Ruby 2.6 and 2.7 are now generally available.

Connecting to a Shared VPC network

If your organization uses Shared VPC, you can use Serverless VPC Access to connect to your Shared VPC network. This guide shows you how to configure the Shared VPC host and service projects to allow Serverless VPC Access.

If you are creating a connector for Shared VPC, you must configure the host project and serverless environment as follows:

  1. Add firewall rules to allow required IP ranges
  2. Grant permissions to service accounts in your service project
  3. Create a subnet
  4. Create a Serverless VPC Access connector
  5. Configure your service to use a Serverless VPC Access connector

Add firewall rules to allow IP ranges

To perform these steps, you must have one of the following roles on the host project:

You must create firewall rules to allow requests from the following IP ranges to reach the connector and to be reached by the connector:

  • NAT ranges
    • 107.178.230.64/26
    • 35.199.224.0/19
  • Health check ranges
    • 130.211.0.0/22
    • 35.191.0.0/16
    • 108.170.220.0/23

These ranges are used by the Google infrastructure underlying Cloud Run, Cloud Functions, and App Engine Standard. All requests from these IPs are guaranteed to originate from Google infrastructure, which ensures that each Cloud Run, Cloud Functions, and App Engine service/function/app only communicates with the VPC Connector it is connected to.

For a simple configuration, apply the rules to allow serverless services in any service project connected to the Shared VPC network to send requests to any resource in the network.

To apply these rules:

  1. Run the following three commands to set the rules to allow requests from the serverless environment to reach all VPC Connectors in the network:

    gcloud compute firewall-rules create serverless-to-vpc-connector \
    --allow tcp:667,udp:665-666,icmp \
    --source-ranges 107.178.230.64/26,35.199.224.0/19 \
    --direction=INGRESS \
    --target-tags vpc-connector \
    --network=VPC_NETWORK
    gcloud compute firewall-rules create vpc-connector-to-serverless \
    --allow tcp:667,udp:665-666,icmp \
    --destination-ranges 107.178.230.64/26,35.199.224.0/19 \
    --direction=EGRESS \
    --target-tags vpc-connector \
    --network=VPC_NETWORK
    gcloud compute firewall-rules create vpc-connector-health-checks \
    --allow tcp:667 \
    --source-ranges 130.211.0.0/22,35.191.0.0/16,108.170.220.0/23 \
    --direction=INGRESS \
    --target-tags vpc-connector \
    --network=VPC_NETWORK

    Where VPC_NETWORK is the VPC network to attach your connector to.

  2. Create an ingress rule on your VPC network to allow requests from connectors:

    gcloud compute firewall-rules create vpc-connector-requests \
    --allow tcp,udp,icmp \
    --direction=INGRESS \
    --source-tags vpc-connector \
    --network=VPC_NETWORK

    This rule gives the VPC connector access to every resource in the network. To limit the resources that your serverless environment can reach using Serverless VPC Access, specify a target for these firewall rules or see Create firewall rules with narrower scope. Note that if you specify a target, you must create a new set of firewall rules every time you create a new VPC connector.

Create firewall rules with narrower scope

Following the procedure in Add firewall rules to allow IP ranges results in firewall rules that apply to all connectors, both current ones and ones created in the future. If you don't want this, but instead want to create rules for specific connectors only, you can scope the rules so that they apply only to those connectors.

To limit the scope of the rules to specific connectors, you can use one of the following mechanisms:

  • Network tags. Every connector has two network tags: vpc-connector and vpc-connector-REGION-CONNECTOR_NAME. Use the latter format to limit the scope of your firewall rules to a specific connector.
  • IP ranges. Use this for the Egress rules only, because it doesn't work for Ingress. You can use the IP range of the connector subnet to limit the scope of your firewall rules to a single VPC connector.

Grant permissions to service accounts in your service projects

For each service project that will use VPC Connectors, a Shared VPC Admin must grant the Compute Network User role (compute.networkUser) in the host project to the service project cloudservices and vpcaccess service accounts.

To grant the role:

  1. Use these commands:

    gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
    --role "roles/compute.networkUser" \
    --member "serviceAccount:service-SERVICE_PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com"
    gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
    --role "roles/compute.networkUser" \
    --member "serviceAccount:SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com"
  2. If the @gcp-sa-vpcaccess service account does not exist, turn on the Serverless VPC Access API in the service project and try again:

    gcloud services enable vpcaccess.googleapis.com

If you prefer not to grant these service accounts access to the entire Shared VPC network and would rather only grant access to specific subnets, you can instead grant these roles to these service accounts on specific subnets only.

Create a subnet

When using Shared VPC, the Shared VPC Admin must create a subnet for each connector. Follow the documentation in adding a subnet to add a /28 subnet to the Shared VPC network. This subnet must be in the same region as the serverless services that will use the connector.

Next steps