Connecting to internal resources in a VPC network

Using Serverless VPC Access, you can connect from your Cloud Functions directly to Compute Engine VM instances, Cloud Memorystore instances, Cloud SQL instances, and any other resources with an internal IP address. This is helpful in cases where:

  • You run a backend service on a Managed Instance Group in Compute Engine and need your function to communicate with this service without exposure to the public internet.
  • Your function uses third-party software that you run on a Compute Engine VM.
  • You use Cloud Memorystore to store data for your Cloud Functions.
  • Your function needs to access data from your on-premises database through Cloud VPN.

Serverless VPC Access enables you to send requests from your function to resources in your VPC network using internal IP addresses. Internal IP addresses are only accessible from Google Cloud Platform services, so using them avoids exposing internal resources to the public internet, and also improves the latency of communication between your services.

Serverless VPC Access does not support legacy networks or Shared VPC networks. Serverless VPC Access connectors incur a monthly charge; see Serverless VPC Access pricing for more information.

Connecting to your VPC network

Connecting Cloud Functions to your VPC network involves three steps:

  1. Create a Serverless VPC Access connector
  2. Grant your Cloud Functions service account the appropriate permissions
  3. Configure your functions to use the connector

A Serverless VPC Access connector must be in the same project and region as the functions that use it, but the connector can send traffic to resources in different regions. Multiple functions can use the same connector. For more information about connectors, see Configuring Serverless VPC Access in the VPC documentation.

Creating a connector

You can create a connector with the GCP Console or the gcloud command-line tool.

Console

  1. Go to the Serverless VPC Access overview page:

    Go to Serverless VPC Access

  2. Click Create connector.

  3. In the Name field, enter a name for your connector.

  4. In the Region field, select the region where your function is located.

  5. In the Network field, select the VPC network to connect to.

  6. In the IP range field, enter an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.

  7. (Optional) You can control the connector's throughput by setting values in the Minimum throughput and Maximum throughput fields.

  8. Click Create.

A green check mark will appear next to the connector's name when it is ready to use.

gcloud

  1. Enable the Serverless VPC Access API for your project with the command:

    gcloud services enable vpcaccess.googleapis.com
    
  2. Create a connector:

    gcloud beta compute networks vpc-access connectors create CONNECTOR_NAME \
    --network VPC_NETWORK \
    --region REGION \
    --range IP_RANGE
    

    Where:

    • CONNECTOR_NAME is a name for your connector.
    • VPC_NETWORK is the VPC network to connect to.
    • REGION is the region where your function is located.
    • IP_RANGE is an unused CIDR /28 IP range. Addresses in this range are used as source addresses for traffic sent through the connector. This IP range must not overlap with any existing IP address reservations in your VPC network.
  3. Verify that your connector is in the READY state before using it:

    gcloud beta compute networks vpc-access connectors describe CONNECTOR_NAME --region REGION
    

    The output should contain the line state: READY.

Setting up permissions

Your project's Cloud Functions service account needs appropriate permissions in order for your function to use a Serverless VPC Access connector. You only need to grant these permissions once per project. To set up the permissions:

Console

  1. Go to the IAM page in the Google Cloud Platform Console:

    Go to IAM

  2. Find the entry for the Cloud Functions Service Agent.

  3. Click the pencil icon to edit permissions.

  4. Click Add another role.

  5. Select Project > Viewer.

  6. Click Add another role.

  7. Select Compute Engine > Compute Network User.

  8. Click Save.

gcloud

  1. Find your project number by running the following command, replacing PROJECT_ID with your GCP project ID:

    gcloud projects describe PROJECT_ID --format="value(projectNumber)"
    
  2. Grant the Cloud Functions Service Agent (service-PROJECT_NUM@gcf-admin-robot.iam.gserviceaccount.com) the viewer role:

    gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUM@gcf-admin-robot.iam.gserviceaccount.com \
    --role=roles/viewer
    

    where PROJECT_NUM is the project number obtained in step 1.

  3. Grant the Cloud Functions Service Agent the compute.networkUser role:

    gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:service-PROJECT_NUM@gcf-admin-robot.iam.gserviceaccount.com \
    --role=roles/compute.networkUser
    

Configuring a function to use a connector

After you have created a Serverless VPC Access connector and set up the proper permissions, you can configure your functions to use the connector. Multiple functions can use the same connector to reach the same VPC network as long as the functions are located in the same region.

To connect your function to a connector, specify the connector name when you deploy the function:

Console

  1. Go to the Cloud Functions overview page in the GCP Console:

    Go to Cloud Functions

  2. Click Create function.

  3. Fill in the required fields for your function.

  4. Expand the advanced settings by clicking More.

  5. In the VPC connector field, enter the fully-qualified name of your connector in the following format:

    projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME
    

    where:

    • PROJECT_ID is your GCP project ID.
    • REGION is the region you chose for your connector. Note that your connector and function must be in the same region.
    • CONNECTOR_NAME is the name of your connector.
  6. Click Create.

gcloud

Use the gcloud beta functions deploy command to deploy the function and specify the --vpc-connector flag:

gcloud beta functions deploy FUNCTION_NAME \
--vpc-connector projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME \
FLAGS...

where:

  • FUNCTION_NAME is the name of your function.
  • PROJECT_ID is your GCP project ID.
  • REGION is the region you chose for your connector. Note that your connector and function must be in the same region.
  • CONNECTOR_NAME is the name of your connector.
  • FLAGS... refers to other flags you pass during function deployment.

After you deploy your function, it is able to send requests to internal IP addresses in order to access resources in your VPC network.
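The following script is an added example, not part of the original Google documentation: it wraps the connector-creation step above with the checks a practitioner would want before deploying (the IP range is an aligned /28 that does not overlap any reserved range you list, the connector reports state: READY, and the --vpc-connector value has the fully-qualified form). The positional arguments, the reserved-range list and the messages are this example's own conventions; the permissions step from the page is still done once per project, separately.

```shell
#!/usr/bin/env bash
# Added example, not from the Google Cloud docs: pre-flight checks for the connector
# procedure above. gcloud is only needed when the script is run with arguments.
set -e
# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# 0 if RANGE is a /28 whose network address is aligned to a 16-address block.
valid_slash28() {
  local net=${1%/*} prefix=${1#*/}
  [ "$prefix" = "28" ] && [ $(( $(ip_to_int "$net") % 16 )) -eq 0 ]
}
# 0 if two CIDR blocks overlap: compare both under the shorter prefix's mask.
cidr_overlap() {
  local n1=${1%/*} p1=${1#*/} n2=${2%/*} p2=${2#*/}
  local p=$(( p1 < p2 ? p1 : p2 ))
  local mask=$(( p == 0 ? 0 : (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$n1") & mask )) -eq $(( $(ip_to_int "$n2") & mask )) ]
}
# Reject a connector range that is not an aligned /28 or that collides with any
# already-reserved range passed as an extra argument (subnets, peerings, ...).
check_range() {
  local range=$1 r; shift
  valid_slash28 "$range" || { echo "$range is not an aligned /28" >&2; return 1; }
  for r in "$@"; do
    cidr_overlap "$range" "$r" && { echo "$range overlaps $r" >&2; return 1; }
  done
  return 0
}
# Fully-qualified name expected by --vpc-connector.
connector_fqn() { echo "projects/$1/locations/$2/connectors/$3"; }
# Read `connectors describe` output on stdin; 0 only if it reports READY.
is_ready() { grep -qx 'state: READY'; }

# Usage: PROJECT_ID REGION CONNECTOR_NAME VPC_NETWORK IP_RANGE [reserved ranges...]
if [ $# -ge 5 ]; then
  project=$1 region=$2 name=$3 network=$4 range=$5; shift 5
  check_range "$range" "$@"
  gcloud services enable vpcaccess.googleapis.com
  gcloud beta compute networks vpc-access connectors create "$name" \
    --network "$network" --region "$region" --range "$range"
  gcloud beta compute networks vpc-access connectors describe "$name" --region "$region" \
    | is_ready || { echo "connector not READY yet; re-check before deploying" >&2; exit 1; }
  echo "deploy with: --vpc-connector $(connector_fqn "$project" "$region" "$name")"
fi
```

Run it with no arguments to only load the helpers (for example, to source them into another script); with arguments it creates the connector and prints the value to pass to gcloud beta functions deploy.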

Disconnecting a function from a connector

If your function no longer needs to connect to your VPC network, you can disconnect the Serverless VPC Access connector.

To disconnect your function from a connector, remove the connector from the function's configuration:

Console

  1. Go to the Cloud Functions overview page in the GCP Console:

    Go to Cloud Functions

  2. Click the name of an existing function to go to its details page.

  3. Click Edit.

  4. Expand the advanced settings by clicking More.

  5. Clear the VPC connector field.

  6. Click Deploy.

gcloud

Use the gcloud beta functions deploy command to update your function and clear the --vpc-connector flag:

gcloud beta functions deploy FUNCTION_NAME --vpc-connector ""

Next steps
