If your organization uses Shared VPC, you can set up Serverless VPC Access connectors in either the service project or the host project. This guide shows how to set up a connector in the service project.
If you need to set up a connector in the host project, see Configure connectors in the host project. To learn about the advantages of each method, see Connecting to a Shared VPC network.
At a high level, you must take the following steps:
- Add firewall rules to allow required IP ranges
- Grant permissions
- Create a subnet
- In the page Configuring Serverless VPC Access, complete the steps in the following sections:
Before you begin
Serverless VPC Access is not compatible with the URL Fetch
service. Before you begin, disable the URL Fetch
default by using sockets, and
discontinue any explicit use of the
urlfetch
package.
Add firewall rules to allow IP ranges
To perform these steps, you must have one of the following roles on the host project:
- Compute Engine Security Admin role
- Custom Identity and Access Management (IAM) role with the
compute.firewalls.create
permission enabled
You must create firewall rules to allow requests from the following IP ranges to reach the connector and to be reached by the connector:
- NAT ranges
107.178.230.64/26
35.199.224.0/19
- Health check ranges
130.211.0.0/22
35.191.0.0/16
108.170.220.0/23
These ranges are used by the Google infrastructure underlying Cloud Run, Cloud Run functions, and the App Engine standard environment. All requests from these IPs are guaranteed to originate from Google infrastructure, which ensures that each Cloud Run, Cloud Run functions, and App Engine service/function/app only communicates with the VPC Connector it is connected to.
For a simple configuration, apply the rules to allow serverless services in any service project connected to the Shared VPC network to send requests to any resource in the network.
To apply these rules:
Run the following three commands to set the rules to allow requests from the serverless environment to reach all VPC Connectors in the network:
gcloud compute firewall-rules create serverless-to-vpc-connector \ --allow tcp:667,udp:665-666,icmp \ --source-ranges 107.178.230.64/26,35.199.224.0/19 \ --direction=INGRESS \ --target-tags vpc-connector \ --network=VPC_NETWORK
gcloud compute firewall-rules create vpc-connector-to-serverless \ --allow tcp:667,udp:665-666,icmp \ --destination-ranges 107.178.230.64/26,35.199.224.0/19 \ --direction=EGRESS \ --target-tags vpc-connector \ --network=VPC_NETWORK
gcloud compute firewall-rules create vpc-connector-health-checks \ --allow tcp:667 \ --source-ranges 130.211.0.0/22,35.191.0.0/16,108.170.220.0/23 \ --direction=INGRESS \ --target-tags vpc-connector \ --network=VPC_NETWORK
Where
VPC_NETWORK
is the VPC network to attach your connector to.Create an ingress rule on your VPC network to allow requests from connectors:
gcloud compute firewall-rules create vpc-connector-requests \ --allow tcp,udp,icmp \ --direction=INGRESS \ --source-tags vpc-connector \ --network=VPC_NETWORK
This rule gives the VPC connector access to every resource in the network. To limit the resources that your serverless environment can reach using Serverless VPC Access, specify a target for these firewall rules.
Create firewall rules for specific connectors
Following the procedure in Add firewall rules to allow IP ranges results in firewall rules that apply to all connectors, both current ones and ones created in the future. If you don't want this, but instead want to create rules for specific connectors only, you can scope the rules so that they apply only to those connectors.
To limit the scope of the rules to specific connectors, you can use one of the following mechanisms:
- Network tags. Every connector has two network tags:
vpc-connector
andvpc-connector-REGION-CONNECTOR_NAME
. Use the latter format to limit the scope of your firewall rules to a specific connector. - IP ranges. Use this for the Egress rules only, because it doesn't work for Ingress. You can use the IP range of the connector subnet to limit the scope of your firewall rules to a single VPC connector.
Grant permissions to service accounts in your service projects
For each service project that will use VPC Connectors, a Shared VPC
Admin must grant the Compute Network User
role (compute.networkUser
) in the
host project to the service project cloudservices
and vpcaccess
service
accounts.
To grant the role:
Use these commands:
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \ --role "roles/compute.networkUser" \ --member "serviceAccount:service-SERVICE_PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \ --role "roles/compute.networkUser" \ --member "serviceAccount:SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com"
If the
@gcp-sa-vpcaccess
service account does not exist, turn on the Serverless VPC Access API in the service project and try again:gcloud services enable vpcaccess.googleapis.com
If you prefer not to grant these service accounts access to the entire Shared VPC network and would rather only grant access to specific subnets, you can instead grant these roles to these service accounts on specific subnets only.
Create a subnet
When using Shared VPC, the Shared VPC Admin must create a subnet
for each connector. Follow the documentation in
adding a subnet to add a /28
subnet to the
Shared VPC network. This subnet must be in the same region as the
serverless services that will use the connector.
Next steps
- In the page Configuring Serverless VPC Access, complete the steps in the following sections: