Migrating from VPC access control mode to security group access control mode

The VPC access control mode for zonal file shares is deprecated and scheduled to reach End of Support on 06 May 2027. If you have file shares that use the VPC access control mode, you must migrate them to security group access control mode before the End of Support date.

The VPC access control mode allows all virtual server instances and bare metal servers in a VPC to access a file share. The security group access control mode provides more granular control by restricting access to specific compute resources based on security group rules. Security group access control mode also supports additional features such as encryption in transit, cross-zone mounting, and snapshots.

Before you begin

Before you migrate your file shares from VPC access control mode to security group access control mode, review the following requirements:

Ensure that you have the necessary IAM permissions to manage file shares and mount targets.
Identify all file shares in your account that use VPC access control mode.
Plan your security group configuration to ensure that authorized compute resources can access the file share after migration.
Schedule a maintenance window for the migration, as the file share is temporarily unavailable during the process.

Migration overview

The migration process involves the following steps:

Unmount the file share from all compute hosts
Delete all mount targets from the file share
Delete replica file shares (if applicable)
Update the access control mode to security group
Create new mount targets with security group access
Recreate replica file shares (if applicable)
Mount the file share on compute hosts

Step 1: Unmount the file share from all compute hosts

Before you can delete the mount targets, you must unmount the file share from all virtual server instances and bare metal servers where it is currently mounted.

First, identify the file shares that use VPC access control mode. You can list all file shares, then filter the results to show only shares with access_control_mode set to vpc by using the CLI or the API.

If your environment supports JSON output, you can use jq to filter the output of ibmcloud is shares:

ibmcloud is shares --output json | jq '.[] | select(.access_control_mode == "vpc") | {id, name, access_control_mode}'

Make a GET /shares request and pipe the JSON response to jq:

curl -s -X GET "$vpc_api_endpoint/v1/shares?version=2026-04-28&generation=2" \
  -H "Authorization: Bearer $iam_token" | jq '.shares[] | select(.access_control_mode == "vpc") | {id, name, access_control_mode}'

After you identify the shares that use VPC access control mode, connect to each compute host where those shares are mounted, and run the umount command with the mount point name. For example:

umount /mnt/my-file-share

For more information about unmounting file shares on different operating systems, see Mounting and unmounting file shares.

Step 2: Delete all mount targets from the file share

After unmounting the file share from all compute hosts, delete all mount targets associated with the file share. You must delete all mount targets before you can update the access control mode.

Deleting mount targets in the console

In the IBM Cloud console, click the Navigation menu icon > Infrastructure > Storage > File storage shares.
Select the file share that you want to migrate from the list.
On the File share details page, locate the mount target that you want to delete in the Mount targets section.
Click the Actions icon and select Delete.
Repeat steps 3-4 for each mount target associated with the file share.

For more information, see Deleting mount target of a file share in the console.

Deleting mount targets from the CLI

Run the share-mount-target-delete command for each mount target associated with the file share. You can use either the mount target name or ID.

ibmcloud is share-mount-target-delete SHARE_ID MOUNT_TARGET_ID

Where:

SHARE_ID is the ID or name of the file share.
MOUNT_TARGET_ID is the ID or name of the mount target to delete.

Example:

ibmcloud is share-mount-target-delete my-file-share my-mount-target

When prompted, type y to confirm the deletion. Repeat this command for each mount target associated with the file share.

For more information, see Deleting a mount target of a file share from the CLI.

Deleting mount targets with the API

Make a DELETE /shares/{share_id}/mount_targets/{mount_target_id} request to delete each mount target associated with the file share.

curl -X DELETE \
"$vpc_api_endpoint/v1/shares/$share_id/mount_targets/$mount_target_id?version=2026-04-28&generation=2" \
-H "Authorization: Bearer $iam_token"

Repeat this request for each mount target associated with the file share.

For more information, see Deleting a mount target with the API.

Deleting mount targets with Terraform

To delete a mount target with Terraform, remove the ibm_is_share_mount_target resource from your Terraform configuration file, then run terraform apply.

