FAQs for File Storage for VPC

Do I need to create a VPC before I can create a file share?

No. You can create a file share independent of a VPC. However, to create a mount target, you must have a VPC available. To mount a file share, you must provision a virtual server instance within that VPC.

I have existing VPCs. Can I create a file share within that VPC?

Yes.

Can I mount file shares on a Windows operating system?

No, file shares can be mounted only on Linux operating systems or a z/OS-based IBM Cloud® Compute Instance that support NFS file shares. For more information, see the topics about mounting file shares on Red Hat, CentOS, and Ubuntu Linux distributions, or z/OS systems. Mounting file shares on Windows servers is not supported.

What is the minimum NFS version supported?

File Storage for VPC requires NFS versions v4.1 or higher.

Who do I contact to help with any issues? What information do I need to provide?

For more information about who to contact, see Getting help and support. Provide as much information as you can, including error messages, screen captures, and API error codes and responses. Include any messages from the VPC and the file storage service.

How am I charged for usage?

Cost for File Storage for VPC is calculated based on the GiB capacity that is stored per month, unless the duration is less than one month. The share exists on the account until you delete the share or you reach the end of a billing cycle, whichever comes first.

Pricing is also affected when you expand share capacity or adjust IOPS. For example, expanding volume capacity increases costs, and decreasing the IOPS value decreases the monthly and hourly rate. Billing for an updated volume is automatically updated to add the prorated difference of the new price to the current billing cycle. The new full amount is then billed in the next billing cycle.

You can use the Cost estimator in IBM Cloud console to see how changes in capacity and IOPS affect the cost. For more information, see Estimating your costs.

You also incur charges when you replicate data to a different region. Charges for data transfer between the two file shares are calculated with a flat rate in GiB increments. The charges are based on the amount of data that was transferred during the entire billing period. You can use the replication sync information to see the transferred data values, which can help you estimate the global transfer charges at the end of the billing period.

Where can I find pricing information?

In the console, go to the File storage share for VPC provisioning page and click the Pricing tab. On the Pricing tab, you can view details of the pricing plan based on the selected Geography, Region, and Currency. You can also switch between Hourly and Monthly rates.

You can programmatically retrieve the pricing information by calling the Global Catalog API. For more information, see Getting dynamic pricing.

Can I mount the same file share in different zones in my region?

Yes, you can mount file shares across different zones in your region. For more information, see Cross-zone mount targets.

Can I mount file shares for my Kube containers?

Yes. You can mount file shares by using the NFSv4.1 protocol.

Can I mount the same file shares between two virtual server instances?

Yes, when the virtual server instances are in the same region.

I use a load balancer across zones. Is there a way to copy the file share?

No.

Are there any options for backup for data retention?

No. As a best practice, independently back up your data. When your file share data is deleted, it can't be restored.

Are file shares elastic?

File shares are not elastic. Currently, you can provision a minimum of 10 GiB to a maximum of 32,000 GiB file shares, depending on the file share profile.

Can I change the size of a file share?

You can increase the size of a file share from its original capacity in GiB increments up to 32,000 GiB capacity, depending on your file share profile. For more information, see expanding file share capacity.

Can my file shares be replicated to protect my data from disastrous events?

Yes. You can create replicas of your file shares by setting up a replication relationship between primary file shares in one zone to replica file share in another zone. Using replication is a good way to recover from incidents at the primary site, when data becomes inaccessible or applications fail. For more information, see About file share replication.

How does file share replication work?

when you create a file share, you can set up a replication relationship between a primary source file share to a replica file share in a different zone. When the file share is created, so is the replica share in the other zone. When the replication relationship is established, the replica file share begins pulling data from the source file share. The replica file share is read-only until you break the replication relationship, creating two independent file shares, or fail over to the replica file share. For more information about setting up replication, see Creating replica file shares.

How do I schedule replication?

You can choose the frequency of replication by creating a schedule with a cronspec and can replicate as frequently as every hour. Set up replication from the UI, CLI, or by calling the API.

I want to set up replication. Is there an automatic failover?

No, choosing to fail over to the replica site is a manual operation, and you must reconcile your data after the failover to the replica share is done. For more information about how failover works for disaster recovery, see Failover for disaster recovery.

Can I add tags to my file shares?

Yes. You can specify user and access management tags when you create a file share or update an existing file share. Adding user tags to a file share or replica share can make organizing your resources easier. For more information, see Add user tags to a file share. File Storage for VPC also supports access management tags. For more information, see Access management tags for file shares.

What is the dp2 profile?

The dp2 profile is the latest file storage profile, offering greater capacity and performance for your file shares. With this profile, you can specify the total IOPS for the file share within the range for a specific file share size. You can provision shares with IOPS performance from 100 IOPS to 96,000 IOPS, based on share size. For more information, see dp2 file storage profile.

