Cloud Functions network settings enable you to control network ingress and egress to and from individual functions. For example, you can use network settings for the following use cases:
- Secure your functions by implementing network-based access control.
- Make a function's egress traffic adhere to firewall, DNS, and routing rules associated with your VPC network.
- Associate a function's egress traffic with a static IP address.
For more details about use cases, see the Example use cases section.
Ingress settings
Ingress settings restrict whether a function can be invoked by resources outside of your Google Cloud project or VPC Service Controls service perimeter. You can specify one of the following ingress setting values:
- Allow all traffic: Default. All inbound requests to the function are allowed, from both the internet and resources within the same project.
- Allow internal traffic only: Only requests from VPC
networks in the same project or
VPC Service Controls perimeter
are allowed. All other requests are denied with a
403
error.
Internal-only HTTP functions can only be invoked by HTTP requests that are created within a VPC network, such as those from Kubernetes Engine, Compute Engine, or the App Engine Flexible Environment. This means that events created by or routed through Pub/Sub, Eventarc, Cloud Scheduler, Cloud Tasks and Workflows cannot trigger these functions.
You can specify ingress settings when you deploy or update your function,
using the Google Cloud Console or the gcloud
command-line tool:
Console
Open the Functions Overview page in the Cloud Console:
Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.
Expand the advanced settings by clicking Environment variables, networking, timeouts and more.
In the Networking section, select a value for Ingress settings.
gcloud
Use the gcloud functions deploy
command to deploy or update the
function and specify the
--ingress-settings
flag:
gcloud functions deploy FUNCTION_NAME \ --trigger-http \ --ingress-settings INGRESS_SETTINGS \ FLAGS...
where:
FUNCTION_NAME
is the name of your function.INGRESS_SETTINGS
is one of the supported values for ingress settings. The possible values are:all
internal-only
internal-and-gclb
: allows internal traffic as well as traffic sent to a public IP exposed by Cloud Load Balancing. Blocks traffic sent tocloudfunctions.net
or any custom domain set up through Cloud Functions. Prevents users from circumventing any access controls (Cloud Armor, IAP) they set up through Cloud Load Balancing.
FLAGS...
refers to other flags you pass to thedeploy
command.
If you use Google Cloud Armor with Cloud Load Balancing, you can create security policies that filter traffic-based conditions such as an incoming request's IP address, IP range, region code, or request headers. For more information, see Google Cloud Armor security policy overview.
Egress settings
Egress settings control the routing of outbound HTTP requests from a function. To specify egress settings, you must connect the function to a VPC network using a Serverless VPC Access connector. Egress settings control which types of traffic are routed through the connector to your VPC network.
For egress settings, you can specify:
- Route only requests to private IPs through the VPC connector: Default. Only requests to RFC 1918 and RFC 6598 IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet.
Route all traffic through the VPC connector: All outbound requests from the function are routed to your VPC network.
You can specify egress settings when you deploy or update your function,
using the Cloud Console or the gcloud
command-line tool:
Console
Open the Functions Overview page in the Cloud Console:
Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.
Expand the advanced settings by clicking Environment variables, networking, timeouts and more.
In the Networking section, under Egress settings, select a Serverless VPC Access connector.
Select the appropriate egress setting based on how you want to route outbound traffic through the connector.
gcloud
Use the gcloud functions deploy
command to deploy or update the
function and specify the
--egress-settings
flag:
gcloud functions deploy FUNCTION_NAME \ --vpc-connector CONNECTOR_NAME \ --egress-settings EGRESS_SETTINGS \ FLAGS...
where:
FUNCTION_NAME
is the name of your function.CONNECTOR_NAME
is the name of the Serverless VPC Access connector to use. See thegcloud
documentation for more information.EGRESS_SETTINGS
is one of the supported values for egress settings: seegcloud
documentation.FLAGS...
refers to other flags you pass to thedeploy
command.
Example use cases
Creating a function that cannot be called by external clients
You can secure your HTTP functions by allowing them to be called only by resources in the same Cloud project or VPC Service Controls service perimeter.
Deploy your function and allow internal traffic only. Use the Cloud Console or the
gcloud
command-line tool:Console
Open the Functions Overview page in the Cloud Console:
Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.
Expand the advanced settings by clicking Environment variables, networking, timeouts and more.
In the Networking section, under Ingress settings, select Allow internal traffic only.
gcloud
Use the
gcloud functions deploy
command:gcloud functions deploy FUNCTION_NAME \ --ingress-settings internal-only \ FLAGS...
After you deploy your function, requests originating from outside of your Cloud project are blocked from reaching the function. If you use VPC Service Controls, requests from outside of the service perimeter are blocked. VM instances inside your project or service perimeter can still reach your function by making requests to its HTTPS endpoint.
If you want to call this restricted function from another function, the calling function must route its egress through your VPC network.
Routing function egress through your VPC network
VPC networks in Google Cloud support a rich set of configurations and networking features. By routing egress traffic from your function into your VPC network, you can ensure that Cloud Functions egress traffic follows your VPC network's firewall, DNS, routing, and other rules, and you can use products such as Cloud NAT.
Set up a VPC network. Configure an existing VPC network or create a new one by following the guide at Using VPC networks.
Set up a Serverless VPC Access connector. Cloud Functions need a Serverless VPC Access connector to route traffic into your VPC network. Create a connector and set up the appropriate permissions by following the instructions at Connecting to a VPC network.
Deploy a function that uses the connector and route all egress through the connector. Use the Cloud Console or the
gcloud
command-line tool:Console
Open the Functions Overview page in the Cloud Console:
Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.
Expand the advanced settings by clicking Environment variables, networking, timeouts and more.
In the Networking section, under Egress settings, select your Serverless VPC Access connector and select Route all traffic through the VPC connector.
gcloud
Use the
gcloud functions deploy
command:gcloud functions deploy FUNCTION_NAME \ --vpc-connector CONNECTOR_NAME \ --egress-settings all \ FLAGS...
After you deploy your function, all traffic originating from your function is routed through your VPC network and adheres to the rules set on your VPC network. Note that your function is unable to access the public internet unless you configure Cloud NAT. Further note that you need your Cloud NAT to map all primary and secondary IP ranges for all subnets to the NAT gateway, in order to include the connector's subnet in the mapping.
Associating function egress with a static IP address
In some cases, you might want traffic originating from your function to be associated with a static IP address. For example, this is useful if you are calling an external service that only allows requests from explicitly specified IP addresses.
Route your function's egress through your VPC network. See the previous section, Routing function egress through your VPC network.
Set up Cloud NAT and specify a static IP address. Follow the guides at Specify subnet ranges for NAT and Specify IP addresses for NAT to set up Cloud NAT for the subnet associated with your function's Serverless VPC Access connector. As stated above, you need your Cloud NAT to map all primary and secondary IP ranges for all subnets to the NAT gateway, in order to include the connector's subnet in the mapping.
Multi-region load balancing
You can deploy a function to different regions, and allow the request to be be sent to the closest healthy region. To achieve this, you need to set up a serverless network endpoint group (NEG) for the function and connect it to a load balancer, as described in Setting up an HTTP(S) load balancer with serverless NEGs.