This chapter covers Google Cloud Filestore, a fully managed NFS file server for Compute Engine and GKE instances. Filestore is critical for migrating on-premises NFS workloads, shared file systems, and high-performance computing (HPC) scenarios. On the ACE exam, Filestore appears in roughly 5-8% of questions, typically in the context of choosing between block, file, and object storage for specific use cases, configuring access controls, and understanding performance tiers. This chapter will give you the exact technical details you need to ace those questions.
Jump to a section
Imagine a company with 100 employees, each with their own desk and computer. They need to share documents like contracts, spreadsheets, and reports. Instead of emailing files back and forth (which creates version chaos), they install a single large filing cabinet in the center of the office. This filing cabinet has multiple drawers, and each drawer has a lock with a key. The office manager (Filestore service) controls who gets keys to which drawers. When an employee wants to read a file, they walk to the cabinet, unlock the drawer, pull out the file, and read it at their desk. When they want to save changes, they walk back, lock the drawer, and the file is updated. Crucially, multiple employees can read the same file at the same time because the cabinet allows multiple copies of the file to be checked out simultaneously. However, if two employees try to edit the same file at the exact same moment, the filing cabinet uses a 'last writer wins' rule—the last person to put the file back overwrites the previous version. This is exactly how NFS works: the Filestore instance is the filing cabinet, the drawers are volumes (file shares), the keys are access permissions (IP-based or Kerberos), and the employees are Compute Engine instances or GKE pods. The 'last writer wins' behavior is the NFS protocol's lack of file locking by default, which can cause data corruption if multiple writers edit the same file concurrently. To prevent chaos, applications must use application-level locking or a distributed file system like Lustre (which Filestore also supports for high-performance computing).
What is Filestore and Why Does It Exist?
Filestore is Google Cloud's fully managed Network File System (NFS) service. It provides shared file storage that can be mounted by multiple Compute Engine VM instances and Google Kubernetes Engine (GKE) pods simultaneously, using the standard NFS protocol (NFSv3). The primary reason Filestore exists is to support legacy applications that require POSIX-compliant shared file systems—applications that cannot be easily refactored to use object storage (Cloud Storage) or block storage (Persistent Disk). Common use cases include:
Home directories for users
Shared data for media rendering or genomics workloads
Content management systems (e.g., WordPress with shared uploads)
HPC simulations requiring low-latency parallel file access
Filestore is not an object store; it is a file server with a directory hierarchy, symbolic links, and file-level locks (though NFSv3 locking is advisory). It is accessed via NFS mounts, typically using the mount command with options like hard,intr,vers=3,noatime.
How Filestore Works Internally
Filestore instances are provisioned in a Google-managed tenant project. Each instance has a private IP address (RFC 1918) within a VPC network of your choice. The instance runs an NFS server daemon (likely a custom implementation based on Linux NFS) that exports one or more file shares (called 'volumes'). When a client mounts the share, it uses the NFS protocol to perform remote procedure calls (RPCs) for file operations. The NFS protocol is stateless—the server does not track which clients have which files open; instead, each RPC contains the file handle and offset. This statelessness simplifies crash recovery but means that file locking (if used) requires a separate lock manager (NLM) service. Filestore supports NFSv3 with NLM for advisory locking, but it does not support mandatory locking.
Data is stored on Google's persistent storage backend (likely using Colossus, the same distributed file system that underlies Persistent Disk). Each Filestore instance is replicated synchronously within a single zone (zonal) or across two zones (regional, for higher availability). The performance tier determines the underlying hardware: HDD for capacity-optimized, SSD for performance-optimized, and high-scale SSD for large-throughput workloads. The instance's capacity and throughput are provisioned together—you choose a tier and a capacity (in GiB), and the baseline IOPS and throughput are determined by that capacity. For example, a 1 TiB Basic HDD instance provides 100 MB/s read throughput and 50 MB/s write throughput, while a 1 TiB High Scale SSD instance provides 1.2 GB/s read and 600 MB/s write.
Key Components, Values, Defaults, and Timers
Instance types: Basic HDD, Basic SSD, High Scale SSD, Enterprise (newer, with higher performance and regional availability).
Capacity range: 1 TiB to 100 TiB for Basic tiers; 2.5 TiB to 100 TiB for High Scale; Enterprise starts at 1 TiB.
