Configure connectors in Shared VPC service projects

If your organization uses Shared VPC, you can set up Serverless VPC Access connectors in either the service project or the host project. This guide shows how to set up a connector in the service project.

If you need to set up a connector in the host project, see Configure connectors in the host project. To learn about the advantages of each method, see Connecting to a Shared VPC network.

At a high level, you must take the following steps:

1. Grant permissions
2. Create a subnet
3. In the page Configuring Serverless VPC Access, complete the steps in the following sections:
   • Create a Serverless VPC Access connector
   • Configure your serverless environment to use a connector
   • Configure firewall rules for connectors

Grant permissions to service accounts in your service projects

For each service project that will use VPC Connectors, a Shared VPC Admin must grant the Compute Network User role (compute.networkUser) in the host project to the service project cloudservices and vpcaccess service accounts.

To grant the role:

1. Use these commands:

   gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
   --role "roles/compute.networkUser" \
   --member "serviceAccount:service-SERVICE_PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com"

   gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
   --role "roles/compute.networkUser" \
   --member "serviceAccount:SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com"

2. If the @gcp-sa-vpcaccess service account does not exist, turn on the Serverless VPC Access API in the service project and try again:

   gcloud services enable vpcaccess.googleapis.com

If you prefer not to grant these service accounts access to the entire Shared VPC network and would rather only grant access to specific subnets, you can instead grant these roles to these service accounts on specific subnets only.

Create a subnet

When using Shared VPC, the Shared VPC Admin must create a subnet for each connector. Follow the documentation in adding a subnet to add a /28 subnet to the Shared VPC network. This subnet must be in the same region as the serverless services that will use the connector.

Next steps

• In the page Configuring Serverless VPC Access, complete the steps in the following sections:
  • Create a Serverless VPC Access connector
  • Configure your serverless environment to use a connector