Both of these methods allow access to Compute Engine VM instances, Memorystore instances, and any other resources with an internal IP address.
Inbound and outbound requests
When using Direct VPC egress or Serverless VPC Access connectors, outbound connections initiated by Cloud Run services and jobs route directly to and from their destination.
Inbound requests sent from your VPC network to Cloud Run route through a custom load balancer, not through Direct VPC egress or Serverless VPC Access connectors.
To learn more about sending requests from your VPC network to Cloud Run, see Receive requests from VPC networks.
Direct VPC egress
Direct VPC egress brings enhanced infrastructure and simpler VPC egress configuration to Cloud Run, including the following advantages:
- Setup: Cloud Run services and jobs can send traffic to a VPC network without the overhead of managing a Serverless VPC Access connector.
- Cost: You only pay for network traffic charges, which scale to zero just like the service itself.
- Security: You can use network tags directly on service revisions for more granular network security.
- Performance: Lower latency, higher throughput.
Serverless VPC Access connectors
Serverless VPC Access connectors also let you send requests to your VPC network and receive the corresponding responses without using the public internet. Connectors require additional setup and maintenance, incur additional cost, and offer lower performance than Direct VPC egress.
See the comparison table for details.
Comparison table
Feature | Direct VPC egress | Serverless VPC Access connector |
---|---|---|
Latency | Lower | Higher |
Throughput | Higher | Lower |
IP allocation | Uses more IP addresses in most cases | Uses fewer IP addresses |
Cost | No additional VM charges | Incurs additional VM charges |
Scaling speed | Instance autoscaling is slower during traffic surges while new VPC network interfaces are created. | Network latency occurs during VPC network traffic surges while more connector instances are created. |
Network tags | Finer granularity. Each service or job can have its own unique sets of tags; firewall rules applied separately. | Less granularity. Shared across services and jobs that use the same connectors; firewall rules applied at the connector level. |
Google Cloud console | Supported | Supported |
Google Cloud CLI | Supported | Supported |
Launch stage | GA (with the exception of Cloud Run jobs) | GA |
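The Network tags row above, worked through as an added example (not code from the Cloud Run documentation). It uses a simplified model in which an allow rule is a (tag, destination) pair; all workload names, tags, and addresses are constructed. It reports the destinations each workload can reach but does not need, first with a shared connector and then with per-workload tags.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Workload:
    name: str
    needs: set                       # destinations this workload is meant to reach
    tags: frozenset = frozenset()    # Direct VPC egress: tags set on the workload itself
    connector: Optional[str] = None  # Serverless VPC Access: name of the shared connector

def effective_tags(w, connector_tags):
    """Tags that firewall rules match for this workload's VPC traffic."""
    if w.connector is not None:
        return connector_tags[w.connector]   # shared by every user of the connector
    return w.tags

def excess_access(workloads, connector_tags, allow_rules):
    """Map workload name -> sorted destinations reachable but not needed."""
    report = {}
    for w in workloads:
        tags = effective_tags(w, connector_tags)
        reachable = {dest for tag, dest in allow_rules if tag in tags}
        extra = reachable - w.needs
        if extra:
            report[w.name] = sorted(extra)
    return report

# Constructed sample inventory (hypothetical names and addresses).
REDIS, DB = "10.0.0.5:6379", "10.0.0.9:5432"

# Layout 1: both services share one connector, so rules attach to its tag.
CONNECTOR_TAGS = {"shared-conn": frozenset({"conn-shared"})}
CONNECTOR_RULES = [("conn-shared", REDIS), ("conn-shared", DB)]
CONNECTOR_WORKLOADS = [
    Workload("frontend", {REDIS}, connector="shared-conn"),
    Workload("billing", {DB}, connector="shared-conn"),
]

# Layout 2: Direct VPC egress, each service carries its own tag.
DIRECT_RULES = [("frontend-egress", REDIS), ("billing-egress", DB)]
DIRECT_WORKLOADS = [
    Workload("frontend", {REDIS}, tags=frozenset({"frontend-egress"})),
    Workload("billing", {DB}, tags=frozenset({"billing-egress"})),
]

if __name__ == "__main__":
    print("connector:", excess_access(CONNECTOR_WORKLOADS, CONNECTOR_TAGS, CONNECTOR_RULES))
    print("direct:   ", excess_access(DIRECT_WORKLOADS, {}, DIRECT_RULES))
```

In the shared-connector layout each service inherits the other's allowed destination; with per-workload tags the report is empty.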
Pricing
For pricing information, see Cloud Run pricing.
With Serverless VPC Access connectors, you pay for two types of charges: Compute (billed as Compute Engine VMs) and network egress (billed as traffic from VMs). With Direct VPC egress, you pay only for network egress (at the same rate as connectors). You do not pay any compute charges.
If you use Serverless VPC Access connectors, you can view your associated costs as follows:
- Go to the Cloud Billing Reports page in the Google Cloud console.
- If prompted, select the billing account associated with your Google Cloud project.
- In the Filters panel, under Labels, add a label filter with the key serverless-vpc-access.
- In the Value field, select the names of the connectors that you want to filter for.
Next steps
- Learn how to configure your service with Direct VPC egress.
- Learn how to configure your job with Direct VPC egress.
- See information about Direct VPC egress with a Shared VPC network.
- Learn how to configure your service with Serverless VPC Access connectors.
- Learn how to configure your job with Serverless VPC Access connectors.