Connect to a VPC network

This page shows how to use Serverless VPC Access to connect a Cloud Run service directly to your VPC network, allowing access to Compute Engine VM instances, Memorystore instances, and any other resources with an internal IP address.

Before you begin

If you use Shared VPC, see Connecting to a Shared VPC network.

Create a Serverless VPC Access connector

To send requests to your VPC network and receive the corresponding responses without using the public internet, you must use a Serverless VPC Access connector.

You can create a connector by using the Google Cloud console, Google Cloud CLI, or Terraform:

Console

Ensure the Serverless VPC Access API is enabled for your project.

Enable API
Go to the Serverless VPC Access overview page.

Go to Serverless VPC Access
Click Create connector.
In the Name field, enter a name for your connector. This must be in accordance with the Compute Engine naming convention, with the additional restriction that it be less than 21 characters with hyphens (-) counting as two characters.
In the Region field, select a region for your connector. This must match the region of your serverless service.

If your service is in the region us-central or europe-west, use us-central1 or europe-west1.
In the Network field, select the VPC network to attach your connector to.
Click the Subnetwork pulldown menu:
- If you are using your own subnet (required for Shared VPC), select an unused /28 subnet.
  - Subnets must be used exclusively by the connector. They cannot be used by other resources such as VMs, Private Service Connect, or Internal HTTP(S) Load Balancing.
  - To confirm that your subnet is not used for Private Service Connect or Internal HTTP(S) Load Balancing, check that the subnet purpose is PRIVATE by running the following command in the gcloud CLI:
```
gcloud compute networks subnets describe SUBNET_NAME
```
    Replace:
    - SUBNET_NAME: the name of your subnet
- If you are not using Shared VPC, and prefer to have the connector create a subnet instead of creating one explicitly, select Custom IP range from the pulldown menu, then in the IP range field, enter the first address in an unreserved CIDR /28 internal IP range. This IP range must not overlap with any existing IP address reservations in your VPC network. For example, 10.8.0.0 (/28) will work in most new projects.
  
  Note: You can see which IP ranges are currently reserved in the Google Cloud console.
(Optional) To set scaling options for additional control over the connector, click Show Scaling Settings to display the scaling form.
1. Set the minimum and maximum number of instances for your connector, or use the defaults, which are 2 (min) and 10 (max). The connector scales out to the maximum specified if traffic usage requires it, but the connector does not scale back in when traffic decreases. You must use values between 2 and 10.
2. In the Instance Type pulldown menu, choose the machine type to be used for the connector, or use the default e2-micro. Notice the cost sidebar on the right when you choose the instance type, which displays bandwidth and cost estimations.
Click Create.
A green check mark will appear next to the connector's name when it is ready to use.

gcloud

Update gcloud components to the latest version:
```
gcloud components update
```
Ensure the Serverless VPC Access API is enabled for your project:
```
gcloud services enable vpcaccess.googleapis.com
```
If you are using your own subnet (required for Shared VPC), create a connector with the command:
```
gcloud compute networks vpc-access connectors create CONNECTOR_NAME \
--region REGION \
--subnet SUBNET \
# If you are not using Shared VPC, omit the following line.
--subnet-project HOST_PROJECT_ID \
# Optional: specify minimum and maximum instance values between 2 and 10, default is 2 min, 10 max.
--min-instances MIN \
--max-instances MAX \
# Optional: specify machine type, default is e2-micro
--machine-type MACHINE_TYPE
```
Replace the following:
- CONNECTOR_NAME: a name for your connector. This must be in accordance with the Compute Engine naming convention, with the additional restriction that it be less than 21 characters with hyphens (-) counting as two characters.
- REGION: a region for your connector; this must match the region of your serverless service. If your service is in the region us-central or europe-west, use us-central1 or europe-west1.
- SUBNET: the name of an unused /28 subnet.
  - Subnets must be used exclusively by the connector. They cannot be used by other resources such as VMs, Private Service Connect, or Internal HTTP(S) Load Balancing.
  - To confirm that your subnet is not used for Private Service Connect or Internal HTTP(S) Load Balancing, check that the subnet purpose is PRIVATE by running the following command in the gcloud CLI:
```
gcloud compute networks subnets describe SUBNET_NAME
```
    Replace:
    - SUBNET_NAME: the name of your subnet
- HOST_PROJECT_ID: the ID of the host project; supply this only if you are using Shared VPC
- MIN: the minimum number of instances to use for the connector. Use an integer between 2 and 9. Default is 2. To learn about connector scaling, see Throughput and scaling.
- MAX: the maximum number of instances to use for the connector. Use an integer between 3 and 10. Default is 10. If traffic requires it, the connector scales out to [MAX] instances, but does not scale back in. To learn about connector scaling, see Throughput and scaling.
- MACHINE_TYPE: f1-micro, e2-micro, or e2-standard-4. To learn about connector throughput, including machine type and scaling, see Throughput and scaling.
For more details and optional arguments, see the gcloud reference.
If you are not using Shared VPC and want to supply a custom IP range instead of using a subnet, create a connector with the command:
```
gcloud compute networks vpc-access connectors create CONNECTOR_NAME \
--network VPC_NETWORK \
--region REGION \
--range IP_RANGE
```
Replace the following:
- CONNECTOR_NAME: a name for your connector. This must be in accordance with the Compute Engine naming convention, with the additional restriction that it be less than 21 characters with hyphens (-) counting as two characters.
- VPC_NETWORK: the VPC network to attach your connector to
- REGION: a region for your connector. This must match the region of your serverless service. If your service is in the region us-central or europe-west, use us-central1 or europe-west1.
- IP_RANGE: an unreserved internal IP network, and a '/28' of unallocated space is required. The value supplied is the network in CIDR notation (10.8.0.0/28). This IP range must not overlap with any existing IP address reservations in your VPC network. For example, 10.8.0.0/28 works in most new projects.
Note: You can see which IP ranges are currently reserved in the Google Cloud console.

For more details and optional arguments such as throughput controls, see the gcloud reference.
Verify that your connector is in the READY state before using it:
```
gcloud compute networks vpc-access connectors describe CONNECTOR_NAME \
--region REGION
```
Replace the following:
- CONNECTOR_NAME: the name of your connector; this is the name that you specified in the previous step
- REGION: the region of your connector; this is the region that you specified in the previous step
The output should contain the line state: READY.

Terraform

You can use a Terraform resource to enable the vpcaccess.googleapis.com API.

examples/submodule_vpc_serverless_connector/main.tf

View on GitHub

resource "google_project_service" "vpcaccess-api" {
  project = var.project_id # Replace this with your project ID in quotes
  service = "vpcaccess.googleapis.com"
}

You can use Terraform modules to create a VPC network and subnet and then create the connector.

examples/submodule_vpc_serverless_connector/main.tf

View on GitHub

module "test-vpc-module" {
  source       = "terraform-google-modules/network/google"
  version      = "~> 3.3.0"
  project_id   = var.project_id # Replace this with your project ID in quotes
  network_name = "my-serverless-network"
  mtu          = 1460

  subnets = [
    {
      subnet_name   = "serverless-subnet"
      subnet_ip     = "10.10.10.0/28"
      subnet_region = "us-central1"
    }
  ]
}

module "serverless-connector" {
  source     = "terraform-google-modules/network/google//modules/vpc-serverless-connector-beta"
  project_id = var.project_id
  vpc_connectors = [{
    name        = "central-serverless"
    region      = "us-central1"
    subnet_name = module.test-vpc-module.subnets["us-central1/serverless-subnet"].name
    # host_project_id = var.host_project_id # Specify a host_project_id for shared VPC
    machine_type  = "e2-standard-4"
    min_instances = 2
    max_instances = 7
    }
    # Uncomment to specify an ip_cidr_range
    #   , {
    #     name          = "central-serverless2"
    #     region        = "us-central1"
    #     network       = module.test-vpc-module.network_name
    #     ip_cidr_range = "10.10.11.0/28"
    #     subnet_name   = null
    #     machine_type  = "e2-standard-4"
    #     min_instances = 2
    #   max_instances = 7 }
  ]
  depends_on = [
    google_project_service.vpcaccess-api
  ]
}

Configure your service to use a connector

After you have created a Serverless VPC Access connector, you must configure your Cloud Run service to use the connector. You can do this by using the Google Cloud console, Google Cloud CLI, or YAML file when you create a new service or deploy a new revision:

Console

Go to Cloud Run
Click Create Service if you are configuring a new service you are deploying to. If you are configuring an existing service, click on the service, then click Edit and Deploy New Revision.
If you are configuring a new service, fill out the initial service settings page as desired, then click Next > Container, Variables & Secrets, Connections, Security to reach the service configuration page.
Click the Connections tab.
In the VPC Connector field, select a connector to use or select None to disconnect your service from a VPC network.
Click Create or Deploy.

gcloud

To specify a connector during deployment, use the --vpc-connector flag:

gcloud run deploy SERVICE --image IMAGE_URL --vpc-connector CONNECTOR_NAME

Replace SERVICE with the name of your service.
Replace IMAGE_URL with a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest.
Replace CONNECTOR_NAME with the name of your connector.

To attach, update, or remove a connector for an existing service, use the gcloud run services update command with either of the following flags as needed:

For example, to attach or update a connector:

gcloud run services update SERVICE --vpc-connector CONNECTOR_NAME

Replace SERVICE with the name of your service.
Replace CONNECTOR_NAME with the name of your connector.

YAML

You can download and view existing service configuration using the gcloud run services describe --format export command, which yields cleaned results in YAML format. You can then modify the fields described below and upload the modified YAML using the gcloud run services replace command. Make sure you only modify fields as documented.

To view and download the configuration:

gcloud run services describe SERVICE --format export > service.yaml

Add or update the run.googleapis.com/vpc-access-connector attribute under the annotations attribute under the top-level spec attribute:
```
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: SERVICE
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/vpc-access-connector: CONNECTOR_NAME
      name: REVISION
```
Replace:
- SERVICE with the name of your Cloud Run service.
- CONNECTOR_NAME with the name of your connector.
- REVISION with a new revision name or delete it (if present). If you supply a new revision name, it must meet the following criteria:
  - Starts with SERVICE-
  - Contains only lowercase letters, numbers and -
  - Does not end with a -
  - Does not exceed 63 characters
Replace the service with its new configuration using the following command:
```
gcloud run services replace service.yaml
```

Terraform

You can use a Terraform resource to create a service and configure it to use your connector.

cloudrun_vpc_access_connector/main.tf

View on GitHub

# Cloud Run service
resource "google_cloud_run_service" "gcr_service" {
  name     = "mygcrservice"
  provider = google-beta
  location = "us-west1"

  template {
    spec {
      containers {
        image = "us-docker.pkg.dev/cloudrun/container/hello"
        resources {
          limits = {
            cpu = "1000m"
            memory = "512M"
          }
        }
      }
      # the service uses this SA to call other Google Cloud APIs
      # service_account_name = myservice_runtime_sa
    }

    metadata {
      annotations = {
        # Limit scale up to prevent any cost blow outs!
        "autoscaling.knative.dev/maxScale" = "5"
        # Use the VPC Connector
        "run.googleapis.com/vpc-access-connector" = google_vpc_access_connector.connector.name
        # all egress from the service should go through the VPC Connector
        "run.googleapis.com/vpc-access-egress" = "all-traffic"
      }
    }
  }
  autogenerate_revision_name = true
}

Restrict access to VPC resources

You can restrict your connector's access to your VPC network by using firewall rules.

When connecting to a Shared VPC network with connectors in the service projects, firewall rules are not automatically created. A user with the Network Administrator role on the host project sets firewall rules when they configure the host project.

When connecting to a standalone VPC network or a Shared VPC network that has the connector in the host project, an implicit firewall rule with priority 1000 is automatically created on your VPC network to allow ingress from the connector's subnet or custom IP range to all destinations in the VPC network. The implicit firewall rule is not visible in the Google Cloud console and exists only as long as the associated connector exists. If you don't want your connector to be able to reach all destinations in your VPC network, you can restrict its access.

You can restrict connector access by creating ingress rules on the destination resource, or by creating egress rules on the VPC connector.

Restrict access using ingress rules

Choose either network tags or CIDR ranges to control the incoming traffic to your VPC network.

Network tags

The following steps show how to create ingress rules that restrict a connector's access to your VPC network based on the connector network tags.

Ensure that you have the required permissions to insert firewall rules. You must have one of the following Identity and Access Management (IAM) roles:
- Compute Security Admin role
- Custom IAM role with the compute.firewalls.create permission enabled
Deny connector traffic across your VPC network.

Create an ingress firewall rule with priority lower than 1000 on your VPC network to deny ingress from the connector network tag. This overrides the implicit firewall rule that Serverless VPC Access creates on your VPC network by default.
```
gcloud compute firewall-rules create RULE_NAME \
--action=DENY \
--source-tags=VPC_CONNECTOR_NETWORK_TAG \
--direction=INGRESS \
--network=VPC_NETWORK \
--priority=PRIORITY
```
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, deny-vpc-connector.
- VPC_CONNECTOR_NETWORK_TAG: the universal connector network tag if you want to restrict access for all connectors (including any connectors made in the future), or the unique network tag if you want to restrict access for a specific connector.
  - Universal network tag: vpc-connector
  - Unique network tag: vpc-connector-REGION-CONNECTOR_NAME
    
    Replace:
    - REGION: the region of the connector that you want to restrict
    - CONNECTOR_NAME: the name of the connector that you want to restrict
  To learn more about connector network tags, see Network tags.
- VPC_NETWORK: the name of your VPC network
- PRIORITY: an integer from 1-999, inclusive. For example, 990.
Allow connector traffic to the resource that should receive connector traffic.

Use the allow and target-tags flags to create an ingress firewall rule targeting the resource in your VPC network that you want the VPC connector to access. Set the priority for this rule to be a lower value than the priority of the rule you made in the previous step.
```
gcloud compute firewall-rules create RULE_NAME \
--allow=PROTOCOLS \
--source-tags=VPC_CONNECTOR_NETWORK_TAG \
--direction=INGRESS \
--network=VPC_NETWORK \
--target-tags=RESOURCE_TAG \
--priority=PRIORITY
```
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, allow-vpc-connector-for-select-resources.
- PROTOCOLS: the protocols you want to allow from your VPC connector. These can be one or more of the case-sensitive string values tcp, udp, icmp, esp, ah, sctp, or any IP protocol number. For port-based protocols—tcp, udp, and sctp—a list of destination ports or port ranges to which the rule applies may optionally be specified. For more information, see the documentation for the allow flag.
- VPC_CONNECTOR_NETWORK_TAG: the universal connector network tag if you want to restrict access for all connectors (including any connectors made in the future), or the unique network tag if you want to restrict access for a specific connector. This must match the network tag that you specified in the previous step.
  - Universal network tag: vpc-connector
  - Unique network tag: vpc-connector-REGION-CONNECTOR_NAME
    
    Replace:
    - REGION: the region of the connector that you want to restrict
    - CONNECTOR_NAME: the name of the connector that you want to restrict
  To learn more about connector network tags, see Network tags.
- VPC_NETWORK: the name of your VPC network
- RESOURCE_TAG: the network tag for the VPC resource that you want your VPC connector to access
- PRIORITY: an integer less than the priority you set in the previous step. For example, if you set the priority for the rule you created in the previous step to 990, try 980.

For more information about the required and optional flags for creating firewall rules, refer to the documentation for gcloud compute firewall-rules create.

CIDR range

The following steps show how to create ingress rules that restrict a connector's access to your VPC network based on the connector's CIDR range.

Ensure that you have the required permissions to insert firewall rules. You must have one of the following Identity and Access Management (IAM) roles:
- Compute Security Admin role
- Custom IAM role with the compute.firewalls.create permission enabled
Deny connector traffic across your VPC network.

Create an ingress firewall rule with priority lower than 1000 on your VPC network to deny ingress from the connector's CIDR range. This overrides the implicit firewall rule that Serverless VPC Access creates on your VPC network by default.
```
gcloud compute firewall-rules create RULE_NAME \
--action=DENY \
--source-ranges=VPC_CONNECTOR_CIDR_RANGE \
--direction=INGRESS \
--network=VPC_NETWORK \
--priority=PRIORITY
```
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, deny-vpc-connector.
- VPC_CONNECTOR_CIDR_RANGE: the CIDR range for the connector whose access you are restricting
- VPC_NETWORK: the name of your VPC network
- PRIORITY: an integer from 1-999. For example, 990.
Allow connector traffic to the resource that should receive connector traffic.

Use the allow and target-tags flags to create an ingress firewall rule targeting the resource in your VPC network that you want the VPC connector to access. Set the priority for this rule to be a lower value than the priority of the rule you made in the previous step.
```
gcloud compute firewall-rules create RULE_NAME \
--allow=PROTOCOLS \
--source-ranges=VPC_CONNECTOR_CIDR_RANGE \
--direction=INGRESS \
--network=VPC_NETWORK \
--target-tags=RESOURCE_TAG \
--priority=PRIORITY
```
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, allow-vpc-connector-for-select-resources.
- PROTOCOLS: the protocols you want to allow from your VPC connector. These can be one or more of the case-sensitive string values tcp, udp, icmp, esp, ah, sctp, or any IP protocol number. For port-based protocols—tcp, udp, and sctp—a list of destination ports or port ranges to which the rule applies may optionally be specified. For more information, see the documentation for the allow flag.
- VPC_CONNECTOR_CIDR_RANGE: the CIDR range for the connector you whose access you are restricting
- VPC_NETWORK: the name of your VPC network
- RESOURCE_TAG: the network tag for the VPC resource that you want your VPC connector to access
- PRIORITY: an integer less than the priority you set in the previous step. For example, if you set the priority for the rule you created in the previous step to 990, try 980.

For more information about the required and optional flags for creating firewall rules, see the documentation for gcloud compute firewall-rules create.

Restrict access using egress rules

The following steps show how to create egress rules to restrict connector access.

Ensure that you have the required permissions to insert firewall rules. You must have one of the following Identity and Access Management (IAM) roles:
- Compute Security Admin role
- Custom IAM role with the compute.firewalls.create permission enabled
Deny egress traffic from your connector.

Create an egress firewall rule on your Serverless VPC Access connector to prevent it from sending outgoing traffic.
```
gcloud compute firewall-rules create RULE_NAME \
--action=DENY \
--direction=EGRESS \
--target-tags=VPC_CONNECTOR_NETWORK_TAG \
--network=VPC_NETWORK \
--priority=PRIORITY
```
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, deny-vpc-connector.
- VPC_CONNECTOR_NETWORK_TAG: the universal VPC connector network tag if you want the rule to apply to all existing VPC connectors and any VPC connectors made in the future. Or, the unique VPC connector network tag if you want to control a specific connector.
- VPC_NETWORK: the name of your VPC network
- PRIORITY: an integer from 1-999. For example, 990.
Allow egress traffic when the destination is in the CIDR range that you want your connector to access.

Use the allow and destination-ranges flags to create a firewall rule allowing egress traffic from your connector for a specific destination range. Set the destination range to the CIDR range of the resource in your VPC network that you want your connector to be able to access. Set the priority for this rule to be a lower value than the priority of the rule you made in the previous step.
```
gcloud compute firewall-rules create RULE_NAME \
--allow=PROTOCOLS \
--destination-ranges=RESOURCE_CIDR_RANGE \
--direction=EGRESS \
--network=VPC_NETWORK \
--target-tags=VPC_CONNECTOR_NETWORK_TAG \
--priority=PRIORITY
```
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, allow-vpc-connector-for-select-resources.
- PROTOCOLS: the protocols you want to allow from your VPC connector. These can be one or more of the case-sensitive string values tcp, udp, icmp, esp, ah, sctp, or any IP protocol number. For port-based protocols—tcp, udp, and sctp—a list of destination ports or port ranges to which the rule applies may optionally be specified. For more information, see the documentation for the allow flag.
- RESOURCE_CIDR_RANGE: the CIDR range for the connector whose access you are restricting
- VPC_NETWORK: the name of your VPC network
- VPC_CONNECTOR_NETWORK_TAG: the universal VPC connector network tag if you want the rule to apply to all existing VPC connectors and any VPC connectors made in the future. Or, the unique VPC connector network tag if you want to control a specific connector. If you used the unique network tag in the previous step, use the unique network tag.
- PRIORITY: an integer less than the priority you set in the previous step. For example, if you set the priority for the rule you created in the previous step to 990, try 980.

For more information about the required and optional flags for creating firewall rules, refer to the documentation for gcloud compute firewall-rules create.

Manage your connector

Control egress traffic from a service

By default, only requests to internal IP addresses and internal DNS names are routed through a Serverless VPC Access connector. In some cases however, you might want all outbound requests from your service to be routed to your VPC network. For example, if you want your VPC network's firewall rules to prevent outbound Cloud Run traffic from reaching dangerous or unwanted hosts, then you must route all outbound requests from your service through a Serverless VPC Access connector.

For control over routing outbound requests from your service, you can set the VPC egress to one of the following options:

Route only requests to private IPs through the VPC connector: Default. Only requests to RFC 1918 and RFC 6598 IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet.
Route all traffic through the VPC connector: All outbound requests from the service are routed to your VPC network. Requests will adhere to the network's firewall, DNS, and routing rules.

Note: Serverless VPC Access billing scales in proportion to the amount of traffic that passes through the connector. Review Serverless VPC Access pricing to understand cost implications.

