Connecting to internal resources in a VPC network

Using Serverless VPC Access, you can connect from your Cloud Functions directly to Compute Engine VM instances, Cloud Memorystore instances, Cloud SQL instances, and any other resources with an internal IP address. This is helpful in cases where:

  • You run a backend service on a Managed Instance Group in Compute Engine and need your function to communicate with this service without exposure to the public internet.
  • Your function uses third-party software that you run on a Compute Engine VM.
  • You use Cloud Memorystore to store data for your Cloud Functions.
  • Your function needs to access data from your on-premises database through Cloud VPN.

Serverless VPC Access enables you to send requests from your function to resources in your VPC network using internal IP addresses. Internal IP addresses are reachable only from inside your VPC network (and from networks connected to it, for example over Cloud VPN), so using them avoids exposing internal resources to the public internet and also lowers the latency of communication between your services.

Serverless VPC Access does not support legacy networks or Shared VPC networks. Serverless VPC Access connectors incur a monthly charge; see Serverless VPC Access pricing for more information.

Connecting to your VPC network

Connecting Cloud Functions to your VPC network involves three steps:

  1. Create a Serverless VPC Access connector
  2. Grant your Cloud Functions service account the appropriate permissions
  3. Configure your functions to use the connector

A Serverless VPC Access connector must be in the same project and region as the functions that use it, but the connector can send traffic to resources in different regions. Multiple functions can use the same connector. For more information about connectors, see Configuring Serverless VPC Access in the VPC documentation.

Creating a connector

You can create a connector with the GCP Console or the gcloud command-line tool.

Console

  1. Go to the Serverless VPC Access overview page.

  2. Click Create connector.

  3. In the Name field, enter a name for your connector.

  4. In the Region field, select the region where your function is located.

  5. In the Network field, select the VPC network to connect to.

  6. In the IP range field, enter an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector, so ingress firewall rules on the resources you connect to can be scoped to this range instead of being opened more widely. This IP range must not overlap with any existing IP address reservations in your VPC network.

  7. (Optional) You can control the connector's throughput by setting values in the Minimum throughput and Maximum throughput fields.

  8. Click Create.

A green check mark will appear next to the connector's name when it is ready to use.

gcloud

  1. Enable the Serverless VPC Access API for your project with the command:

    gcloud services enable vpcaccess.googleapis.com
    
  2. Create a connector:

    gcloud beta compute networks vpc-access connectors create CONNECTOR_NAME \
    --network VPC_NETWORK \
    --region REGION \
    --range IP_RANGE
    

    Where:

    • CONNECTOR_NAME is a name for your connector.
    • VPC_NETWORK is the VPC network to connect to.
    • REGION is the region where your function is located.
    • IP_RANGE is an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector, so ingress firewall rules on the resources you connect to can be scoped to this range instead of being opened more widely. This IP range must not overlap with any existing IP address reservations in your VPC network.
  3. Verify that your connector is in the READY state before using it:

    gcloud beta compute networks vpc-access connectors describe CONNECTOR_NAME --region REGION
    

    The output should contain the line state: READY.
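Before running the create command, it is worth checking the candidate IP_RANGE against the ranges already in use in the network, because the two hard requirements above (a /28, and no overlap with existing reservations) are easy to get wrong by hand. The following is an added example, not code from the original page or from Google: a small Python pre-flight check that reads a subnet listing and reports every reserved range the candidate overlaps. The subnet listing is a constructed sample in the shape of `gcloud compute networks subnets list --format=json`; only the `name`, `ipCidrRange` and `secondaryIpRanges[].ipCidrRange` fields are assumed, and the addresses are made up.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute networks subnets list --format=json`.
# Only the fields read below are assumed to exist; the addresses are not real.
SAMPLE_SUBNETS_JSON = """
[
  {"name": "default", "ipCidrRange": "10.128.0.0/20",
   "secondaryIpRanges": [{"rangeName": "pods", "ipCidrRange": "10.4.0.0/14"}]},
  {"name": "backend", "ipCidrRange": "10.10.0.0/24", "secondaryIpRanges": []}
]
"""


def reserved_ranges(subnets_json):
    """Collect every primary and secondary CIDR from a subnet listing.

    Returns a list of (label, ip_network) pairs; secondary ranges are
    labelled "<subnet>/<rangeName>" so an overlap report names the culprit.
    """
    ranges = []
    for subnet in json.loads(subnets_json):
        ranges.append((subnet["name"], ipaddress.ip_network(subnet["ipCidrRange"])))
        for secondary in subnet.get("secondaryIpRanges", []):
            label = f'{subnet["name"]}/{secondary["rangeName"]}'
            ranges.append((label, ipaddress.ip_network(secondary["ipCidrRange"])))
    return ranges


def check_connector_range(candidate, reserved):
    """Return the labels of reserved ranges that the candidate overlaps.

    An empty list means the candidate is usable as a connector range.
    Raises ValueError if the candidate is not an IPv4 /28 or has host bits
    set (ip_network is strict by default, so "10.8.0.3/28" is rejected).
    """
    net = ipaddress.ip_network(candidate)
    if net.version != 4 or net.prefixlen != 28:
        raise ValueError(f"connector range must be an IPv4 /28, got {candidate}")
    return [label for label, r in reserved if net.overlaps(r)]


if __name__ == "__main__":
    reserved = reserved_ranges(SAMPLE_SUBNETS_JSON)
    for candidate in ("10.8.0.0/28", "10.128.0.16/28", "10.4.1.0/28"):
        clashes = check_connector_range(candidate, reserved)
        verdict = "OK" if not clashes else "overlaps " + ", ".join(clashes)
        print(f"{candidate}: {verdict}")
```

To use it against a real project, replace the constructed sample with the output of `gcloud compute networks subnets list --network VPC_NETWORK --format=json` and pass the candidate you intend to give to `--range`. Note that this only checks subnet ranges; other reservations in the network (for example peering or VPN routes) still need to be checked separately.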

Setting up permissions

Your project's Cloud Functions service account needs appropriate permissions in order for your function to use a Serverless VPC Access connector. You only need to grant these permissions once per project. To set up the permissions:

  1. Go to the IAM page in the Google Cloud Platform Console.

  2. Find the entry for the Cloud Functions Service Agent.

  3. Click the pencil icon to edit permissions.

  4. Click Add another role.

  5. Select Project > Editor.

  6. Click Save.

Editor is a broad role. If you don't want to grant your service account full Editor privileges, you can instead grant the following narrower combination of roles, which is sufficient for using a connector:

  • The Viewer role,
  • The Compute Network User role, and
  • A custom role you create that contains the compute.globalOperations.get permission.

You can also use per-function identities to apply these permissions only to specific functions which need to access your VPC network.

Configuring a function to use a connector

After you have created a Serverless VPC Access connector and set up the proper permissions, you can configure your functions to use the connector. Multiple functions can use the same connector to reach the same VPC network as long as the functions are located in the same region as the connector.

To attach a connector to a function, deploy the function with the gcloud beta functions deploy command and specify the --vpc-connector flag:

gcloud beta functions deploy FUNCTION_NAME \
--vpc-connector projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME \
FLAGS...

Where:

  • FUNCTION_NAME is the name of your function.
  • PROJECT_ID is your GCP project's ID.
  • REGION is the region you chose for your connector. Note that your connector and function must be in the same region.
  • CONNECTOR_NAME is the name of your connector.
  • FLAGS... refers to other flags you pass during function deployment.

After you deploy your function, it is able to send requests to internal IP addresses in order to access resources in your VPC network.

Disconnecting a function from a connector

If your function no longer needs to connect to your VPC network, you can disconnect the Serverless VPC Access connector.

To disconnect your function from a connector, delete your function and re-deploy it without the --vpc-connector flag:

gcloud functions delete FUNCTION_NAME
gcloud functions deploy FUNCTION_NAME [FLAGS...]
