The following guide shows you how to configure your Filestore instances to use Private Service Connect with NFSv3 or NFSv4.1 file system protocols.
About Private Service Connect
Private Service Connect allows consumers to access managed services privately from inside their VPC network. Instead of allocating an entire IP address range to the connection, the consumer provisions a single internal IP address in its own VPC network to create a Private Service Connect endpoint. That single address is all that's required from the consumer's IP space to reach the Filestore instance.
For Shared VPC configurations, where the Private Service Connect endpoint is provisioned in the VPC host project, the service connection policy scope must allow the host project.
Connection policies
To create a Private Service Connect endpoint on the consumer's target network, you must create a service connection policy in your project. A connection policy separates the permission to create a Filestore instance from the permission to allocate networking resources, such as Private Service Connect endpoints and the IP addresses for them. Once a policy exists, an endpoint with a private IP address is created automatically in the policy's subnet.
Create a Filestore instance that uses Private Service Connect
Create a Filestore instance that uses Private Service Connect for network connections.
Before you begin
- Verify that you have enough quota. Instance quota varies by region and by the service tier you want to use. To increase available quota, you must submit a quota increase request.
Create a Filestore instance
Create a Filestore instance using Google Cloud console or Google Cloud CLI.
Google Cloud console
In the Google Cloud console, go to the Filestore Instances page.
Click Create instance.
Specify the basic parameters of the instance:
- In the Instance ID field, type the name you want to use for your Filestore instance.
For Instance type, select Regional or Zonal service tier.
To create an enterprise instance, you must use the Filestore API or the Google Cloud CLI.
For Capacity, first select the capacity range, and then enter the capacity you want to use. You must use a value between 1 TiB and 10 TiB, in increments of 256 GiB (0.25 TiB).
For Region, use the list to select the region you want to deploy your instance in.
For Protocol, select NFSv3 or NFSv4.1, depending on the network protocol you want to use.
For Network IP stack type, select IPv4 or IPv6. Filestore with Private Service Connect IPv6 support lets you choose either an IPv4 or an IPv6 endpoint per service attachment. If you select IPv6 and also configure access control, the IP address or range field is validated as IPv6 CIDR notation.
In the VPC Network field, select the network you want to use for the Filestore instance and NFS clients. The selected network must have a valid service connection policy to connect with the instance using Private Service Connect. If such a policy doesn't exist, you must create one. Use the following instructions to create a policy.
How to create a service connection policy
When creating a Filestore instance you must either use a VPC network that already has a connection policy in place or create the connection policy as part of the instance creation workflow. This section explains how to create a service connection policy for the VPC network.
- In VPC Network, select the network. If the connection policy doesn't exist for the selected network, click Create service connection policy.
- In the Policy name field, add the name for the service connection policy.
- Optional: In the Description field provide a short description of your policy.
- The Source service scope and Target endpoints scope fields are populated with information you provided when creating the instance.
- In the Subnetworks field, select the subnets used for the Filestore service endpoints. Subnets are the IP address ranges from which endpoint addresses for reaching the Filestore instance are taken. For more information on using subnets with Private Service Connect, see Purposes of subnets.
- Optional: In the Connection limit field, enter the maximum number of endpoints that can be created by using this connection policy. If omitted, there is no limit.
- Click Create policy to finish. Continue to create the instance or review your policy in Private Service Connect.
In the File share name field, enter the name of the NFS file share that is served from the instance.
Click Create to create the instance.
gcloud
If you already have the gcloud CLI installed, you can update it:
gcloud components update
Create a Filestore zonal, regional, or enterprise instance. Note that the value of --network must be a single shell word: do not put spaces after the commas.
gcloud beta filestore instances create INSTANCE_ID \
  --description="DESCRIPTION" \
  --region=LOCATION \
  --tier=TIER \
  --protocol=PROTOCOL \
  --file-share=name="FILE_SHARE_NAME",capacity=CAPACITY \
  --network=name="VPC_NETWORK_NAME",connect-mode=CONNECT_MODE,address-mode=ADDRESS_MODE,psc-endpoint-project="PSC_ENDPOINT_PROJECT" \
  --project=CONSUMER_PROJECT_ID
Where:
- INSTANCE_ID is the instance ID of the Filestore instance that you want to create. See Name your instance.
- DESCRIPTION is a description for the instance you want to use.
- LOCATION is the location where you want the Filestore instance to reside.
- TIER is the service tier you want to use. It can be zonal, regional or enterprise.
- PROTOCOL is NFS_v3 or NFS_v4_1.
- FILE_SHARE_NAME is the name you specify for the NFS file share that is served from the instance.
- CAPACITY is the size you want for the file share, between 1 TiB and 10 TiB.
- VPC_NETWORK_NAME is the name of the VPC network you want the instance to use. If you want to specify a Shared VPC from a service project, you must specify the fully-qualified network name, in the following format: projects/HOST_PROJECT_ID/global/networks/SHARED_VPC_NAME. You can't specify a legacy network as the VPC_NETWORK_NAME value. If necessary, create a new VPC network to use by following the instructions in Create an auto mode VPC network.
- CONNECT_MODE is PRIVATE_SERVICE_CONNECT.
- ADDRESS_MODE is the IP version for which the instance is assigned an address (for example, MODE_IPV6 for an IPv6 endpoint). Filestore with Private Service Connect IPv6 support lets you choose either an IPv4 or an IPv6 endpoint per service attachment.
- PSC_ENDPOINT_PROJECT is the optional ID of the service project in which the Private Service Connect endpoint is created. Specify PSC_ENDPOINT_PROJECT if you are using Private Service Connect with Shared VPC. For more information, see Create an instance on a Shared VPC network in service projects.
- CONSUMER_PROJECT_ID is the project ID of the project that contains the Filestore instance.
Example
The following command creates an instance with the following characteristics:
- Instance ID is my-instance.
- Project is my-project.
- Region is us-central1.
- Tier is REGIONAL.
- File share name is my_vol.
- Capacity is 1024 (GiB, that is 1 TiB).
- VPC network is the default network of the Shared VPC host project host, given by its fully-qualified name.
- Protocol is NFS_v4_1.
- Connect mode is PRIVATE_SERVICE_CONNECT.
- Address mode is MODE_IPV6.
gcloud filestore instances create my-instance \
  --project="my-project" \
  --region=us-central1 \
  --tier=REGIONAL \
  --protocol=NFS_v4_1 \
  --file-share=name="my_vol",capacity=1024 \
  --network=name=projects/host/global/networks/default,connect-mode="PRIVATE_SERVICE_CONNECT",address-mode="MODE_IPV6"
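The gcloud procedure above creates the instance but leaves the service connection policy from the Connection policies section to the console workflow, and it does not show what to do once the instance exists. The following script is an added example, not part of the Filestore documentation: it checks whether the VPC already has a Filestore service connection policy, creates one if it does not, creates the Private Service Connect instance with a correctly assembled --network value, and prints the NFS mount command, bracketing the address when the endpoint is IPv6. The pure helper functions (capacity check, address-family check for access-control ranges, flag assembly, mount target) run without gcloud; the gcloud steps need an authenticated CLI or DRY_RUN=1. Assumptions, labelled in the code: the service class name gcp-filestore and the flags of the network-connectivity policy command, MODE_IPV4 as the IPv4 counterpart of the page's MODE_IPV6, and the project, region, network, subnet and share names my-project, us-central1, default, my_vol.

```shell
#!/bin/sh
# Added example (not from the Filestore documentation). Strings the page's steps
# together: ensure a service connection policy exists for Filestore on the VPC,
# create the PSC instance, print a mount command.
# ASSUMED (not on the page): the gcp-filestore service class, the
# network-connectivity flags below, MODE_IPV4, and all project/network names.
set -eu

SERVICE_CLASS="gcp-filestore"   # ASSUMED service class name for Filestore

# Regional and zonal tiers take 1 TiB to 10 TiB in 256 GiB steps.
# Returns 0 when CAPACITY_GIB is acceptable.
valid_capacity() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 10240 ] && [ $(( $1 % 256 )) -eq 0 ]
}

# Access-control entries must match the endpoint's IP family: the console
# validates the field as IPv6 CIDR when the stack type is IPv6. Loose syntactic
# checks only (no octet range check).
range_matches_mode() {
  case "$1" in
    MODE_IPV4) printf '%s' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' ;;
    MODE_IPV6) printf '%s' "$2" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$' ;;
    *) return 1 ;;
  esac
}

# Build the --network value as ONE shell word; a space after a comma would make
# the shell split the value into separate arguments.
network_flag() {
  v="name=$1,connect-mode=PRIVATE_SERVICE_CONNECT,address-mode=$2"
  if [ -n "${3:-}" ]; then v="$v,psc-endpoint-project=$3"; fi
  printf '%s' "$v"
}

# NFS version for the mount option: NFS_v3 -> 3, NFS_v4_1 -> 4.1.
nfs_vers() {
  case "$1" in NFS_v3) printf '3' ;; NFS_v4_1) printf '4.1' ;; *) return 1 ;; esac
}

# Mount target for the instance IP; an IPv6 address must be bracketed.
mount_target() {
  case "$1" in *:*) printf '[%s]:/%s' "$1" "$2" ;; *) printf '%s:/%s' "$1" "$2" ;; esac
}

# ---- gcloud steps: need an authenticated gcloud, or DRY_RUN=1 to print only --
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Returns 0 if NETWORK already has a Filestore policy in REGION.
# ASSUMED: the resource fields network and serviceClass used in the filter.
has_policy() {
  [ -n "$(gcloud network-connectivity service-connection-policies list \
            --project="$1" --region="$2" \
            --filter="network:$3 AND serviceClass:$SERVICE_CLASS" \
            --format='value(name)')" ]
}

# create_instance PROJECT REGION NETWORK SUBNET INSTANCE SHARE CAPACITY_GIB PROTOCOL MODE
# NETWORK is expected to be a short network name (it is reused in the policy name).
create_instance() {
  valid_capacity "$7" || { echo "capacity must be 1024..10240 GiB in 256 GiB steps" >&2; return 1; }
  if [ "${DRY_RUN:-0}" = 1 ] || ! has_policy "$1" "$2" "$3"; then
    # ASSUMED flags; the subnet supplies the endpoint IP, the limit caps endpoints.
    run gcloud network-connectivity service-connection-policies create "$3-filestore-psc" \
        --project="$1" --region="$2" --network="$3" --service-class="$SERVICE_CLASS" \
        --subnets="$4" --psc-connection-limit=5
  fi
  run gcloud filestore instances create "$5" \
      --project="$1" --region="$2" --tier=REGIONAL --protocol="$8" \
      --file-share=name="$6",capacity="$7" \
      --network="$(network_flag "$3" "$9")"
  if [ "${DRY_RUN:-0}" = 1 ]; then return 0; fi
  ip="$(gcloud filestore instances describe "$5" --project="$1" --region="$2" \
          --format='value(networks[0].ipAddresses[0])')"
  echo "sudo mount -t nfs -o vers=$(nfs_vers "$8") $(mount_target "$ip" "$6") /mnt/$6"
}

# Constructed demo values (assumed names). Run "./script.sh demo" to print the
# gcloud commands without executing them; set DRY_RUN=0 to actually run them.
if [ "${1:-}" = "demo" ]; then
  DRY_RUN="${DRY_RUN:-1}"
  create_instance my-project us-central1 default default my-instance my_vol 1024 NFS_v4_1 MODE_IPV6
fi
```

Two caveats worth keeping in mind when adapting this: the policy check filters on the network name, so pass the same form (short name or fully-qualified path) that you used when creating the policy, and the policy's subnet must be in the same region as the instance, because that is where the endpoint's private IP is allocated.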