Throughput: Scales linearly with capacity. For Basic HDD: 100 MB/s read + 50 MB/s write per TiB (baseline). For Basic SSD: 400 MB/s read + 200 MB/s write per TiB. For High Scale SSD: 1.2 GB/s read + 600 MB/s write per TiB.
IOPS: For Basic SSD, approximately 5000 IOPS per TiB (read) and 2500 IOPS per TiB (write).
Access controls: IP-based (by default) or Kerberos (if you enable security). IP-based access uses a list of allowed source IP ranges (CIDR blocks) on the instance. Kerberos requires a managed Microsoft Active Directory domain.
Mount options: Typical mount command:
sudo mount -o hard,intr,vers=3,noatime <FILESTORE_IP>:/<SHARE_NAME> /mnt/filestoreHard vs soft mount: Hard mount (default) retries indefinitely until the server responds; soft mount returns an error after a timeout (default 60 seconds). Hard mounts are recommended for data integrity but can cause processes to hang if the server is down.
Reserved ports: NFS uses port 2049 (TCP/UDP). Portmapper uses port 111.
File handle persistence: File handles are unique per file and persist across reboots; they are 64 bytes in size.
NFSv3 specifics: No support for byte-range locking (NLM is used for advisory locking). No support for change notification (no 'notify' mechanism).
Configuration and Verification Commands
To create a Filestore instance using gcloud:
gcloud filestore instances create <INSTANCE_NAME> \
--zone=<ZONE> \
--tier=BASIC_SSD \
--file-share=name=<SHARE_NAME>,capacity=<SIZE>TiB \
--network=name=<VPC_NAME>,reserved-ip-range=<CIDR>--network specifies the VPC network and an optional reserved IP range for the instance's private IP. If not specified, a /29 is automatically allocated.
To mount on a Linux VM:
sudo mkdir -p /mnt/filestore
sudo mount -o hard,intr,vers=3,noatime <FILESTORE_IP>:/<SHARE_NAME> /mnt/filestoreTo verify mount:
df -h | grep filestore
# or
mount | grep filestoreTo check NFS server exports:
showmount -e <FILESTORE_IP>To list active NFS mounts on client:
nfsstat -mInteraction with Related Technologies
Compute Engine: VMs mount Filestore via NFS. Network egress from VM to Filestore is free if both are in the same zone. Cross-zone or cross-region access incurs standard network costs.
GKE: Pods can mount Filestore volumes using a PersistentVolume (PV) with NFS. Example PV definition:
apiVersion: v1
kind: PersistentVolume
metadata:
name: filestore-pv
spec:
capacity:
storage: 1Ti
accessModes:
- ReadWriteMany
nfs:
path: /<SHARE_NAME>
server: <FILESTORE_IP>Cloud VPN / Interconnect: On-premises systems can mount Filestore over VPN or Dedicated Interconnect if the VPC network is connected. Latency will be higher; performance may degrade.
Cloud Run: Filestore cannot be mounted by Cloud Run (serverless) because it requires a kernel-level NFS client. Use Cloud Storage instead.
App Engine: Similarly, App Engine standard and flexible cannot mount NFS.
Data migration: Use rsync or gcloud filestore instances migrate (for regional to zonal or vice versa). For large datasets, use Transfer Service for on-premises or Cloud Storage as an intermediary.
Performance and Scaling Considerations
Filestore instances have a maximum throughput and IOPS that scale with capacity. However, there is also a per-instance ceiling: for Basic SSD, maximum read throughput is 1.2 GB/s (at 3 TiB), and for High Scale SSD, maximum is 10 GB/s (at 10 TiB). Beyond that, you need to create additional instances and distribute data. Write throughput is typically half of read throughput. Latency for Basic SSD is around 1-2 ms; for Basic HDD, 5-10 ms. For HPC workloads, High Scale SSD provides sub-millisecond latency.
Security and Access Control
By default, Filestore uses IP-based access control: you specify a list of allowed CIDR blocks. There is no authentication; any client within the allowed IP range can mount the share. For stronger security, you can enable Kerberos authentication, which requires a managed Microsoft AD domain. Additionally, you can use VPC firewall rules to restrict traffic to port 2049 from specific source ranges. Encryption at rest is always enabled (AES-256). Encryption in transit is not supported by NFSv3; data is unencrypted over the network. For encrypted transport, use a VPN tunnel or SSHFS as a workaround.
