IBM Cloud Docs
Accessing VPC zonal file storage shares from Virtual Server Instances in VPC


This tutorial might incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage.

In this tutorial, you learn how to mount a file share on a virtual server instance in VPC.

The following architecture overview diagram illustrates this scenario.

[Figure: Architecture overview diagram, showing the architecture for accessing File Storage for VPC.]

Before you begin

  • Create a VPC or use an existing one.
  • Create a subnet in the VPC for your preferred zone.
  • Create an IBM Power Virtual Server workspace in the IBM Cloud region.
  • Create a Transit Gateway and attach the VPC subnet and the IBM Power Virtual Server workspace to the Transit Gateway.
  • Check the user permissions. Make sure that your user account has permissions to create and manage VPC resources. See Granting user permissions for VPC resources.
  • Use or create an SSH key to connect to the virtual server instances. If you don't have an SSH key, see Getting started with SSH keys.

Creating a security group to allow NFS V4 traffic

Create a security group and configure inbound rules for port 2049.

  1. Go to Security groups for VPC and click Create.
  2. Verify or set the Geography and Region fields.
  3. Enter nfs-server-sg for the Name.
  4. Select the same Resource group as the VPC resource group.
  5. Select your VPC in the Virtual private cloud list.
  6. Create an inbound rule for each virtual server instance (NFS client).
    1. In the Inbound rules section, click Create.
    2. Configure the rule as follows:
      • Protocol: Select TCP.
      • Port: Select Port range, and enter 2049 for both Port min and Port max.
      • Source type: Select IP or CIDR.
        • Enter the IP address of each virtual server instance.
        • If your instances are in a subnet and you want to allow access from all members of the subnet, enter the subnet's CIDR block.
      • Destination type: Select Any.
    3. When you provision a mount target with encryption in transit (EIT), configure an additional rule as follows:
      • Protocol: Select TCP.
      • Port: Select Port range, and enter 20049 for both Port min and Port max.
      • Source type: Select IP or CIDR.
        • Enter the IP address of each virtual server instance.
        • If your instances are in a subnet and you want to allow access from all members of the subnet, enter the subnet's CIDR block.
      • Destination type: Select Any.
    4. Click Create to save the rule.
  7. Create a common outbound rule.
    1. In the Outbound rules section, click Create.
    2. Configure the rule as follows:
      • Protocol: Select TCP.
      • Port: Select Any.
      • Destination type: Select Any.
      • Source type: Select Any.
    3. Click Create to save the rule.
  8. Finalize the security group.
    • Click Create security group to apply the configuration.
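
A check of an exported rule set against the inbound rules from steps 6.2 and 6.3, added here as an example (not IBM's code): it flags inbound TCP rules that are open to any source or cover other ports, and reports NFS clients that lack a rule for port 2049 (and 20049 with encryption in transit). The rule field names and the sample rules are assumptions, constructed for illustration.

```python
import ipaddress

NFS_PORT, EIT_PORT = 2049, 20049  # ports named in the tutorial's inbound rules

# Constructed sample, shaped like the "rules" array of a VPC security group
# (field names are an assumption; adjust them to match your own export).
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "port_min": 2049, "port_max": 2049,
     "remote": {"cidr_block": "10.20.30.0/24"}},
    {"direction": "inbound", "protocol": "tcp", "port_min": 2049, "port_max": 2049,
     "remote": {"cidr_block": "0.0.0.0/0"}},
    {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"address": "10.20.30.5"}},
    {"direction": "outbound", "protocol": "tcp", "port_min": 1, "port_max": 65535,
     "remote": {"cidr_block": "0.0.0.0/0"}},
]


def _source(rule):
    """Return the rule's source as an ip_network, or None for non-IP remotes."""
    remote = rule.get("remote", {})
    value = remote.get("cidr_block") or remote.get("address")
    return ipaddress.ip_network(value, strict=False) if value else None


def audit_nfs_rules(rules, client_ips, eit=False):
    """Compare inbound TCP rules with the tutorial's intent; return findings."""
    findings = []
    wanted = {NFS_PORT, EIT_PORT} if eit else {NFS_PORT}
    inbound = [r for r in rules if r.get("direction") == "inbound"
               and r.get("protocol") == "tcp"]
    for rule in inbound:
        lo, hi = rule.get("port_min", 1), rule.get("port_max", 65535)
        src = _source(rule)
        if not any(lo <= p <= hi for p in wanted):
            findings.append(f"unexpected inbound tcp/{lo}-{hi}")
        elif src is not None and src.prefixlen == 0:
            findings.append(f"tcp/{lo}-{hi} open to any source ({src})")
        elif (lo, hi) not in {(p, p) for p in wanted}:
            findings.append(f"tcp/{lo}-{hi} is wider than a single NFS port")
    for ip in map(ipaddress.ip_address, client_ips):
        for port in sorted(wanted):
            ok = any(r.get("port_min", 1) <= port <= r.get("port_max", 65535)
                     and _source(r) is not None and ip in _source(r)
                     for r in inbound)
            if not ok:
                findings.append(f"client {ip} has no rule for tcp/{port}")
    return findings
```

Calling `audit_nfs_rules(SAMPLE_RULES, ["10.20.30.5"], eit=True)` returns three findings: the rule open to 0.0.0.0/0, the unrelated port 22 rule, and the missing 20049 rule for the client.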

Provisioning a file storage share

The availability cannot be modified after provisioning.

The encryption setting of a mount target cannot be modified after it has been created. To change the encryption, you must delete the existing mount target and recreate it. This process does not affect the underlying data, and no data will be lost.

  1. Go to File storage shares for VPC.
  2. Click Create > Create file share.
  3. In the Availability section, choose Single Zone availability.
  4. In the Location section, select the same Geography, Region, and Zone as the virtual private cloud.
  5. Enter nfs-server in the Name field. Select the same Resource group as the VPC resource group.
  6. In the Size section, enter the Storage size in GB.
  7. Enter a Max IOPS value.
  8. In the Mount target access mode section, select Security groups.
  9. In the Mount targets (optional) section, click Create.
    • Enter nfs-server-mount-target in the Mount target name field.
    • Select your VPC.
    • In the Network interfaces section, click the pencil icon on the new interface.
    • Verify the selected subnet and click Next.
    • In the Security groups section, check the nfs-server-sg security group, clear the VPC default security group, and click Next.
    • Click Next to get to the Review section, then click Save.
    • Back on the Create mount target screen, click Next.
    • Encryption in transit is disabled by default. If required, click the toggle to change the preset value. For more information about this feature, see Encryption in transit - Securing mount connections between file share and host.
    • In the Review step, click Create.
  10. Click Create file share to provision the file storage and the mount target.

Gathering the file storage IP address and mount path information

  1. Go to File storage shares for VPC.
  2. Click the Name nfs-server.
  3. In the Mount targets section, click the Name of the mount target in the VPC to view the mount target details.
  4. Make a note of the Mount path. In the example, the mount path is 10.20.30.40:/73a1ff96_4861_4463_aa09_8c8128b8e277fsf. The first part of the mount path is the Primary IP of the mount target: 10.20.30.40.

The Mount path parameter is used as an argument to the mount command on the Virtual server instance in VPC.

Mounting the file share on the VPC Virtual server instance

Log on as the root user to the server instance in VPC where you want to mount the file share.

  • Mounting when not using in-transit encryption

    1. Install the NFS client packages on the instance.

      dnf install nfs-utils
      
    2. Create a directory for the mount point.

      mkdir <mount_point>
      
    3. Mount the remote file share.

      mount -t nfs4 -o <options> <host:/mount_target> <mount_point>
      

      See the following example.

      mkdir /mnt/test
      mount -t nfs4 -o rw,sec=sys 10.20.30.40:/ea90ea14_0a1b_4f36_85c0_1cf83a2c8065 /mnt/test