd-pool back-end pool. The network load balancer then bypasses the back-end pool and sends requests directly to the destination IPs.

  1. Go to Load balancers for VPC.
  2. Click the load balancer nfs-server-nlb.
  3. Click the Back-end pools tab and select the pool nfs-server-fwd-pool.
  4. Click nfs-server-fwd-pool and then Edit.
  5. In the Failsave policy section, select Bypass as the Action.
  6. Click Save.

Collecting the private IP addresses of the load balancer

  1. Go to Load balancers for VPC.
  2. Click nfs-server-nlb.
  3. In the Load balancer details - Private IPs section, make a note of the first IP address entry in the list.

Later, the Next hop parameter in the VPC route entry is set to the active Private IP address of the load balancer.

Creating a routing table and routes for VPC

Creating a routing table

Customize the Ingress routes to route incoming traffic from external sources such as the IBM Cloud Transit Gateway. Only one custom routing table is associated with an ingress source. If an ingress routing table exists for the IBM Cloud Transit Gateway source, add the route to that table.

  1. Go to Routing tables for VPC.
  2. Click Create.
  3. In the Location section, select the same Geography and Region that is used for the virtual private cloud.
  4. Enter nfs-server-routing in the Name field.
  5. Select your VPC in the Virtual private cloud list.
  6. Enable the Transit gateway flag in the Traffic source (optional) section.
  7. Click Create routing table to provision the routing table.

Updating the routing table

To propagate routes outside the VPC address prefix range, enable Advertise to for the transit gateway.

  1. Go to Routing tables for VPC.
  2. Click on the name of the ingress route that you created earlier.
  3. In the Traffic section, click Edit to open the Edit traffic panel.
  4. Under Traffic source, expand the Transit Gateway section.
  5. Toggle the Advertise to switch to On.
  6. Click Save to apply the changes to the routing table.

Creating a route

  1. Go to Routing tables for VPC.
  2. Click the name nfs-server-routing.
  3. Click Create.
  4. Select the zone for your route in the Zone field.
  5. Enter nfs-server in the Name field.
  6. Using CIDR notation, enter the primary IP address of the file share as Destination CIDR.
  7. Select Deliver as the Action.
  8. Enter the IP address of the network load balancer as the Next hop (IP address).
  9. Click Save to add the route to the table.

Mounting the file share on the IBM Power Virtual Server instance

Log on as the root user to the server instance in IBM Power Virtual Server where you want to mount the file share.

  • Mounting when not using in-transit encryption

    1. Install the NFS client packages on the instance.

      dnf install nfs-utils

    2. Create a directory for the mount point.

      mkdir <mount_point>

    3. Mount the remote file share.

      mount -t nfs4 -o <options> <host:/mount_target> <mount_point>

      See the following example.

      mkdir /mnt/test
mount -t nfs4 -o rw,sec=sys 10.20.30.40:/ea90ea14_0a1b_4f36_85c0_1cf83a2c8065 /mnt/test