Backup and Disaster Recovery
Filestore does not have built-in snapshots (as of the latest API). However, you can back up data using rsync to Cloud Storage or another Filestore instance. For regional instances, data is replicated across two zones; if one zone fails, the instance continues serving from the other zone. For zonal instances, a zone failure means the instance is unavailable. There is no cross-region replication built-in; you must implement your own using rsync or a third-party tool.
Limitations
Maximum file size: 5 TiB per file (on Basic tiers; higher on Enterprise).
Maximum number of files per share: 100 million (for Basic tiers).
Maximum number of concurrent clients: 1000 (Basic), 5000 (High Scale).
No support for NFSv4 (only NFSv3).
No support for SMB/CIFS (use Filestore for Windows only via NFS client, which Windows supports).
No native integration with Cloud Audit Logs for file-level operations (only instance-level admin activities are logged).
Provision Filestore Instance
Use the Google Cloud Console, gcloud CLI, or Terraform to create a Filestore instance. Choose a zone (zonal) or two zones (regional), a tier (Basic HDD, Basic SSD, High Scale SSD, or Enterprise), and specify the file share name and capacity. The instance gets a private IP address from a reserved /29 CIDR range in your VPC network. This step determines the performance characteristics and cost. For exam scenarios, remember that tier and capacity directly affect throughput and IOPS. The instance creation typically takes 5-10 minutes.
Configure Access Control
After creation, you must configure which IP addresses are allowed to mount the share. By default, no IPs are allowed. You add allowed CIDR blocks via the console or gcloud. For Kerberos, you must first set up a managed AD domain and then enable Kerberos on the instance. IP-based access is simpler but less secure. On the exam, remember that IP-based access is the default and that Kerberos requires AD. Also note that you can use VPC firewall rules as an additional layer to restrict NFS traffic.
Mount on Client VM or GKE Pod
On a Linux VM, create a mount point directory (e.g., /mnt/filestore) and use the mount command with the instance IP and share name. Use options like `hard,intr,vers=3` for reliability. On GKE, define a PersistentVolume of type NFS and a PersistentVolumeClaim, then reference the claim in a pod. The mount happens at pod startup. If the mount fails, the pod may remain in ContainerCreating state. Verify with `df -h` or `mount`.
Read and Write Data
Once mounted, the share behaves like a local filesystem. Applications can read, write, create, delete files using standard POSIX calls. NFSv3 is stateless, so each RPC is independent. File locking is advisory—applications must use `flock` or `lockf` to coordinate. Without locking, concurrent writes can cause data corruption. The exam may test that NFSv3 does not support mandatory locking. Performance depends on the instance tier and capacity; monitor using `iostat` or Cloud Monitoring metrics.
Monitor and Scale
Monitor Filestore metrics like throughput, IOPS, and capacity usage via Cloud Monitoring. If performance degrades, you can increase capacity (which increases throughput) by updating the instance (requires a brief downtime). For Basic tiers, you can only increase capacity; you cannot decrease. For High Scale, you can also increase capacity. If you need more throughput than the maximum for a single instance, you must create multiple instances and distribute data. On the exam, know that scaling up capacity is the primary way to improve performance.
Enterprise Scenario 1: Media Rendering Farm
A video production company runs a render farm on Compute Engine. Each render node needs access to shared project files (models, textures, and output sequences). They use Filestore Basic SSD with 10 TiB capacity, providing 4 GB/s read and 2 GB/s write throughput. The render nodes mount the same share via NFS. The challenge is that hundreds of nodes read and write simultaneously, causing NFS lock contention. The solution is to use application-level locking (e.g., a job scheduler that assigns unique output filenames) and to avoid editing the same file concurrently. They also use noatime mount option to reduce metadata writes. In production, they monitor Cloud Monitoring for throughput spikes and increase capacity when the render queue grows. Misconfiguration: If they use soft mounts, a temporary network glitch causes render failures (error 5: Input/output error). They learned to use hard mounts with intr to allow interruption.
Enterprise Scenario 2: Shared Home Directories for Developers
A SaaS company with 500 developers uses Filestore to provide home directories across multiple Compute Engine instances. They use Basic HDD (cost-effective for infrequent access) with 5 TiB capacity. Each developer's home directory is a subdirectory under the share. They use IP-based access control, restricting to the VPC subnet. They also use Kerberos for authentication to prevent unauthorized mounts. The main issue is performance: when many developers compile code simultaneously, the HDD throughput becomes a bottleneck. They upgrade to Basic SSD. Another issue: accidental deletion of files by users. They implement periodic rsync backups to Cloud Storage every hour. The exam may test that Filestore does not have built-in snapshots, so external backup is required.
