Use Google Cloud NetApp Volumes as a vSphere Datastore in VMware Engine

This document describes how to use Google Cloud NetApp Volumes NFS storage with Standard, Premium, and Extreme service levels as an external Datastore for ESXi hosts in Google Cloud VMware Engine. To use Google Cloud NetApp Volumes as a Datastore, you must create Google Cloud NetApp Volumes volumes in the same region as the vSphere cluster and then mount them as external Datastores to existing ESXi hosts in VMware Engine. This solution provides data protection through crash-consistent snapshots and cross-region replication.

For an overview of NFS Datastores, including prerequisites and benefits, see NFS Datastores overview.

The following diagram shows NetApp Volumes being used with VMware Engine and Compute Engine:

[Figure: Architecture diagram of NetApp Volumes in relation to VMware Engine and Compute Engine.]

The preceding diagram illustrates using Google Cloud NetApp Volumes as an external Datastore for VMware Engine. A VPC Network Peering connection exists between your VPC network and the VMware Engine network (VEN). Another VPC Network Peering connection exists between the VEN and the Google Cloud NetApp Volumes service network where the NFS volume resides. The Google Cloud NetApp Volumes volume is mounted as an NFS Datastore on the ESXi hosts in the VMware Engine private cloud.

Limitations

In addition to the limitations described in NFS Datastores overview, the following limitations apply to Google Cloud NetApp Volumes Datastores:

  • Supported service levels: VMware Engine supports only volumes with Standard, Premium, or Extreme service levels. Flex service-level volumes are not certified by NetApp for use with vSphere Datastores.
  • VAAI: Copy offload (VAAI) is not supported.

Before you begin

Before you mount an external NFS volume as a Datastore, you must do the following:

  • VPC Peering: An active VPC Network Peering connection must exist between the NFS volume's VPC network and the VMware Engine network (VEN) of the private cloud where you plan to mount the Datastore.
  • Service subnet: You must have a dedicated service subnet with a unique CIDR range allocated for NFS traffic. Configure at least a /26 CIDR for the VMware Engine service network for external NFS storage. This subnet must be used exclusively for NFS Datastores, but the same service subnet can be used for multiple NFS Datastores.
  • Delete protection: You must enable delete protection on the volume to prevent accidental deletion and data loss.

Permissions

To mount Google Cloud NetApp Volumes volumes as external Datastores, the VMware Engine service agent requires specific IAM roles. Grant the following roles to the service agent:

  • roles/netapp.viewer: To allow VMware Engine to access Google Cloud NetApp Volumes volumes.
  • roles/compute.networkViewer: To allow VMware Engine to view network peerings.

Use the following gcloud CLI commands to grant these roles:

gcloud projects add-iam-policy-binding NETAPP_PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-vmwareengine.iam.gserviceaccount.com \
    --role=roles/netapp.viewer

gcloud projects add-iam-policy-binding NETAPP_PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-vmwareengine.iam.gserviceaccount.com \
    --role=roles/compute.networkViewer

Replace the following:

  • NETAPP_PROJECT_ID: The project ID where your Google Cloud NetApp Volumes volume resides.
  • PROJECT_NUMBER: The project number where VMware Engine is enabled.

Get VPC network details

When you create a peering connection between VMware Engine and NetApp Volumes, you need some details about the VPC network used by NetApp Volumes. To get these details, do the following:

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the VPC network that is peered with NetApp Volumes.

  3. Click the VPC network peering tab.

  4. Select the peering connection to the NetApp Volumes tenant project. The connection name is typically sn-netapp-prod.

  5. Copy the Peered project ID (e.g., netapp-tenant-project-tp) and the Peered VPC network name.

Create a peering connection for legacy networks

To establish a connection between VMware Engine and NetApp Volumes or Filestore services, make a one-time peering between tenant host projects. If you created your VMware Engine project and private clouds before Nov 12, 2023, you are using an earlier version of the VMware Engine network. For environments using an earlier version of VMware Engine network, do the following:

  1. In the Google Cloud console, go to the Private connections page.

  2. Click Select a project and then select the organization, folder, or project where you want to create the peering connection.

  3. Click Create.

  4. In Private connection name, provide a name for your peering, for example, peering-2-netapp-volumes.

  5. In VMware Engine network, specify the VMware Engine network you want to peer, for example, us-central1-default.

  6. For Private connection type, select Third party service.

  7. In Peered project ID, enter the peered project ID of the NetApp Volumes that contains your volume.

  8. In Peered VPC network, enter the name of the peered VPC network that the volume is in.

  9. Click Create.

Expect the VPC peering status of your new private connection to stay in the Inactive state for up to 72 hours while VMware Engine services and validates the peering request.

For legacy networks, ensure that the private connection to the NetApp Volumes tenant project is active before you attempt to mount a Datastore. A missing or inactive connection will cause the mount operation to fail. Also, avoid deleting a private connection that is in use by a mounted Datastore, as this can disrupt access to the Datastore.

Create a peering connection

If your VMware Engine project and private clouds were created after Nov 12, 2023, do the following. For more information on how to create VPC peerings for such environments, see Peer a VPC network.

  1. In the Google Cloud console, go to the VPC Network peerings page.

  2. Click Select a project and then select the organization, folder, or project where you want to create the peering connection.

  3. Click Create.

  4. In the Name field, provide a name for your networking peering. For example, peering-2-netapp-volumes.

  5. In the VMware Engine network section, keep the default "In current project" selected. Specify the VMware Engine network you want to peer, for example ven1.

  6. For Peering, select Google Cloud NetApp Volumes.

  7. In the Service tenant project ID field, enter the peered project ID of the Google Cloud project containing your volume.

  8. In the Route exchange section, keep the default settings.

  9. Click Create.

After the VPC Peering is established, route propagation to the vSphere nodes can take up to 20 minutes.

Note that peering connects two networks. It's your responsibility to avoid any overlapping routes, as peering doesn't prevent overlaps in dynamic routes.

Create Google Cloud NetApp Volumes volumes

When you create a Google Cloud NetApp Volumes volume for use as a VMware Engine Datastore, ensure that the volume export rule allows the following:

  • Access from the service subnet range you created earlier, entered under Authorized applications.
  • Read and write access.
  • Root access.

Mark a volume as non-deletable

As mentioned in the prerequisites, before you can mount a Google Cloud NetApp Volumes volume as an external NFS Datastore, you must enable delete protection. When delete protection is enabled on a volume, it prevents the volume from being deleted by any user, thus protecting it from accidental deletion.

To enable delete protection, use a Google Cloud CLI command to restrict the delete action on the volume. For instructions, see Prevent volume deletion.
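The checks above (certified service level, a /26 or larger service subnet, an export rule granting read/write and root access to exactly that subnet, and delete protection) can be verified before attempting the mount. The following preflight validator is an added example, not code from this page or from the NetApp Volumes tooling; it assumes the parsed output of `gcloud netapp volumes describe --format=json` with the API fields `serviceLevel`, `restrictedActions` and `exportPolicy.rules[]` (`allowedClients`, `accessType`, `hasRootAccess`), and the sample volume is constructed.

```python
import ipaddress

# Constructed sample of a parsed `gcloud netapp volumes describe --format=json`
# result. Field names follow the NetApp Volumes API; all values are made up.
SAMPLE_VOLUME = {
    "serviceLevel": "PREMIUM",
    "restrictedActions": ["DELETE"],
    "exportPolicy": {"rules": [
        {"allowedClients": "10.50.0.0/26", "accessType": "READ_WRITE",
         "hasRootAccess": "true", "nfsv3": True},
    ]},
}

# Only these service levels are certified for use as vSphere Datastores.
DATASTORE_SERVICE_LEVELS = {"STANDARD", "PREMIUM", "EXTREME"}

def check_volume(volume: dict, service_subnet: str) -> list:
    """Return the prerequisite violations found for mounting `volume` as a Datastore."""
    problems = []
    subnet = ipaddress.ip_network(service_subnet, strict=False)
    if subnet.prefixlen > 26:
        problems.append(f"service subnet {service_subnet} is smaller than /26")
    level = volume.get("serviceLevel")
    if level not in DATASTORE_SERVICE_LEVELS:
        problems.append(f"service level {level} is not certified for Datastores")
    if "DELETE" not in volume.get("restrictedActions", []):
        problems.append("delete protection (restrictedActions: DELETE) is not enabled")
    # Find export rules whose allowed-clients list covers the whole service subnet.
    covering = []
    for rule in volume.get("exportPolicy", {}).get("rules", []):
        clients = [c.strip() for c in rule.get("allowedClients", "").split(",") if c.strip()]
        for client in clients:
            net = ipaddress.ip_network(client, strict=False)
            if net.version == subnet.version and subnet.subnet_of(net):
                covering.append((rule, net))
                break
    if not covering:
        problems.append(f"no export rule allows the service subnet {service_subnet}")
    for rule, net in covering:
        if rule.get("accessType") != "READ_WRITE":
            problems.append("export rule for the service subnet is not READ_WRITE")
        if str(rule.get("hasRootAccess", "false")).lower() != "true":
            problems.append("export rule for the service subnet lacks root access")
        elif net.prefixlen < subnet.prefixlen:
            # Root access should be scoped to the dedicated NFS subnet only.
            problems.append(f"root access is granted to {net}, wider than the service subnet")
    return problems
```

An empty result means the volume satisfies every prerequisite listed on this page for the given service subnet; each string in a non-empty result names one item to fix before mounting.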

After creating the volume, you can perform various volume management functions by using the NetApp Volumes UI/API/CLI. For more information, see Volumes overview.

Mount the volume as a Datastore

After you create your Google Cloud NetApp Volumes volume and configure prerequisites, you can mount the volume as a Datastore by using the VMware Engine API.

After VMware Engine mounts the Datastore, it becomes available, and you can use the vCenter UI to provision VMs against the external Datastore, view metrics, and view logs related to I/O operations performed against the external Datastore.

For more information about NetApp Volumes, see What is Google Cloud NetApp Volumes.

API and gcloud CLI workflow

For details on using the API or gcloud CLI to manage Datastores, see Manage NFS volumes as vSphere Datastores in VMware Engine.