Can I migrate all my file share profiles to dp2?

You can migrate file shares that were created by using either the IOPS tier profile or custom IOPS profile to the latest dp2 profile. By migrating to the dp2 profile, you can take advantage of the latest File Storage for VPC features. Currently, you can use the File Storage for VPC UI, CLI, or API to revise a single file share profile. For migrating multiple shares, you need to create your own script that would first list these shares and then go through the list of shares and update each individual share profile.

Can I restrict access to my file share to a specific virtual server instance?

Yes. When you create a file share, you must specify the access control mode. It can be based on Security Groups, which restrict the access to the file share to specific resources in the VPC. Or the access mode can allow for VPC-wide file share mounting. For more information, see Mount target access modes.

Can I securely share my data with other accounts?

Yes. You can use IAM authorization policies to allow another account to mount your file share and access its contents. For more information, see Sharing file share data between accounts and services.

What is an accessor share?

Administrators with the right authorizations can configure access to a file share from virtual service instances of a VPC that belongs to another account. An accessor share is an object that is created in the accessor account that shares characteristics of the origin share such as size, profile and encryption types. It is the representation of the origin share in the accessor account. The accessor account creates a mount target to the accessor share which creates a network path that the virtual server can use to access the data on the origin share. The accessor share does not hold any data and cannot exist independently from the origin share. For more information, see Sharing file share data between accounts and services.

How many accessor shares can be set up to access my share?

A share can have maximum of 100 accessor bindings. This restriction is placed at origin share level. After the number of active accessor bindings reached 100, any attempt to create another accessor share fails.

How can I ensure other accounts use encryption in transit when they access my data?

As the share owner, you have the right to enforce the use of encryption in transit when another account accesses the file share data. When you create a file share, you can set the allowed transit encryption modes to user_managed_required. This value is inherited by the accessor share of the accessor account, which ensures that only mount targets that support encryption in transit can be attached to the accessor share.

If your file share was created before 18 June 2024, its allowed transit encryption modes is set to user_managed,none. This setting can be changed in the consolefrom the CLIwith the APIwith Terraform. Existing mount targets must be deleted first. For more information, see Deleting mount target of a file share in the UI Deleting a mount target of a file share from the CLIDeleting mount target of a file share with the API Deleting a mount target with Terraform.

Can I adjust the performance of my file shares?

Yes, you can increase or decrease IOPS for file shares based on an IOPS tier, custom, or dp2 profile. Adjusting IOPS depends on the file share size. Adjusting the IOPS causes no outage or lack of access to the storage. Pricing is adjusted with your selection. For more information, see Adjusting file share IOPS.

Can I change a file share profile?

Yes, you can use the UI, CLI, or API to update a file share profile. You can change among IOPS tier profiles. When you select a custom profile or dp2 high-performance profile, you specify the maximum IOPS based on the file share size.

You can't use the UI, CLI, or API to update multiple file shares in a single operation. For more on this issue, see troubleshooting File Storage for VPC.

How secure is my data?

All data is encrypted at rest by default with IBM-managed encryption. You can also encrypt your file shares with your own root key, which gives your more control over your data security. For example, you can rotate, suspend, delete, and restore your root keys. For more information, see Creating file shares with customer-managed encryption.

You can also enable secure end-to-end encryption of your file share data by setting up data encryption in transit. When encryption in transit is enabled, you can establish an encrypted mount connection between the virtual server instance and storage system by using the Internet Security Protocol (IPsec) security profile. For more information, see Enabling file share encryption in transit secure connections.

Is there support for security groups and network ACLs?

Yes. You can specify the security group access control mode to restrict mounting file shares to specific instances in your VPC. For more information, see Granular authentication.

How is my data protected in a file share? Can I use my own encryption keys?

By default, your file share data is protected at rest with IBM-managed encryption. You can also bring your own keys to the IBM Cloud® and use them to encrypt your file shares. For more information, see Creating file shares with customer-managed encryption. By using the API, you can link a primary account that holds a root key to a secondary account, then use that key to encrypt new file shares in the secondary account. For more information, see Cross-account encryption for multitenant storage resources.

Is my data protected during transit?

You can enable secure end-to-end encryption of your data when you use file shares with security-group-based access control mode and mount targets with virtual network interfaces. When such a mount target is attached and the share is mounted, the virtual network interface performs security group policy check to ensure that only authorized instances can communicate with the share. The traffic between the authorized virtual server instance and the file share can be IPsec encapsulated by the client. For more information, see Encryption in transit - Securing mount connections between file share and host.

Encryption in transit is not supported between File Storage for VPC and Bare Metal Servers for VPC.