Configuring network settings

Cloud Functions network settings enable you to control network ingress and egress to and from individual functions. For example, you can use network settings for the following use cases:

Secure your functions by implementing network-based access control.
Make a function's egress traffic adhere to firewall, DNS, and routing rules associated with your VPC network.
Associate a function's egress traffic with a static IP address.

For more details about use cases, see the Example use cases section.

Ingress settings

Ingress settings restrict whether a function can be invoked by resources outside of your Google Cloud project or VPC Service Controls service perimeter. You can specify one of the following ingress setting values:

Allow all traffic: Default. All inbound requests to the function are allowed, from both the internet and resources within the same project.
Allow internal traffic only: Only requests from VPC networks in the same project or VPC Service Controls perimeter are allowed. All other requests are denied with a 403 error.

Internal-only HTTP functions can only be invoked by HTTP requests that are created within a VPC network, such as those from Kubernetes Engine, Compute Engine, or the App Engine Flexible Environment. This means that events created by or routed through Pub/Sub, Eventarc, Cloud Scheduler, Cloud Tasks and Workflows cannot trigger these functions.

You can specify ingress settings when you deploy or update your function, using the Google Cloud Console or the gcloud command-line tool:

Console

Open the Functions Overview page in the Cloud Console:

Go to the Cloud Functions Overview page
Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.
Expand the advanced settings by clicking Environment variables, networking, timeouts and more.
In the Networking section, select a value for Ingress settings.

gcloud

Use the gcloud functions deploy command to deploy or update the function and specify the --ingress-settings flag:

gcloud functions deploy FUNCTION_NAME \
--trigger-http \
--ingress-settings INGRESS_SETTINGS \
FLAGS...

where:

FUNCTION_NAME is the name of your function.
INGRESS_SETTINGS is one of the supported values for ingress settings. The possible values are:
- all
- internal-only
- internal-and-gclb: allows internal traffic as well as traffic sent to a public IP exposed by Cloud Load Balancing. Blocks traffic sent to cloudfunctions.net or any custom domain set up through Cloud Functions. Prevents users from circumventing any access controls (Cloud Armor, IAP) they set up through Cloud Load Balancing.
FLAGS... refers to other flags you pass to the deploy command.

If you use Google Cloud Armor with Cloud Load Balancing, you can create security policies that filter traffic-based conditions such as an incoming request's IP address, IP range, region code, or request headers. For more information, see Google Cloud Armor security policy overview.

Egress settings

Egress settings control the routing of outbound HTTP requests from a function. To specify egress settings, you must connect the function to a VPC network using a Serverless VPC Access connector. Egress settings control which types of traffic are routed through the connector to your VPC network.

For egress settings, you can specify:

Route only requests to private IPs through the VPC connector: Default. Only requests to RFC 1918 and RFC 6598 IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet.
Route all traffic through the VPC connector: All outbound requests from the function are routed to your VPC network.

Note: Serverless VPC Access billing scales in proportion to the amount of traffic that passes through the connector. Review Serverless VPC Access pricing to understand cost implications.

You can specify egress settings when you deploy or update your function, using the Cloud Console or the gcloud command-line tool:

Console

Open the Functions Overview page in the Cloud Console:

Go to the Cloud Functions Overview page
Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.
Expand the advanced settings by clicking Environment variables, networking, timeouts and more.
In the Networking section, under Egress settings, select a Serverless VPC Access connector.
Select the appropriate egress setting based on how you want to route outbound traffic through the connector.

gcloud

Use the gcloud functions deploy command to deploy or update the function and specify the --egress-settings flag:

gcloud functions deploy FUNCTION_NAME \
--vpc-connector CONNECTOR_NAME \
--egress-settings EGRESS_SETTINGS \
FLAGS...

where:

FUNCTION_NAME is the name of your function.
CONNECTOR_NAME is the name of the Serverless VPC Access connector to use. See the gcloud documentation for more information.

Note: You can omit the --vpc-connector flag if you are updating egress settings on an existing function that already has a connector.
EGRESS_SETTINGS is one of the supported values for egress settings: see gcloud documentation.
FLAGS... refers to other flags you pass to the deploy command.

Example use cases

Creating a function that cannot be called by external clients

You can secure your HTTP functions by allowing them to be called only by resources in the same Cloud project or VPC Service Controls service perimeter.

Deploy your function and allow internal traffic only. Use the Cloud Console or the gcloud command-line tool:
Console
1. Open the Functions Overview page in the Cloud Console:
  
  Go to the Cloud Functions Overview page
2. Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.
3. Expand the advanced settings by clicking Environment variables, networking, timeouts and more.
4. In the Networking section, under Ingress settings, select Allow internal traffic only.
gcloud
Use the gcloud functions deploy command:
```
gcloud functions deploy FUNCTION_NAME \
--ingress-settings internal-only \
FLAGS...
```

After you deploy your function, requests originating from outside of your Cloud project are blocked from reaching the function. If you use VPC Service Controls, requests from outside of the service perimeter are blocked. VM instances inside your project or service perimeter can still reach your function by making requests to its HTTPS endpoint.

If you want to call this restricted function from another function, the calling function must route its egress through your VPC network.

Routing function egress through your VPC network

VPC networks in Google Cloud support a rich set of configurations and networking features. By routing egress traffic from your function into your VPC network, you can ensure that Cloud Functions egress traffic follows your VPC network's firewall, DNS, routing, and other rules, and you can use products such as Cloud NAT.

Set up a VPC network. Configure an existing VPC network or create a new one by following the guide at Using VPC networks.
Set up a Serverless VPC Access connector. Cloud Functions need a Serverless VPC Access connector to route traffic into your VPC network. Create a connector and set up the appropriate permissions by following the instructions at Connecting to a VPC network.
Deploy a function that uses the connector and route all egress through the connector. Use the Cloud Console or the gcloud command-line tool:
Console
1. Open the Functions Overview page in the Cloud Console:
  
  Go to the Cloud Functions Overview page
2. Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.
3. Expand the advanced settings by clicking Environment variables, networking, timeouts and more.
4. In the Networking section, under Egress settings, select your Serverless VPC Access connector and select Route all traffic through the VPC connector.
gcloud
Use the gcloud functions deploy command:
```
gcloud functions deploy FUNCTION_NAME \
--vpc-connector CONNECTOR_NAME \
--egress-settings all \
FLAGS...
```

After you deploy your function, all traffic originating from your function is routed through your VPC network and adheres to the rules set on your VPC network. Note that your function is unable to access the public internet unless you configure Cloud NAT. Further note that you need your Cloud NAT to map all primary and secondary IP ranges for all subnets to the NAT gateway, in order to include the connector's subnet in the mapping.

Associating function egress with a static IP address

In some cases, you might want traffic originating from your function to be associated with a static IP address. For example, this is useful if you are calling an external service that only allows requests from explicitly specified IP addresses.

Route your function's egress through your VPC network. See the previous section, Routing function egress through your VPC network.
Set up Cloud NAT and specify a static IP address. Follow the guides at Specify subnet ranges for NAT and Specify IP addresses for NAT to set up Cloud NAT for the subnet associated with your function's Serverless VPC Access connector. As stated above, you need your Cloud NAT to map all primary and secondary IP ranges for all subnets to the NAT gateway, in order to include the connector's subnet in the mapping.

Multi-region load balancing

You can deploy a function to different regions, and allow the request to be be sent to the closest healthy region. To achieve this, you need to set up a serverless network endpoint group (NEG) for the function and connect it to a load balancer, as described in Setting up an HTTP(S) load balancer with serverless NEGs.