CAS deployments support the use of several managed services to provide key functionality such as an Active Directory domain and SMB file shares. These services rely on Google Cloud's Service Networking API to establish connectivity between your deployment's GCP project and the service.
As a security precaution, the Service Networking API does not permit different services to communicate with one another; in other words, all traffic from a service must terminate within the GCP project that is connected to the service.
When using NetApp Cloud Volume Service (CVS), the managed file share must communicate with Active Directory in order to support file and folder permissions using Active Directory identities. This communication is not possible when using Google Managed Service for Microsoft Active Directory (Google Managed AD) because the network traffic attempts to traverse two separate service networks.
As a workaround for this limitation, CAS deployments that use both CVS and Google Managed AD will contain several additional networking components to properly route network traffic between the service networks.
Developed in consultation with Google, itopia's Service Networking Interoperability workaround is composed of the following:
- Two small GCE VM instances deployed within the GCP project. These VM instances run Linux and act as "packet forwarders". The VM instances are named xxxrtr001 and xxxrtr002, where xxx is the CAS deployment ID.
- Two static network routes to direct network traffic destined for each service network's subnet through the "router VMs". These routes are exported to both service networks, so that any traffic that a service attempts to send to the other service is routed to the router VMs, which then "forward" the traffic to the other service and return it back to the origin service.
- Firewall rules to permit only the necessary traffic to and from each service.
These components are only created when a deployment is created using both CVS and Google Managed AD. Additionally, the custom routes are only used by the service networks; regular traffic from infrastructure VMs directly traverses the VPC peering and does not use the router VMs.
The diagram below illustrates this configuration; note that the subnets shown are examples and may differ in each deployment.
- Administrators should not delete or modify any of the components associated with this workaround. Router VMs should remain running at all times.
- There is currently no way for an administrator to re-create a router VM if needed. Please contact itopia Support if issues are encountered with Cloud Volume connectivity to Managed AD.
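Because the router VMs and their static routes must stay intact for CVS-to-Managed AD traffic to flow, an administrator can periodically verify them rather than modify them. The following is an added example, not itopia's code or part of this page, that audits the components described above. It reads the JSON shape produced by `gcloud compute instances list --format=json` and `gcloud compute routes list --format=json` (the `name`, `status`, `canIpForward`, `destRange` and `nextHopInstance` fields), confirms that both `xxxrtr001` and `xxxrtr002` exist and are `RUNNING`, and confirms that the route for each service subnet still has a router VM as its next hop. The deployment ID `abc`, the subnets and the route names are constructed placeholders; the IP-forwarding check reflects the general GCP requirement that a next-hop instance have `canIpForward` enabled, which this page does not state.

```python
"""Audit the CVS / Google Managed AD service-networking workaround components.

Added example, not itopia's own tooling. Input is the JSON emitted by
`gcloud compute instances list --format=json` and
`gcloud compute routes list --format=json`; sample data below is constructed.
"""
import ipaddress
import json
from typing import Dict, List

# Constructed placeholders: the real deployment ID and service subnets
# differ in every deployment.
DEPLOYMENT_ID = "abc"
SERVICE_SUBNETS = {
    "cvs": "10.20.0.0/24",        # placeholder NetApp CVS service subnet
    "managed-ad": "10.30.0.0/24", # placeholder Google Managed AD service subnet
}

_INSTANCE_PREFIX = "https://www.googleapis.com/compute/v1/projects/p/zones/z/instances/"
_GATEWAY = "https://www.googleapis.com/compute/v1/projects/p/global/gateways/default-internet-gateway"

# Healthy state: both router VMs running, each service subnet routed via a router VM.
HEALTHY_INSTANCES = json.dumps([
    {"name": "abcrtr001", "status": "RUNNING", "canIpForward": True},
    {"name": "abcrtr002", "status": "RUNNING", "canIpForward": True},
    {"name": "abcdc001", "status": "RUNNING", "canIpForward": False},  # ordinary infra VM
])
HEALTHY_ROUTES = json.dumps([
    {"name": "abc-cvs-via-rtr", "destRange": "10.20.0.0/24", "priority": 900,
     "nextHopInstance": _INSTANCE_PREFIX + "abcrtr001"},
    {"name": "abc-mad-via-rtr", "destRange": "10.30.0.0/24", "priority": 900,
     "nextHopInstance": _INSTANCE_PREFIX + "abcrtr002"},
    {"name": "default-route", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": _GATEWAY},
])

# Degraded state: one router VM stopped and one route repointed at a non-router VM.
DEGRADED_INSTANCES = json.dumps([
    {"name": "abcrtr001", "status": "RUNNING", "canIpForward": True},
    {"name": "abcrtr002", "status": "TERMINATED", "canIpForward": True},
    {"name": "abcdc001", "status": "RUNNING", "canIpForward": False},
])
DEGRADED_ROUTES = json.dumps([
    {"name": "abc-cvs-via-rtr", "destRange": "10.20.0.0/24", "priority": 900,
     "nextHopInstance": _INSTANCE_PREFIX + "abcdc001"},
    {"name": "abc-mad-via-rtr", "destRange": "10.30.0.0/24", "priority": 900,
     "nextHopInstance": _INSTANCE_PREFIX + "abcrtr002"},
    {"name": "default-route", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": _GATEWAY},
])


def router_vm_names(deployment_id: str) -> List[str]:
    """Router VM names follow the xxxrtr001 / xxxrtr002 convention from the page."""
    return [f"{deployment_id}rtr001", f"{deployment_id}rtr002"]


def check_router_vms(instances: List[Dict], deployment_id: str) -> List[str]:
    """Each router VM must exist, be RUNNING, and be allowed to forward packets."""
    findings = []
    by_name = {vm["name"]: vm for vm in instances}
    for name in router_vm_names(deployment_id):
        vm = by_name.get(name)
        if vm is None:
            findings.append(f"router VM {name} is missing")
            continue
        if vm.get("status") != "RUNNING":
            findings.append(f"router VM {name} is {vm.get('status')}, expected RUNNING")
        if not vm.get("canIpForward"):
            findings.append(f"router VM {name} has IP forwarding disabled")
    return findings


def check_service_routes(routes: List[Dict], service_subnets: Dict[str, str],
                         router_names: List[str]) -> List[str]:
    """Every service subnet needs a route whose next hop is one of the router VMs."""
    findings = []
    for service, cidr in service_subnets.items():
        subnet = ipaddress.ip_network(cidr)
        matching = [r for r in routes if ipaddress.ip_network(r["destRange"]) == subnet]
        if not matching:
            findings.append(f"no route for {service} subnet {cidr}")
            continue
        for route in matching:
            # nextHopInstance is a full resource URL; the VM name is its last segment.
            hop_name = route.get("nextHopInstance", "").rsplit("/", 1)[-1]
            if hop_name not in router_names:
                findings.append(f"route {route['name']} for {service} subnet {cidr} "
                                "does not use a router VM as next hop")
    return findings


def audit(instances_json: str, routes_json: str, deployment_id: str = DEPLOYMENT_ID,
          service_subnets: Dict[str, str] = SERVICE_SUBNETS) -> List[str]:
    """Return a list of findings; an empty list means the workaround looks intact."""
    instances = json.loads(instances_json)
    routes = json.loads(routes_json)
    return (check_router_vms(instances, deployment_id)
            + check_service_routes(routes, service_subnets, router_vm_names(deployment_id)))


if __name__ == "__main__":
    for label, inst, rts in (("healthy", HEALTHY_INSTANCES, HEALTHY_ROUTES),
                             ("degraded", DEGRADED_INSTANCES, DEGRADED_ROUTES)):
        print(label, audit(inst, rts) or ["OK: workaround components intact"])
```

Any non-empty result is a reason to contact itopia Support rather than to repair the components by hand, since the page notes that router VMs cannot currently be re-created by an administrator.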