Stay organized with collections Save and categorize content based on your preferences.

Configuring network settings

Cloud Functions network settings enable you to control network ingress and egress to and from individual functions. For example, you can use network settings for the following use cases:

  • Secure your functions by implementing network-based access control.
  • Make a function's egress traffic adhere to firewall, DNS, and routing rules associated with your VPC network.
  • Associate a function's egress traffic with a static IP address.

For more details about use cases, see the Example use cases section.

Ingress settings

Ingress settings restrict whether a function can be invoked by resources outside of your Google Cloud project or VPC Service Controls service perimeter. You can specify one of the following ingress setting values:

  • Allow all traffic: Default. All inbound requests to the function are allowed, from both the internet and resources within the same project.
  • Allow internal traffic only: Only traffic from Cloud Tasks, Workflows, and VPC networks in the same project or VPC Service Controls perimeter is allowed. All other requests are denied with a 403 error. For requests from a Shared VPC, traffic is only considered internal if the function is deployed in the Shared VPC host project. If the function is deployed in a Shared VPC service project, only traffic from networks owned by the function's own project is internal. All other traffic, including traffic from other Shared VPCs without a VPC Service Controls perimeter, is external.
  • Allow internal traffic and traffic from Cloud Load Balancing: Traffic from Cloud Tasks, Workflows, and VPC networks in the same project or VPC Service Controls perimeter is allowed. Traffic from Cloud Load Balancing is allowed.

Internal-only HTTP functions can only be invoked by HTTP requests that are either created within a VPC network, such as those from Kubernetes Engine, Compute Engine, the App Engine Flexible Environment, or are made by Cloud Tasks or Workflows resources that are in the same project or VPC Service Controls perimeter. This means that events created by or routed through Cloud Scheduler, Pub/Sub or Eventarc cannot trigger these functions.

You can specify ingress settings when you deploy or update your function by using the Google Cloud console or the Google Cloud CLI:

Console

  1. Open the Functions Overview page in the Google Cloud console:

    Go to the Cloud Functions Overview page

  2. Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.

  3. Expand the advanced settings by clicking Environment variables, networking, timeouts and more.

  4. In the Connections section, select a value for Ingress settings.

gcloud

Use the gcloud functions deploy command to deploy or update the function and specify the --ingress-settings flag:

gcloud functions deploy FUNCTION_NAME \
--trigger-http \
--ingress-settings INGRESS_SETTINGS \
FLAGS...

where:

  • FUNCTION_NAME is the name of your function.
  • INGRESS_SETTINGS is one of the supported values for ingress settings. The possible values are:

    • all
    • internal-only
    • internal-and-gclb: allows internal traffic as well as traffic sent to a public IP exposed by Cloud Load Balancing. Blocks traffic sent to cloudfunctions.net or any custom domain set up through Cloud Functions. Prevents users from circumventing any access controls (Cloud Armor, IAP) they set up through Cloud Load Balancing.
  • FLAGS... refers to other flags you pass to the deploy command.

If you use Google Cloud Armor with Cloud Load Balancing, you can create security policies that filter traffic-based conditions such as an incoming request's IP address, IP range, region code, or request headers. For more information, see Google Cloud Armor security policy overview.

Egress settings

Egress settings control the routing of outbound HTTP requests from a function. To specify egress settings, you must connect the function to a VPC network by using a Serverless VPC Access connector. Egress settings control which types of traffic are routed through the connector to your VPC network.

For egress settings, you can specify the following:

  • Route only requests to private IPs through the VPC connector: Default. Only requests to RFC 1918 and RFC 6598 IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet.
  • Route all traffic through the VPC connector: All outbound requests from the function are routed to your VPC network. IPv6 traffic is not supported.

You can specify egress settings when you deploy or update your function by using the Google Cloud console or the Google Cloud CLI.

Console

  1. Open the Functions Overview page in the Google Cloud console:

    Go to the Cloud Functions Overview page

  2. Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.

  3. Expand the advanced settings by clicking Environment variables, networking, timeouts and more.

  4. In the Connections section, under Egress settings, select a Serverless VPC Access connector.

  5. Select the appropriate egress setting based on how you want to route outbound traffic through the connector.

gcloud

Use the gcloud functions deploy command to deploy or update the function and specify the --egress-settings flag:

gcloud functions deploy FUNCTION_NAME \
--vpc-connector CONNECTOR_NAME \
--egress-settings EGRESS_SETTINGS \
FLAGS...

where:

  • FUNCTION_NAME is the name of your function.
  • CONNECTOR_NAME is the name of the Serverless VPC Access connector to use. See the gcloud documentation for more information.

  • EGRESS_SETTINGS is one of the supported values for egress settings: see gcloud documentation.

  • FLAGS... refers to other flags you pass to the deploy command.

Example use cases

Creating a function that cannot be called by external clients

You can secure your HTTP functions by allowing them to be called only by resources in the same Cloud project or VPC Service Controls service perimeter.

  1. Deploy your function and allow internal traffic only. Use the Google Cloud console or the Google Cloud CLI:

    Console

    1. Open the Functions Overview page in the Google Cloud console:

      Go to the Cloud Functions Overview page

    2. Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.

    3. Expand the advanced settings by clicking Environment variables, networking, timeouts and more.

    4. In the Connections section, under Ingress settings, select Allow internal traffic only.

    gcloud

    Use the gcloud functions deploy command:

    gcloud functions deploy FUNCTION_NAME \
    --ingress-settings internal-only \
    FLAGS...
    