Enterprise Scenario 3: HPC Genomics Workload
A research institute runs large-scale genomics analysis using GKE. The pipeline requires reading large reference genomes (100s of GB) and writing intermediate results. They use Filestore High Scale SSD with 10 TiB capacity, providing 12 GB/s read throughput. They mount the share on GKE nodes using a PersistentVolume with ReadWriteMany access mode. The challenge is achieving low latency for small random reads. High Scale SSD delivers sub-millisecond latency. They also need to share data with on-premises servers via Dedicated Interconnect. The NFS mount over Interconnect works but adds 2-3 ms latency. They optimize by using local SSDs for scratch data and Filestore only for persistent shared data. Misconfiguration: They initially used a zonal instance, causing downtime when the zone failed. They switched to a regional instance for high availability. The exam may test that regional instances provide multi-zone redundancy but are more expensive.
What the ACE Exam Tests on Filestore
The ACE exam objective 2.2 (Planning Solutions) includes Filestore as a managed NFS option. Questions typically appear in the context of choosing the right storage service for a given workload. The exam focuses on: - Differentiating Filestore from Cloud Storage and Persistent Disk: Filestore is for shared POSIX file systems; Cloud Storage is for object storage; Persistent Disk is for block storage attached to a single VM. - Performance tiers and capacity: Know the throughput values per TiB for Basic HDD (100/50 MB/s), Basic SSD (400/200 MB/s), and High Scale SSD (1.2/0.6 GB/s). Remember that throughput scales linearly with capacity. - Access control: IP-based vs Kerberos. Default is IP-based. Kerberos requires managed AD. - NFS version: Only NFSv3 is supported (not v4). This is a common distractor. - Mount options: Hard vs soft mount. Hard is default and recommended for data integrity. Soft mount returns errors after timeout. - Limitations: No snapshots, no encryption in transit (NFSv3), max 1000 clients (Basic), max 5 TiB file size. - GKE integration: Use PersistentVolume of type NFS with ReadWriteMany.
Common Wrong Answers and Why Candidates Choose Them
'Filestore supports NFSv4': Candidates confuse Filestore with other NFS implementations. The exam explicitly tests that Filestore only supports NFSv3. If you see NFSv4 in an answer, eliminate it.
'Use Filestore for a single VM requiring high IOPS': Candidates think Filestore is faster than Persistent Disk. But Persistent Disk (SSD) can provide higher IOPS per VM (up to 100,000 IOPS for pd-extreme). Filestore is for *shared* access, not single-VM performance.
'Filestore provides snapshots': Many assume managed services include snapshots. Filestore does not. The exam may offer Cloud Storage as a backup solution.
'Filestore can be mounted by Cloud Run': Serverless services cannot mount NFS. The correct answer is Cloud Storage for serverless.
'Soft mount is always better': Candidates think soft mounts prevent hangs. But for data integrity, hard mounts are required; soft mounts can cause silent data loss.
Specific Exam Values and Terms
Tier names: BASIC_HDD, BASIC_SSD, HIGH_SCALE_SSD, ENTERPRISE.
Capacity range: 1 TiB to 100 TiB (Basic), 2.5 TiB to 100 TiB (High Scale).
Max clients: 1000 (Basic), 5000 (High Scale).
Max file size: 5 TiB.
NFS version: 3.
Port: 2049.
Mount option for retry: hard.
Edge Cases and Exceptions
Regional instances: Provide multi-zone availability but cost more. Exam may ask which to choose for high availability.
Cross-region access: Possible but incurs network costs and higher latency. Not recommended for performance-sensitive workloads.
Windows clients: Windows supports NFSv3, but configuration is complex (requires Services for NFS). The exam may mention that Windows can mount Filestore.
How to Eliminate Wrong Answers
If the question mentions 'shared file system' and 'POSIX', the answer is likely Filestore.
If the question mentions 'object storage' or 'REST API', eliminate Filestore.
If the question mentions 'snapshots' or 'versioning', eliminate Filestore.
If the question mentions 'high IOPS for a single VM', choose Persistent Disk, not Filestore.
If the question mentions 'serverless' or 'Cloud Run', choose Cloud Storage or a database.