# Remove or comment out the mount target resource
# resource "ibm_is_share_mount_target" "example" {
#   share = ibm_is_share.example.id
#   name  = "my-mount-target"
#   vpc   = ibm_is_vpc.example.id
# }
```## Step 3: Delete replica file shares (if applicable)
{: #fs-migrate-delete-replica}

If your file share has a replica file share, you must delete the replica before you can update the access control mode of the source file share. The replication relationship must be removed first, which creates two independent file shares. Then, you can delete the replica file share and its mount targets.

If your file share does not have a replica, skip this step and proceed to [Step 4: Update the access control mode to security group](#fs-migrate-update-mode).
{: tip}

### Removing the replication relationship in the console {: #fs-migrate-delete-replica-ui ui}

1. In the [IBM Cloud console](/login){: external}, click the **Navigation menu** icon ![menu icon](../icons/icon_hamburger.svg) **> Infrastructure** ![VPC icon](../icons/vpc.svg) **> Storage > File storage shares**.
2. Click the name of the source file share to go to its details page.
3. In the **File share replication relationship** section, click **Remove replication relationship**.
4. In the confirmation window, click **Unlink**. The replication relationship is removed, creating two independent file shares.
5. After the replication relationship is removed, delete the mount targets of the replica file share by following the same steps as in [Step 2: Delete all mount targets from the file share](#fs-migrate-delete-targets).
6. Return to the list of file shares, select the replica file share, click the **Actions** icon ![Actions icon](../icons/action-menu-icon.svg "Actions"), and select **Delete**.
7. Confirm the deletion when prompted.

For more information, see [Removing the replication relationship in the console](/docs/vpc?topic=vpc-file-storage-manage-replication&interface=ui#fs-remove-replication-ui) and [Deleting replica and source file shares](/docs/vpc?topic=vpc-file-storage-manage-replication#fs-delete-replicas).

### Removing the replication relationship from the CLI {: #fs-migrate-delete-replica-cli cli}

1. List your file shares to identify the replica file share:

   ```sh {: pre}
   ibmcloud is shares

Look for the file share with replica in the Replication role column.

Remove the replication relationship by running the share-replica-split command with the replica file share ID:
```
ibmcloud is share-replica-split REPLICA_SHARE_ID
```
Where REPLICA_SHARE_ID is the ID or name of the replica file share.

Example:
```
ibmcloud is share-replica-split my-replica-file-share
```
When prompted, type y to confirm the split operation.
After the replication relationship is removed, delete the mount targets of the replica file share:
```
ibmcloud is share-mount-target-delete REPLICA_SHARE_ID MOUNT_TARGET_ID
```
Repeat for each mount target associated with the replica file share.
Delete the replica file share:
```
ibmcloud is share-delete REPLICA_SHARE_ID
```
When prompted, type y to confirm the deletion.

For more information, see Removing the replication relationship from the CLI.

Removing the replication relationship with the API

Remove the replication relationship by making a DELETE /shares/{replica_id}/source request:
```
curl -X DELETE \
"$vpc_api_endpoint/v1/shares/$replica_share_id/source?version=2026-04-28&generation=2" \
-H "Authorization: Bearer $iam_token"
```
A successful response indicates that the replication relationship was removed.

Delete the mount targets of the replica file share by making a DELETE /shares/{replica_id}/mount_targets/{mount_target_id} request for each mount target:

curl -X DELETE \
"$vpc_api_endpoint/v1/shares/$replica_share_id/mount_targets/$mount_target_id?version=2026-04-28&generation=2" \
-H "Authorization: Bearer $iam_token"

Delete the replica file share by making a DELETE /shares/{replica_id} request:

curl -X DELETE \
"$vpc_api_endpoint/v1/shares/$replica_share_id?version=2026-04-28&generation=2" \
-H "Authorization: Bearer $iam_token"

For more information, see Removing the replication relationship with the API.

Removing the replication relationship with Terraform

Use the ibm_is_share_replica_operations resource to split the source and replica shares:

resource "ibm_is_share_replica_operations" "split" {
  share_replica = ibm_is_share.replica.id
  split_share   = true
}

After the split operation completes, remove the replica file share and its mount targets from your Terraform configuration, then run terraform apply:

# Remove or comment out the replica share and its mount targets
# resource "ibm_is_share" "replica" {
#   ...
# }
# resource "ibm_is_share_mount_target" "replica_target" {
#   ...
# }

For more information, see Removing the replication relationship with Terraform.

