Connecting to a VPC network

This page shows how to use Serverless VPC Access to connect Cloud Functions directly to your VPC network, allowing access to Compute Engine VM instances, Memorystore instances, and any other resources with an internal IP address.

To use Serverless VPC Access, you must first create a Serverless VPC Access connector to handle communication to your VPC network. After you create a connector, you configure your Cloud Functions to use the connector.

Creating a Serverless VPC Access connector

For detailed instructions on creating Serverless VPC Access connectors, refer to Creating a connector.

Configuring a function to use a connector

You can configure a function to use a connector from the Google Cloud Console or the gcloud command-line tool:

Console

  1. Go to the Cloud Functions overview page in the Cloud Console:

    Go to Cloud Functions

  2. Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.

  3. Expand the advanced settings by clicking Environment variables, networking, timeouts and more.

  4. In the VPC connector field, enter the name of your connector, or clear the field to disconnect your function from a VPC network.

  5. Click Create or Deploy.

gcloud

Use the gcloud functions deploy command to deploy the function and specify the --vpc-connector flag:

gcloud functions deploy FUNCTION_NAME \
--vpc-connector CONNECTOR_NAME \
FLAGS...

where:

  • FUNCTION_NAME is the name of your function.
  • CONNECTOR_NAME is the name of your connector.
  • FLAGS... refers to other flags you pass during function deployment.

Use the --clear-vpc-connector flag to disconnect your function from a VPC network:

gcloud functions deploy FUNCTION_NAME \
--clear-vpc-connector \
FLAGS...

For more control over which requests are routed through the connector, see Egress settings.

Connecting to a Shared VPC network

If you have set up Shared VPC, you can connect a function to a Shared VPC network by following these steps:

  1. Create a Serverless VPC Access connector in the Shared VPC host project.
  2. In Shared VPC service projects where you want to deploy functions, enable the Cloud Functions and Serverless VPC Access APIs:

    Enable the APIs

  3. Grant permissions for functions in service projects to use connectors from the host project:

    Console

    1. Find the address of the service project's Cloud Functions Service Agent. It is listed on the IAM page in the Cloud Console and has the form:

      service-SERVICE_PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com

      You can also find the service project's project number on the Project Settings page.

    2. Go to the IAM page in the Shared VPC host project:

      Go to IAM

    3. Click Add.

    4. In the New members field, enter the address of the service project's Cloud Functions Service Agent.

    5. In the Role field, select Serverless VPC Access User.

    6. Click Save. Repeat these steps as necessary for multiple service projects.

    gcloud

    1. Find the service project's project number by running the following command, where SERVICE_PROJECT_ID is the ID of the service project:

      gcloud projects describe SERVICE_PROJECT_ID --format="value(projectNumber)"
      
    2. Grant the service project's Cloud Functions Service Agent the Serverless VPC Access User role (roles/vpcaccess.user) in the host project; no broader role is needed for it to use the connector:

      gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
      --member serviceAccount:service-SERVICE_PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com \
      --role roles/vpcaccess.user
      

      where HOST_PROJECT_ID is the ID of the Shared VPC host project, and SERVICE_PROJECT_NUMBER is the project number of the service project, from the previous step.

    Repeat these steps as necessary for multiple service projects.

  4. In service projects, when you deploy a function, specify the fully qualified name of the host project's connector rather than its short name:

    projects/HOST_PROJECT_ID/locations/CONNECTOR_REGION/connectors/CONNECTOR_NAME
    
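The gcloud deployment procedure above (gcloud functions deploy with --vpc-connector) and the Shared VPC grant-then-deploy sequence, collected into one POSIX shell script as an added example; this is not code from the original page. All project IDs, the region, the connector and function names, and the example --runtime/--trigger-http flags are placeholders, and the --egress-settings private-ranges-only flag is an assumed choice that keeps only RFC 1918 traffic on the connector. The script adds two checks the page does not spell out: it refuses to build an IAM member string from a project number that is not all digits, and after deployment it reads the function back and fails if the recorded connector is not the one requested. Set GCLOUD to a wrapper (for example a shell function) to preview the commands without touching a project.

```shell
#!/bin/sh
# Added example: deploy a Cloud Function in a Shared VPC service project through a
# connector owned by the host project. Every value below is a placeholder.
set -eu

GCLOUD="${GCLOUD:-gcloud}"                              # override with a wrapper to dry-run
HOST_PROJECT_ID="${HOST_PROJECT_ID:-host-project}"      # assumed host project ID
SERVICE_PROJECT_ID="${SERVICE_PROJECT_ID:-service-project}"  # assumed service project ID
REGION="${REGION:-us-central1}"                         # assumed connector/function region
CONNECTOR_NAME="${CONNECTOR_NAME:-my-connector}"        # assumed connector short name
FUNCTION_NAME="${FUNCTION_NAME:-my-function}"           # assumed function name

# Project numbers are all digits; refuse anything else before it reaches an IAM binding.
is_project_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# The service project's Cloud Functions Service Agent, in IAM member syntax.
gcf_service_agent() {
  is_project_number "$1" || return 1
  printf 'serviceAccount:service-%s@gcf-admin-robot.iam.gserviceaccount.com\n' "$1"
}

# Fully qualified connector resource name; service projects must use this form.
connector_path() {
  printf 'projects/%s/locations/%s/connectors/%s\n' "$1" "$2" "$3"
}

# Shared VPC step 3 (gcloud): look up the service project number and grant only
# roles/vpcaccess.user on the host project to that project's service agent.
grant_connector_access() {
  number="$("$GCLOUD" projects describe "$SERVICE_PROJECT_ID" --format='value(projectNumber)')"
  member="$(gcf_service_agent "$number")" || {
    echo "unexpected project number: '$number'" >&2
    return 1
  }
  "$GCLOUD" projects add-iam-policy-binding "$HOST_PROJECT_ID" \
    --member "$member" \
    --role roles/vpcaccess.user
}

# Shared VPC step 4: deploy in the service project with the host project's connector,
# then read the function back and verify it really carries that connector.
# Extra deployment flags (runtime, trigger, source, ...) are passed through as "$@".
deploy_with_connector() {
  path="$(connector_path "$HOST_PROJECT_ID" "$REGION" "$CONNECTOR_NAME")"
  "$GCLOUD" functions deploy "$FUNCTION_NAME" \
    --project "$SERVICE_PROJECT_ID" \
    --region "$REGION" \
    --vpc-connector "$path" \
    --egress-settings private-ranges-only \
    "$@"
  actual="$("$GCLOUD" functions describe "$FUNCTION_NAME" \
    --project "$SERVICE_PROJECT_ID" --region "$REGION" \
    --format='value(vpcConnector)')"
  if [ "$actual" != "$path" ]; then
    echo "deployed function reports connector '$actual', expected '$path'" >&2
    return 1
  fi
}

# Run the whole procedure only when asked, so the file can also be sourced for its functions.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  grant_connector_access
  deploy_with_connector --runtime python310 --trigger-http --source .
fi
```

To disconnect the same function later, the page's `gcloud functions deploy FUNCTION_NAME --clear-vpc-connector` form applies unchanged; the read-back check then expects an empty vpcConnector value.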

Next steps