Filestore is a fully managed NFSv3 file server for shared POSIX access from Compute Engine and GKE.
Performance tiers: Basic HDD (100/50 MB/s per TiB), Basic SSD (400/200 MB/s per TiB), High Scale SSD (1.2/0.6 GB/s per TiB).
Access control: IP-based (default) or Kerberos (requires managed AD).
Mount options: Use `hard,intr,vers=3,noatime`. Hard mount retries indefinitely; soft mount returns errors after timeout.
Limitations: No snapshots, no NFSv4, max 1000 clients (Basic), max file size 5 TiB, no encryption in transit.
For GKE: Use PersistentVolume with NFS type and ReadWriteMany access mode.
Backup: Use rsync to Cloud Storage; no built-in snapshot feature.
Scaling: Increase capacity to increase throughput; cannot decrease capacity.
These come up on the exam all the time. Here's how to tell them apart.
Filestore
POSIX-compliant file system with directory hierarchy
Access via NFSv3 (kernel mount)
Shared among multiple VMs and GKE pods
Supports file locking (advisory)
No built-in encryption in transit
Cloud Storage
Object storage with flat namespace (or hierarchical via prefixes)
Access via HTTP/HTTPS (REST API, gcloud, client libraries)
Globally accessible from anywhere
No file locking; eventual consistency for overwrites
Encryption in transit with HTTPS
Mistake
Filestore supports NFSv4
Correct
Filestore only supports NFSv3. NFSv4 features like delegation and compound operations are not available. The exam tests this distinction.
Mistake
Filestore provides automatic snapshots
Correct
Filestore does not have built-in snapshot capabilities. You must use rsync or third-party tools for backups. Cloud Storage is a common target.
Mistake
Filestore can be mounted by Cloud Run or App Engine
Correct
Serverless compute services cannot mount NFS. They use Cloud Storage or other HTTP-based storage. Only Compute Engine and GKE can mount Filestore.
Mistake
Filestore is faster than Persistent Disk for a single VM
Correct
Persistent Disk (SSD) can provide higher IOPS per VM (up to 100,000 for pd-extreme) compared to Filestore's shared throughput. Filestore is optimized for shared access, not single-VM performance.
Mistake
Soft mounts are always better because they prevent hangs
Correct
Soft mounts can cause silent data corruption because they return errors after timeout, leaving the application with incomplete writes. Hard mounts retry indefinitely, ensuring data integrity at the cost of potential process hangs.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, Windows supports NFSv3 as a client. You need to enable the 'Services for NFS' feature (in Windows Server) or install the 'Client for NFS' component. Then use the `mount` command with the Filestore IP and share name. However, Windows NFS client has limitations, such as no support for file locking in all scenarios. On the exam, remember that Filestore is primarily for Linux workloads, but Windows can mount it.
Persistent Disk is block storage attached to a single VM (or mounted as read-only by multiple VMs). Filestore is a file server that multiple VMs can read-write simultaneously. Persistent Disk offers higher IOPS per VM (up to 100,000 for pd-extreme) while Filestore provides shared access with lower per-client performance. Use Persistent Disk for databases or high-performance single-VM apps; use Filestore for shared files, home directories, or legacy NFS apps.
No, NFSv3 does not encrypt data in transit. Data is sent in plaintext over the network. To encrypt, you must use a VPN tunnel (e.g., Cloud VPN) between the client and the Filestore instance, or use an SSHFS tunnel. The exam may test that encryption in transit is not available natively.
Filestore does not have built-in snapshots. The recommended approach is to use `rsync` to copy data to Cloud Storage or another Filestore instance. You can also use third-party backup tools. For large datasets, consider using Transfer Service for on-premises data. On the exam, know that you must implement your own backup strategy.
No, Cloud Run is a serverless platform that does not support kernel-level NFS mounts. You must use Cloud Storage or a database for shared data. The exam often includes distractors suggesting Filestore for serverless workloads.
For Basic tiers, the maximum is 1000 concurrent clients. For High Scale SSD, it is 5000. Exceeding these limits may cause performance degradation. The exam may ask about these limits.
Performance scales linearly with capacity. To increase throughput, increase the provisioned capacity (e.g., from 1 TiB to 2 TiB). For Basic tiers, you can only increase capacity; you cannot decrease. For High Scale, you can also increase. There is no way to change the tier after creation without creating a new instance and migrating data.
You've just covered Filestore for Managed NFS — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?