For more information, see Deleting a mount target with Terraform.

Step 4: Update the access control mode to security group

After deleting all mount targets and any replica file shares, update the file share's access control mode from vpc to security_group.

Updating access control mode in the console

In the IBM Cloud console, click the Navigation menu icon > Infrastructure > Storage > File storage shares.
Select the file share that you want to migrate from the list.
On the File share details page, locate the Access control mode field.
Click the Edit icon ! next to the Access control mode field.
Select Security group from the dropdown menu.
Click Save.

Updating access control mode from the CLI

Run the share-update command with the --access-control-mode option set to security_group.

ibmcloud is share-update SHARE_ID --access-control-mode security_group

Where SHARE_ID is the ID or name of the file share.

Example:

ibmcloud is share-update my-file-share --access-control-mode security_group

Updating access control mode with the API

Make a PATCH /shares/{share_id} request with the access_control_mode property set to security_group.

curl -X PATCH \
"$vpc_api_endpoint/v1/shares/$share_id?version=2026-04-28&generation=2" \
-H "Authorization: Bearer $iam_token" \
-d '{
  "access_control_mode": "security_group"
}'

Updating access control mode with Terraform

Update the access_control_mode attribute in your ibm_is_share resource to security_group, then run terraform apply.

resource "ibm_is_share" "example" {
  name                = "my-file-share"
  zone                = "us-south-2"
  profile             = "dp2"
  size                = 1000
  iops                = 500
  access_control_mode = "security_group"
}

Step 5: Create new mount targets with security group access

After updating the access control mode, create new mount targets with security group access. The mount targets must be created with a virtual network interface that is associated with a security group.

Before you create the mount targets, ensure that you have a security group configured with rules that allow inbound access for the TCP protocol on the NFS port (2049) from all compute hosts where you want to mount the file share.

Creating mount targets in the console

In the IBM Cloud console, click the Navigation menu icon > Infrastructure > Storage > File storage shares.
Select the file share from the list.
On the File share details page, click Create in the Mount targets section.
Provide a name for the mount target.
Select the VPC where you want to create the mount target.
Configure the virtual network interface:
- Provide a name for the virtual network interface.
- Select the subnet where the mount target is created.
- Optionally, specify a reserved IP address, or let the system assign one automatically.
- Select the security group that controls access to the file share.
Optionally, enable encryption in transit if you want to protect data during transmission.
Click Create.

Repeat these steps to create mount targets for each VPC where you want to access the file share.

For more information, see Creating a mount target in the console.

Creating mount targets from the CLI

Run the share-mount-target-create command with the virtual network interface parameters.

ibmcloud is share-mount-target-create SHARE_ID \
  --name MOUNT_TARGET_NAME \
  --vpc VPC_ID \
  --vni-name VNI_NAME \
  --vni-subnet SUBNET_ID \
  --vni-sgs SECURITY_GROUP_ID

Where:

SHARE_ID is the ID or name of the file share.
MOUNT_TARGET_NAME is the name for the new mount target.
VPC_ID is the ID or name of the VPC.
VNI_NAME is the name for the virtual network interface.
SUBNET_ID is the ID or name of the subnet.
SECURITY_GROUP_ID is the ID or name of the security group.

Example:

ibmcloud is share-mount-target-create my-file-share \
  --name my-new-mount-target \
  --vpc my-vpc \
  --vni-name my-vni \
  --vni-subnet my-subnet \
  --vni-sgs my-security-group

For more information, see Creating mount targets from the CLI.

Creating mount targets with the API

Make a POST /shares/{share_id}/mount_targets request with the virtual network interface configuration.

curl -X POST \
"$vpc_api_endpoint/v1/shares/$share_id/mount_targets?version=2026-04-28&generation=2" \
-H "Authorization: Bearer $iam_token" \
-d '{
  "name": "my-new-mount-target",
  "virtual_network_interface": {
    "name": "my-vni",
    "subnet": {
      "id": "'"$subnet_id"'"
    },
    "security_groups": [
      {
        "id": "'"$security_group_id"'"
      }
    ]
  }
}'

For more information, see Creating mount targets with the API.