After you deploy your function, requests originating from outside of your Cloud project are blocked from reaching the function. If you use VPC Service Controls, requests from outside of the service perimeter are blocked. VM instances inside your project or service perimeter can still reach your function by making requests to its HTTPS endpoint.

If you want to call this restricted function from another function, the calling function must route its egress through your VPC network.

Using egress and ingress settings to restrict access

You can incorporate both ingress and egress to your services to add an additional layer of restriction.

  1. Clone the cloud-run-sample repository and change to the vpc-sample directory:

    git clone https://github.com/GoogleCloudPlatform/cloud-run-samples
    cd vpc-sample
    

  2. Install Python dependencies:

    pip3 install -r requirements.txt
    

  3. You can open the main.py file in the vpc-sample directory to see the function you are deploying:

    def hello_world(request):
        return "Hello World!"

  4. Deploy the function:

    gcloud functions deploy restricted-function 
    --runtime=python38
    --trigger-http
    --no-allow-unauthenticated
    --ingress-settings=internal-only
    --entry-point=hello_world

  5. Set up a Serverless VPC Access connector:

    gcloud compute networks vpc-access connectors create serverless-connector 
    --region=SERVICE_REGION
    --range=10.8.0.0/28

    where SERVICE_REGION is a region for your connector; this must match the region of your serverless service. If your service is in the region us-central or europe-west, use us-central1 or europe-west1.

  6. Build your container image:

    gcloud builds submit --tag=gcr.io/PROJECT_ID/restricted-function-caller .
    

    where PROJECT_ID is the project ID.

    This builds a container image that invokes get_hello_world when deployed from the main.py file:

    import os
    import urllib
    
    import google.auth.transport.requests
    import google.oauth2.id_token
    
    
    def get_hello_world(request):
        try:
            url = os.environ.get("URL")
            req = urllib.request.Request(url)
    
            auth_req = google.auth.transport.requests.Request()
            id_token = google.oauth2.id_token.fetch_id_token(auth_req, url)
            req.add_header("Authorization", f"Bearer {id_token}")
    
            response = urllib.request.urlopen(req)
            return response.read()
    
        except Exception as e:
            print(e)
            return str(e)

  7. Use the gcloud run deploy run-function command to deploy the Cloud Run container:

    gcloud run deploy run-function 
    --image gcr.io/PROJECT_ID/restricted-function-caller
    --no-allow-unauthenticated
    --update-env-vars=URL=https://SERVICE_REGION-PROJECT_ID.cloudfunctions.net/restricted-function-caller
    --vpc-egress=all
    --vpc-connector=serverless-connector
    --region=SERVICE_REGION

    where:

    • PROJECT_ID is the project ID.
    • SERVICE_REGION is a region for your connector; this must match the region of your serverless service. If your service is in the region us-central or europe-west, use us-central1 or europe-west1.

    The Cloud Run run-function service is now set to send a GET request via the VPC connector to the network-restricted function.

Routing function egress through your VPC network

VPC networks in Google Cloud support a rich set of configurations and networking features. By routing egress traffic from your function into your VPC network, you can ensure that Cloud Functions egress traffic follows your VPC network's firewall, DNS, routing, and other rules, and you can use products such as Cloud NAT.

  1. Set up a VPC network. Configure an existing VPC network or create a new one by following the guide at Using VPC networks.

  2. Set up a Serverless VPC Access connector. Cloud Functions need a Serverless VPC Access connector to route traffic into your VPC network. Create a connector and set up the appropriate permissions by following the instructions at Connecting to a VPC network.

  3. Deploy a function that uses the connector and route all egress through. the connector.** Use the Google Cloud console or the gcloud command-line tool:

    Console

    1. Open the Functions Overview page in the Google Cloud console:

      Go to the Cloud Functions Overview page

    2. Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.

    3. Expand the advanced settings by clicking Environment variables, networking, timeouts and more.

    4. In the Connections section, under Egress settings, select your Serverless VPC Access connector and select Route all traffic through the VPC connector.

    gcloud

    Use the gcloud functions deploy command:

    gcloud functions deploy FUNCTION_NAME \
    --vpc-connector CONNECTOR_NAME \
    --egress-settings all \
    FLAGS...
    

After you deploy your function, all traffic originating from your function is routed through your VPC network and adheres to the rules set on your VPC network. Note that your function is unable to access the public internet unless you configure Cloud NAT. Further note that you need your Cloud NAT to map all primary and secondary IP ranges for all subnets to the NAT gateway, in order to include the connector's subnet in the mapping.

Associating function egress with a static IP address

In some cases, you might want traffic originating from your function to be associated with a static IP address. For example, this is useful if you are calling an external service that only allows requests from explicitly specified IP addresses.

  1. Route your function's egress through your VPC network. See the previous section, Routing function egress through your VPC network.

  2. Set up Cloud NAT and specify a static IP address. Follow the guides at Specify subnet ranges for NAT and Specify IP addresses for NAT to set up Cloud NAT for the subnet associated with your function's Serverless VPC Access connector. As stated above, you need your Cloud NAT to map all primary and secondary IP ranges for all subnets to the NAT gateway, in order to include the connector's subnet in the mapping.

Multi-region load balancing

You can deploy a function to different regions, and allow the request to be be sent to the closest healthy region. To achieve this, you need to set up a serverless network endpoint group (NEG) for the function and connect it to a load balancer, as described in Setting up an HTTP(S) load balancer with serverless NEGs.