
Restrict Client Access by IP Address or IP Range


Risk Level: Medium (should be achieved)

Ensure that client access to your Google Cloud Filestore instances is limited to specific (trusted) IP addresses or IP address ranges in order to protect your data against unauthorized access.

Security

Granting untrusted clients access exposes Filestore instance data to unapproved access, modification, or deletion. By default, Filestore instances provide full (root-level read/write) access to all clients, such as Compute Engine virtual machines and Kubernetes clusters, within the same Google Cloud project and VPC network. To restrict this, you can create IP-based access rules. Once configured, any IP address or range not explicitly allowed will be denied access. Restricting access by IP address or IP range enhances security by limiting connections to known, trusted sources.


Audit

To determine if Filestore client access is restricted to trusted IP addresses or IP address ranges only, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Filestore console available at https://console.cloud.google.com/filestore/.

04 In the left navigation panel, choose Instances to access the list of Google Cloud Filestore instances provisioned for the selected GCP project.

05 Click on the ID (link) of the Filestore instance that you want to examine. A Filestore instance is a fully-managed, network-attached storage system that you can use with Compute Engine and Kubernetes Engine instances.

06 Select the OVERVIEW tab to view the configuration information available for the selected instance.

07 Check the Access control attribute value to determine the access level configured for your instance. If the Access control attribute value is set to Allow all, the client access to the selected Filestore instance is unrestricted and not limited to specific IP addresses or IP address ranges.

08 Repeat steps no. 5 - 7 for each Filestore instance available within the selected GCP project.

09 Repeat steps no. 2 - 8 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-cloudai-project-112233

03 Run filestore instances list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to list the Google Cloud Filestore instances deployed to the selected project:

gcloud filestore instances list \
	--project cc-web-project-123123 \
	--format="default(name)"

04 The command request should return the requested instance IDs (i.e., fully qualified identifiers):

name: projects/cc-web-project-123123/locations/us-central1-a/instances/cc-gce-filestorage-instance
name: projects/cc-web-project-123123/locations/us-central1-a/instances/cc-web-filestorage-instance

05 Run filestore instances describe command (Windows/macOS/Linux) with the ID of the Filestore instance that you want to examine as the identifier parameter, to determine if client access to the selected instance is restricted by IP address or IP range:

gcloud filestore instances describe "projects/cc-web-project-123123/locations/us-central1-a/instances/cc-gce-filestorage-instance" \
	--format="default(fileShares[].nfsExportOptions)"

06 The command output should return the IP-based access control rules configured for the selected instance:

null

If the filestore instances describe command output returns null, as shown in the example above, the client access to the selected Filestore instance is unrestricted and not limited to specific IP addresses or IP address ranges.

07 Repeat steps no. 5 and 6 for each Filestore instance available in the selected GCP project.

08 Repeat steps no. 3 - 7 for each GCP project deployed in your Google Cloud account.
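The CLI audit above is evaluated by eye, one instance at a time. The following helper is an added example for this article (it is not Trend Micro Conformity or Google code): it parses the JSON form of the describe output (gcloud filestore instances describe INSTANCE --format=json, which returns fileShares[].nfsExportOptions[] with camelCase keys such as ipRanges, accessMode and squashMode) and reports a share as non-compliant when it has no export rules at all (the null case in step 06) or when a rule grants access from an overly broad range. The three sample documents and the /16 "broad range" threshold are constructed assumptions for the example; describe_instance() is the only part that calls the real gcloud CLI.

```python
"""Audit helper for Filestore IP-based access control (added example, not vendor code).

Parses the JSON output of `gcloud filestore instances describe INSTANCE --format=json`
and returns findings for shares whose client access is unrestricted or allowed
from overly broad IP ranges. Sample documents below are constructed.
"""
import ipaddress
import json
import subprocess

# Policy threshold assumed for this example: an allowed range with a prefix
# shorter than /16 (e.g. 0.0.0.0/0 or 10.0.0.0/8) is reported as "broad".
MIN_PREFIX_LEN = 16

# Constructed sample: no nfsExportOptions at all, i.e. "Allow all" (the null case in step 06).
SAMPLE_UNRESTRICTED = json.dumps({
    "name": "projects/cc-web-project-123123/locations/us-central1-a/instances/cc-gce-filestorage-instance",
    "fileShares": [{"name": "cc_fileshare", "capacityGb": "1024"}],
})

# Constructed sample: the two rules the remediation section of the article configures.
SAMPLE_RESTRICTED = json.dumps({
    "name": "projects/cc-web-project-123123/locations/us-central1-a/instances/cc-web-filestorage-instance",
    "fileShares": [{
        "name": "cc_fileshare",
        "capacityGb": "1024",
        "nfsExportOptions": [
            {"accessMode": "READ_WRITE", "ipRanges": ["10.20.30.40/32"], "squashMode": "NO_ROOT_SQUASH"},
            {"accessMode": "READ_ONLY", "ipRanges": ["10.0.0.0/24"], "squashMode": "ROOT_SQUASH",
             "anonUid": "1009", "anonGid": "1009"},
        ],
    }],
})

# Constructed sample: rules exist, but one of them grants root access to every address.
SAMPLE_BROAD = json.dumps({
    "name": "projects/cc-web-project-123123/locations/us-central1-a/instances/cc-broad-filestorage-instance",
    "fileShares": [{
        "name": "cc_fileshare",
        "capacityGb": "1024",
        "nfsExportOptions": [
            {"accessMode": "READ_WRITE", "ipRanges": ["0.0.0.0/0"], "squashMode": "NO_ROOT_SQUASH"},
        ],
    }],
})


def range_is_broad(cidr, min_prefix_len=MIN_PREFIX_LEN):
    """True if the range covers more addresses than the example policy allows.

    Filestore accepts bare addresses ("10.20.30.40") as well as CIDR ranges;
    ip_network treats a bare address as a /32.
    """
    return ipaddress.ip_network(cidr, strict=False).prefixlen < min_prefix_len


def audit_instance(describe_json):
    """Return a list of findings for one instance; an empty list means compliant."""
    doc = json.loads(describe_json)
    instance = doc.get("name", "<unknown>")
    findings = []
    for share in doc.get("fileShares", []):
        share_name = share.get("name", "<unnamed>")
        rules = share.get("nfsExportOptions")
        if not rules:
            # Mirrors the `null` result in audit step 06: every client in the
            # VPC network gets root-level read/write access.
            findings.append(f"{instance} share {share_name}: no IP-based access rules (Allow all)")
            continue
        for rule in rules:
            for cidr in rule.get("ipRanges", []):
                if range_is_broad(cidr):
                    findings.append(
                        f"{instance} share {share_name}: {rule.get('accessMode')}/"
                        f"{rule.get('squashMode')} granted to broad range {cidr}"
                    )
    return findings


def describe_instance(instance_id):
    """Fetch live JSON for one instance; requires an authenticated gcloud CLI."""
    result = subprocess.run(
        ["gcloud", "filestore", "instances", "describe", instance_id, "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    for sample in (SAMPLE_UNRESTRICTED, SAMPLE_RESTRICTED, SAMPLE_BROAD):
        print(json.loads(sample)["name"], "->", audit_instance(sample) or "compliant")
```

To run this against a real project, feed the instance IDs returned by step 03 to describe_instance() and pass each result to audit_instance(); a non-empty findings list is the condition the audit step describes as unrestricted client access.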

Remediation / Resolution

To ensure that client access to your Google Cloud Filestore instances is limited to specific, trusted IP addresses or IP ranges only, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Filestore console available at https://console.cloud.google.com/filestore/.

04 In the left navigation panel, choose Instances to access the list of Google Cloud Filestore instances provisioned for the selected GCP project.

05 Click on the ID (link) of the Filestore instance that you want to configure and choose EDIT to modify the instance configuration.

06 In the Edit share section, perform the following actions:

  1. For Access control, select Restrict access by IP address or range. This removes access from all clients and enables root squash for all clients by default.
  2. Provide the IP address or IP address range of the trusted, authorized client in the IP address or range 1 box and choose the necessary access level from the Access 1 dropdown list. There are four levels of access: Viewer (read-only access, root squash enabled); Editor (read-write access, root squash enabled); Admin Viewer (read-only access, root squash disabled); and Admin (read-write access, root squash disabled). The best practice is to assign the Admin level to at least one rule so that at least one user is excluded from root squash.
  3. If required, choose ADD RULE and add as many access control rules as needed.

07 Choose SAVE to apply the configuration changes and enable IP-based access control for the selected Filestore instance.

08 Repeat steps no. 5 - 7 for each Filestore instance that you want to configure, available within the selected GCP project.

09 Repeat steps no. 2 - 8 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 To implement IP-based access control for your Google Cloud Filestore instances, you must first add the necessary access control rules to the "nfs-export-options" configuration object. Each rule takes the following settings:

  1. For "ip-ranges", specify the trusted, authorized IP address or range to grant access to. Use commas to separate multiple IP addresses or ranges.
  2. For "access-mode", specify the access level for the clients in "ip-ranges". There are four levels of access: Viewer (READ_ONLY; read-only access, root squash enabled); Editor (READ_WRITE; read-write access, root squash enabled); Admin Viewer (READ_ONLY; read-only access, root squash disabled); and Admin (READ_WRITE; read-write access, root squash disabled). The best practice is to assign the Admin level to at least one rule so that at least one user is excluded from root squash.
  3. For "squash-mode", use ROOT_SQUASH or NO_ROOT_SQUASH. ROOT_SQUASH removes the root access level for clients in "ip-ranges", while NO_ROOT_SQUASH enables root access.
  4. For "anon_uid" and "anon_gid", specify the user ID and group ID that you want to map to anon_uid and anon_gid.

For more details about IP-based access control configuration, check the Filestore official documentation. Once the access rules are defined, save the configuration rules to a JSON file named cc-access-control-rules.json:

{
	"--file-share":
	{
		"capacity": "1024",
		"name": "cc_fileshare",
		"nfs-export-options": [
			{
				"access-mode": "READ_WRITE",
				"ip-ranges": [
					"10.20.30.40/32"
				],
				"squash-mode": "NO_ROOT_SQUASH"
			},
			{
				"access-mode": "READ_ONLY",
				"ip-ranges": [
					"10.0.0.0/24"
				],
				"squash-mode": "ROOT_SQUASH",
				"anon_uid": 1009,
				"anon_gid": 1009
			}
		]
	}
}

02 Run the filestore instances update command (OSX/Linux/UNIX) with the ID of the Filestore instance that you want to configure as the identifier parameter, to enable IP-based access control for the selected instance. Use the --flags-file command parameter to specify the configuration file with the access control rules defined for your instance (in this case, cc-access-control-rules.json):

gcloud filestore instances update "projects/cc-web-project-123123/locations/us-central1-a/instances/cc-gce-filestorage-instance" \
	--flags-file=cc-access-control-rules.json

03 The command output should return the update operation status:

Waiting for [operation-123456789012-abcd1234abcd-1234abcd-1234abcd] to finish... done.

04 Repeat steps no. 1 - 3 for each Filestore instance that you want to configure, available in the selected GCP project.

05 Repeat steps no. 1 - 4 for each GCP project available in your Google Cloud account.
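A hand-written flags file is easy to get subtly wrong (a typo in a CIDR, an anon_uid on a rule that does not squash, or a 0.0.0.0/0 range that silently re-opens the share). The following is an added example for this article, not Trend Micro Conformity or Google code: it builds the same "--file-share" / "nfs-export-options" document as cc-access-control-rules.json above from a list of rules and validates each rule before the file is written. The validation policy (reject 0.0.0.0/0, require at least one Admin rule, allow anon_uid/anon_gid only with ROOT_SQUASH) is this example's own reading of the guidance in step 01, and EXAMPLE_RULES is constructed to match the article's sample file.

```python
"""Build and validate a --flags-file for `gcloud filestore instances update`
(added example, not vendor code). The output keys match the article's
cc-access-control-rules.json; the validation policy is this example's own.
"""
import ipaddress
import json

ACCESS_MODES = {"READ_ONLY", "READ_WRITE"}
SQUASH_MODES = {"ROOT_SQUASH", "NO_ROOT_SQUASH"}


def validate_rule(rule):
    """Return a list of problems with one nfs-export-options entry (empty = ok)."""
    errors = []
    if rule.get("access-mode") not in ACCESS_MODES:
        errors.append(f"access-mode must be one of {sorted(ACCESS_MODES)}")
    squash = rule.get("squash-mode")
    if squash not in SQUASH_MODES:
        errors.append(f"squash-mode must be one of {sorted(SQUASH_MODES)}")
    ranges = rule.get("ip-ranges") or []
    if not ranges:
        errors.append("ip-ranges must list at least one trusted address or range")
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            errors.append(f"invalid ip-ranges entry: {cidr!r}")
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 re-opens the share to every client, defeating the control.
            errors.append(f"{cidr} allows every client; list specific trusted ranges instead")
    for key in ("anon_uid", "anon_gid"):
        if key in rule:
            if squash != "ROOT_SQUASH":
                # Example policy: anonymous ids only make sense when root is squashed.
                errors.append(f"{key} only applies when squash-mode is ROOT_SQUASH")
            elif not isinstance(rule[key], int) or rule[key] < 0:
                errors.append(f"{key} must be a non-negative integer")
    return errors


def build_flags_file(share_name, capacity_gb, rules):
    """Assemble the flags-file document, raising ValueError on any policy violation."""
    errors = []
    for index, rule in enumerate(rules, start=1):
        errors.extend(f"rule {index}: {msg}" for msg in validate_rule(rule))
    # Article guidance: keep one Admin rule (read-write, root squash disabled)
    # so that at least one trusted client is excluded from root squash.
    if not any(r.get("access-mode") == "READ_WRITE" and r.get("squash-mode") == "NO_ROOT_SQUASH"
               for r in rules):
        errors.append("no Admin rule (READ_WRITE + NO_ROOT_SQUASH) present")
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "--file-share": {
            "capacity": str(capacity_gb),
            "name": share_name,
            "nfs-export-options": rules,
        }
    }


def write_flags_file(path, share_name, capacity_gb, rules):
    """Validate, then write the JSON that --flags-file=<path> consumes."""
    doc = build_flags_file(share_name, capacity_gb, rules)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    return doc


# Constructed rules matching the article's example: one Admin host, one read-only subnet.
EXAMPLE_RULES = [
    {"access-mode": "READ_WRITE", "ip-ranges": ["10.20.30.40/32"], "squash-mode": "NO_ROOT_SQUASH"},
    {"access-mode": "READ_ONLY", "ip-ranges": ["10.0.0.0/24"], "squash-mode": "ROOT_SQUASH",
     "anon_uid": 1009, "anon_gid": 1009},
]

if __name__ == "__main__":
    doc = write_flags_file("cc-access-control-rules.json", "cc_fileshare", 1024, EXAMPLE_RULES)
    print(json.dumps(doc, indent=2))
```

The generated file is then passed to the update command exactly as in step 02 (--flags-file=cc-access-control-rules.json); because the "--file-share" object replaces the whole share configuration, keep the name and capacity in sync with the instance's existing share.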


Publication date Jan 17, 2025