Creating mount targets with Terraform

Use the ibm_is_share_mount_target resource to create a mount target with a virtual network interface.

resource "ibm_is_share_mount_target" "example" {
  share = ibm_is_share.example.id
  name  = "my-new-mount-target"

  virtual_network_interface {
    name = "my-vni"
    subnet = ibm_is_subnet.example.id
    security_groups = [ibm_is_security_group.example.id]
  }
}

For more information, see Creating mount targets with Terraform.

Step 6: Recreate replica file shares (if applicable)

If you deleted a replica file share in Step 3, you can now recreate it with the updated security group access control mode. The new replica file share inherits the security group access control mode from the source file share.

If you did not have a replica file share, skip this step and proceed to Step 7: Mount the file share on compute hosts.

Creating a replica file share in the console

In the IBM Cloud console, click the Navigation menu icon > Infrastructure > Storage > File storage shares.
Select the source file share from the list.
On the File share details page, click the Actions icon and select Create replica.
On the File share replica create page, provide the following information:
- Name: Provide a unique name for the replica share.
- Replica location: Select the region and zone where you want to create the replica.
- Resource group: Select the resource group for the replica.
- Profile: The dp2 profile is preselected. Specify the maximum IOPS value.
- Mount targets: Optionally, create mount targets for the replica share with security group access.
- Sync frequency: Specify how often to synchronize changes from the source to the replica (hourly, daily, weekly, monthly, or cron-spec).
- Encryption: Configure encryption settings. For cross-region replication, you must select a customer root key if the source uses customer-managed encryption.
Click Create file share.

For more information, see Adding replication to a file share in the console.

Creating a replica file share from the CLI

Use the share-replica-create command to create a replica for your source file share:

ibmcloud is share-replica-create \
  --source-share SOURCE_SHARE_ID \
  --name REPLICA_NAME \
  --zone REPLICA_ZONE \
  --profile dp2 \
  --replication-cron-spec "CRON_SPEC"

Where:

SOURCE_SHARE_ID is the ID or name of the source file share.
REPLICA_NAME is the name for the new replica share.
REPLICA_ZONE is the zone where you want to create the replica.
CRON_SPEC is the replication frequency in cron format (for example, 30 17 * * * for daily at 5:30 PM).

Example:

ibmcloud is share-replica-create \
  --source-share my-file-share \
  --name my-replica-file-share \
  --zone us-south-1 \
  --profile dp2 \
  --replication-cron-spec "30 17 * * *"

For more information, see Creating a replica for an existing file share from the CLI.

Creating a replica file share with the API

Make a POST /shares request to create a replica file share:

curl -X POST \
"$vpc_api_endpoint/v1/shares?version=2026-04-28&generation=2" \
-H "Authorization: Bearer $iam_token" \
-d '{
  "name": "my-replica-file-share",
  "profile": {
    "name": "dp2"
  },
  "zone": {
    "name": "us-south-1"
  },
  "replication_cron_spec": "30 17 * * *",
  "source_share": {
    "id": "'"$source_share_id"'"
  },
  "size": 1000,
  "iops": 500
}'

For more information, see Creating a replica file share with the API.

Creating a replica file share with Terraform

Add an ibm_is_share resource for the replica to your Terraform configuration:

resource "ibm_is_share" "replica" {
  name    = "my-replica-file-share"
  zone    = "us-south-1"
  profile = "dp2"
  size    = 1000
  iops    = 500

  source_share            = ibm_is_share.source.id
  replication_cron_spec   = "30 17 * * *"
}

Then run terraform apply to create the replica.

For more information, see Creating replica file shares with Terraform.

Step 7: Mount the file share on compute hosts

After creating the new mount targets with security group access, mount the file share on your compute hosts using the new mount path.

To mount a file share, you need the mount path information. You can retrieve the mount path from the mount target details in the console, CLI, or API.

For detailed instructions on mounting file shares on different operating systems, see the following topics:

For a complete list of mounting instructions for all supported operating systems, see Mounting file shares.

Next steps

After completing the migration, verify that:

The file share is accessible from all authorized compute hosts.
Security group rules are properly configured to allow access.
Applications that use the file share are functioning correctly.
The mount is persistent across reboots (check /etc/fstab entries).

For more information about managing file shares, see Managing file shares and mount targets.