Go 1.11 has reached end of support and will be deprecated on January 31, 2026. After the deprecation date you can no longer deploy Go 1.11 applications, even if your organization previously used an organization policy to re-enable deployment of legacy runtimes. Existing Go 1.11 applications continue to run and receive traffic after the deprecation date. We recommend migrating to the latest supported version of Go.
You must create firewall rules to allow requests from the following IP ranges to reach the connector and to be reached by the connector:

- NAT ranges
  - `107.178.230.64/26`
  - `35.199.224.0/19`
- Health check ranges
  - `130.211.0.0/22`
  - `35.191.0.0/16`
  - `108.170.220.0/23`

These ranges are used by the Google infrastructure underlying Cloud Run, Cloud Run functions, and the App Engine standard environment. All requests from these IPs are guaranteed to originate from Google infrastructure, which ensures that each Cloud Run, Cloud Run functions, and App Engine service/function/app only communicates with the VPC connector it is connected to.

For a simple configuration, apply the rules to allow serverless services in any service project connected to the Shared VPC network to send requests to any resource in the network.

To apply these rules, follow these steps.

Run the following three commands to set the rules that allow requests from the serverless environment to reach all VPC connectors in the network.

This rule gives the VPC connector access to every resource in the network. To limit the resources that your serverless environment can reach using Serverless VPC Access, specify a target for these firewall rules.

### Create firewall rules for specific connectors

Following the procedure in Add firewall rules to allow IP ranges results in firewall rules that apply to all connectors, both current ones and ones created in the future. If you don't want this, but instead want to create rules that apply only to specific connectors, you can narrow the scope of the rules so that they apply only to those connectors.

To limit the scope of the rules to specific connectors, you can use one of the following mechanisms:

- Network tags. Every connector has two network tags: `vpc-connector` and `vpc-connector-REGION-CONNECTOR_NAME`. Use the latter format to limit the scope of your firewall rules to a specific connector.
- IP ranges. Use this option for egress rules only, because it doesn't work for ingress. You can use the IP range of the connector subnet to limit the scope of your firewall rules to a single VPC connector.

Grant permissions to service accounts in your service projects
--------------------------------------------------------------

For each service project that will use VPC connectors, a Shared VPC Admin must grant the Compute Network User role (`compute.networkUser`) in the host project to the service project's `cloudservices` and `vpcaccess` service accounts.
Last updated: 2025-09-04 (UTC)

# Configure connectors in Shared VPC service projects

If your organization uses Shared VPC, you can set up Serverless VPC Access connectors in either the service project or the host project.
This guide shows how to set up a connector in the service project.

If you need to set up a connector in the host project, see [Configure connectors in the host project](/appengine/docs/legacy/standard/go111/shared-vpc-host-project). To learn about the advantages of each method, see [Connecting to a Shared VPC network](/appengine/docs/legacy/standard/go111/connecting-shared-vpc).

At a high level, you must take the following steps:

1. [Add firewall rules to allow required IP ranges](#firewall-rules-shared-vpc)
2. [Grant permissions](#grant-permissions)
3. [Create a subnet](#subnet)
4. In the page [Configuring Serverless VPC Access](/vpc/docs/configure-serverless-vpc-access), complete the steps in the following sections:
   - [Create a Serverless VPC Access connector](/vpc/docs/configure-serverless-vpc-access#create-connector)
   - [Configure your serverless environment to use a connector](/vpc/docs/configure-serverless-vpc-access#configure-environment)

Before you begin
----------------

Serverless VPC Access is not compatible with the URL Fetch service.
Before you begin, disable the URL Fetch default by [using sockets](/appengine/docs/legacy/standard/go111/sockets), and discontinue any explicit use of the [`urlfetch`](/appengine/docs/legacy/standard/go111/urlfetch/reference) package.

Add firewall rules to allow IP ranges
-------------------------------------

To perform these steps, you must have one of the following roles on the host project:

- Compute Engine [Security Admin](/compute/docs/access/iam#compute.securityAdmin) role
- Custom [Identity and Access Management (IAM)](/iam) role with the [`compute.firewalls.create`](/compute/docs/reference/rest/v1/firewalls/insert#iam-permissions) permission enabled

You must create firewall rules to allow requests from the following IP ranges to reach the connector and to be reached by the connector:

- NAT ranges
  - `107.178.230.64/26`
  - `35.199.224.0/19`
- Health check ranges
  - `130.211.0.0/22`
  - `35.191.0.0/16`
  - `108.170.220.0/23`

These ranges are used by the Google infrastructure underlying Cloud Run, Cloud Run functions, and the App Engine standard environment. All requests from these IPs are guaranteed to originate from Google infrastructure, which ensures that each Cloud Run, Cloud Run functions, and App Engine service/function/app only communicates with the VPC Connector it is connected to.

For a simple configuration, apply the rules to allow serverless services in any service project connected to the Shared VPC network to send requests to any resource in the network.

> **Important:** The rules you create using the following process apply to existing and future connectors. If you want to scope these rules so they only apply to specified connectors, see [Create firewall rules with narrower scope](#narrow-scope-rules).

To apply these rules:
1. Run the following three commands to set the rules to allow requests from the serverless environment to reach all VPC Connectors in the network:

   ```bash
   gcloud compute firewall-rules create serverless-to-vpc-connector \
     --allow tcp:667,udp:665-666,icmp \
     --source-ranges 107.178.230.64/26,35.199.224.0/19 \
     --direction=INGRESS \
     --target-tags vpc-connector \
     --network=VPC_NETWORK
   ```

   ```bash
   gcloud compute firewall-rules create vpc-connector-to-serverless \
     --allow tcp:667,udp:665-666,icmp \
     --destination-ranges 107.178.230.64/26,35.199.224.0/19 \
     --direction=EGRESS \
     --target-tags vpc-connector \
     --network=VPC_NETWORK
   ```

   ```bash
   gcloud compute firewall-rules create vpc-connector-health-checks \
     --allow tcp:667 \
     --source-ranges 130.211.0.0/22,35.191.0.0/16,108.170.220.0/23 \
     --direction=INGRESS \
     --target-tags vpc-connector \
     --network=VPC_NETWORK
   ```

   Where `VPC_NETWORK` is the VPC network to attach your connector to.

2. Create an ingress rule on your VPC network to allow requests from connectors:

   ```bash
   gcloud compute firewall-rules create vpc-connector-requests \
     --allow tcp,udp,icmp \
     --direction=INGRESS \
     --source-tags vpc-connector \
     --network=VPC_NETWORK
   ```

   This rule gives the VPC connector access to every resource in the network. To limit the resources that your serverless environment can reach using Serverless VPC Access, [specify a target for these firewall rules](/vpc/docs/firewalls#rule_assignment).

### Create firewall rules for specific connectors

Following the procedure in [Add firewall rules to allow IP ranges](#firewall-rules-shared-vpc) results in firewall rules that apply to *all* connectors, both current ones and ones created in the future.
If you don't want this, but instead want to create rules for specific connectors only, you can scope the rules so that they apply only to those connectors.

To limit the scope of the rules to specific connectors, you can use one of the following mechanisms:

- Network tags. Every connector has two network tags: `vpc-connector` and `vpc-connector-REGION-CONNECTOR_NAME`. Use the latter format to limit the scope of your firewall rules to a specific connector.
- IP ranges. Use this for the Egress rules only, because it doesn't work for Ingress. You can use the IP range of the connector subnet to limit the scope of your firewall rules to a single VPC connector.

Grant permissions to service accounts in your service projects
--------------------------------------------------------------

For each service project that will use VPC Connectors, a Shared VPC Admin must grant the Compute Network User role ([`compute.networkUser`](/compute/docs/access/iam#compute.networkUser)) in the host project to the service project `cloudservices` and `vpcaccess` service accounts.

To grant the role:

1. Use these commands:

   ```bash
   gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
     --role "roles/compute.networkUser" \
     --member "serviceAccount:service-SERVICE_PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com"
   ```

   ```bash
   gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
     --role "roles/compute.networkUser" \
     --member "serviceAccount:SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com"
   ```
2. If the `@gcp-sa-vpcaccess` service account does not exist, turn on the Serverless VPC Access API in the service project and try again:

   ```bash
   gcloud services enable vpcaccess.googleapis.com
   ```

If you prefer not to grant these service accounts access to the entire Shared VPC network and would rather only grant access to specific subnets, you can instead [grant these roles to these service accounts on specific subnets only](/vpc/docs/shared-vpc#svc_proj_admins).

Create a subnet
---------------

When using Shared VPC, the Shared VPC Admin must create a subnet for each connector. Follow the documentation in [adding a subnet](/vpc/docs/create-modify-vpc-networks#add-subnets) to add a `/28` subnet to the Shared VPC network. This subnet must be in the same region as the serverless services that will use the connector.

Next steps
----------

- In the page [Configuring Serverless VPC Access](/vpc/docs/configure-serverless-vpc-access), complete the steps in the following sections:
  - [Create a Serverless VPC Access connector](/vpc/docs/configure-serverless-vpc-access#create-connector)
  - [Configure your serverless environment to use a connector](/vpc/docs/configure-serverless-vpc-access#configure-environment)
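Two points above deserve a worked illustration: the `vpc-connector-requests` rule, which as written lets every connector reach every resource in the network, and the `roles/compute.networkUser` grant, which should end up on exactly the two documented service accounts. The following POSIX shell helpers are an added example, not part of the Google Cloud documentation. They build a narrower version of the ingress rule (the documented per-connector tag `vpc-connector-REGION-CONNECTOR_NAME` as the source tag, a target tag on the backend instances, and an explicit port list instead of `tcp,udp,icmp`), and they compare the members that hold the Compute Network User role against the two service accounts the page names. The network, region, connector name, backend tag and port values, the sample policy listing, and the `DRY_RUN` switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation.
# All resource names below (shared-net, us-central1, svc-a-conn, db-backend,
# project number 123456789012) are placeholders; the gcloud commands only run
# when DRY_RUN is unset.
set -eu

# Documented per-connector network tag: vpc-connector-REGION-CONNECTOR_NAME
connector_tag() {
  printf 'vpc-connector-%s-%s\n' "$1" "$2"
}

# Build a narrowly scoped replacement for "vpc-connector-requests":
# only from one connector, only to instances tagged BACKEND_TAG, only on PORTS.
# Usage: scoped_ingress_rule NETWORK REGION CONNECTOR_NAME BACKEND_TAG PORTS
scoped_ingress_rule() {
  local network="$1" region="$2" name="$3" backend_tag="$4" ports="$5"
  local tag
  tag=$(connector_tag "$region" "$name")
  set -- gcloud compute firewall-rules create "${name}-to-${backend_tag}" \
    --allow "$ports" --direction=INGRESS --source-tags "$tag" \
    --target-tags "$backend_tag" --network="$network"
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The two members the page says must hold roles/compute.networkUser,
# derived from the service project NUMBER (not the project ID).
expected_network_user_members() {
  printf 'serviceAccount:service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com\n' "$1"
  printf 'serviceAccount:%s@cloudservices.gserviceaccount.com\n' "$1"
}

# Read member strings on stdin (one per line) and print any that are not in the
# expected set for the given service project numbers. Returns 1 if any is found.
# Live input (assumed pipeline using gcloud's standard output flags):
#   gcloud projects get-iam-policy HOST_PROJECT_ID \
#     --flatten="bindings[].members" \
#     --filter="bindings.role:roles/compute.networkUser" \
#     --format="value(bindings.members)" | audit_network_user_members 123456789012
audit_network_user_members() {
  local expected status member
  expected=$(for n in "$@"; do expected_network_user_members "$n"; done)
  status=0
  while IFS= read -r member; do
    [ -z "$member" ] && continue
    if ! printf '%s\n' "$expected" | grep -Fxq -- "$member"; then
      printf 'UNEXPECTED: %s\n' "$member"
      status=1
    fi
  done
  return $status
}

# Constructed sample of what the get-iam-policy pipeline above might print:
# the two documented service accounts plus one human principal.
SAMPLE_MEMBERS='serviceAccount:service-123456789012@gcp-sa-vpcaccess.iam.gserviceaccount.com
serviceAccount:123456789012@cloudservices.gserviceaccount.com
user:someone@example.com'

main() {
  DRY_RUN=1
  scoped_ingress_rule shared-net us-central1 svc-a-conn db-backend tcp:5432
  printf '%s\n' "$SAMPLE_MEMBERS" | audit_network_user_members 123456789012 \
    || echo "review the extra networkUser binding above"
}

# Run stand-alone with:  sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then main; fi
```

With `DRY_RUN` set, `scoped_ingress_rule` prints the `gcloud` command instead of executing it, so the rule can be reviewed before it is created; the audit function treats any member outside the two documented service accounts as something to justify or remove, which is the check a reviewer would run after the grant step.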