You can specify a VPC egress setting by using the Google Cloud console, Google Cloud CLI, or YAML file when you create a new service or deploy a new revision:

Console

Go to Cloud Run
Click Create Service if you are configuring a new service you are deploying to. If you are configuring an existing service, click on the service, then click Edit and Deploy New Revision.
If you are configuring a new service, fill out the initial service settings page as desired, then click Next > Container, Variables & Secrets, Connections, Security to reach the service configuration page.
Click the Connections tab.
After you select a VPC connector, select Route only requests to private IPs through the VPC connector or Route all traffic through the VPC connector.
Click Create or Deploy.

gcloud

To specify an egress setting, use the --vpc-egress flag. You can specify an egress setting during deployment:

gcloud run deploy SERVICE \
--image IMAGE_URL \
--vpc-connector CONNECTOR_NAME \
--vpc-egress EGRESS_SETTING

Replace SERVICE with the name of your service.
Replace IMAGE_URL with a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest.
Replace CONNECTOR_NAME with the name of your connector.
Replace EGRESS_SETTING with an egress setting value:
- all-traffic: Sends all outbound traffic through the connector.
- private-ranges-only: Sends only traffic to internal addresses through the VPC connector.

You can also update an existing service and change the egress setting:

gcloud run services update SERVICE --vpc-egress EGRESS_SETTING

Replace SERVICE with the name of your service.
Replace EGRESS_SETTING with an egress setting value as listed above.

YAML

To view and download the configuration:

gcloud run services describe SERVICE --format export > service.yaml

Add or update the run.googleapis.com/vpc-access-egress attribute under the annotations attribute under the top-level spec attribute:
```
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: SERVICE
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/vpc-access-connector: CONNECTOR_NAME
        run.googleapis.com/vpc-access-egress: EGRESS_SETTING
      name: REVISION
```
Replace:
- SERVICE with the name of your Cloud Run service.
- CONNECTOR_NAME with the name of your connector. The run.googleapis.com/vpc-access-connector attribute is required when specifying an egress setting.
- EGRESS_SETTING with one of the following:
  - all-traffic: Sends all outbound traffic through the connector.
  - private-ranges-only: Sends only traffic to internal addresses through the VPC connector.
  - REVISION with a new revision name or delete it (if present). If you supply a new revision name, it must meet the following criteria:
    - Starts with SERVICE-
    - Contains only lowercase letters, numbers and -
    - Does not end with a -
    - Does not exceed 63 characters
Replace the service with its new configuration using the following command:
```
gcloud run services replace service.yaml
```

View Serverless VPC Access connector settings

You can view the current Serverless VPC Access connector settings for your service using the Google Cloud console or the gcloud command-line tool:

Console

Go to Cloud Run
Click the service you are interested in to open the Service details page.
Click the Revisions tab.
In the details panel at the right, the Serverless VPC Access connector setting is listed under the Connections tab.

gcloud

Use the following command:
```
gcloud run services describe SERVICE
```
Locate the Serverless VPC Access connector setting in the returned configuration.

Disconnect a service from a VPC network

You can disconnect a service from your VPC network using the Google Cloud console or the Google Cloud CLI:

Console

Go to Cloud Run
Click Create Service if you are configuring a new service you are deploying to. If you are configuring an existing service, click on the service, then click Edit and Deploy New Revision.
If you are configuring a new service, fill out the initial service settings page as desired, then click Next > Container, Variables & Secrets, Connections, Security to reach the service configuration page.
Click the Connections tab.
In the VPC Connector field, select None to disconnect your service from a VPC network.
Click Create or Deploy.

gcloud

Use the gcloud run services update command with the following flag:

--clear-vpc-connector

gcloud run services update SERVICE --clear-vpc-connector

Replace SERVICE with the name of your service.

Connectors continue to incur charges even if they have no traffic and are disconnected. For details, see pricing. If you no longer need your connector, be sure to delete it to avoid continued billing.

Delete a connector

Before you delete a connector, ensure that no services are still connected to it.

For Shared VPC users who set up connectors in the Shared VPC host project, you can use the command gcloud compute networks vpc-access connectors describe to list the projects in which there are services that use a given connector.

To delete a connector, use the Google Cloud console or the Google Cloud CLI:

Console

Go to the Serverless VPC Access overview page in the Google Cloud console:

Go to Serverless VPC Access
Select the connector you want to delete.
Click Delete.

gcloud

Use the following gcloud command to delete a connector:

gcloud compute networks vpc-access connectors delete CONNECTOR_NAME --region=REGION

Replace the following:

CONNECTOR_NAME with the name of the connector you want to delete
REGION with the region where the connector is located

Troubleshooting

Service account permissions

To perform operations in your Cloud project, Serverless VPC Access uses the Serverless VPC Access Service Agent service account. This service account's email address has the following form:

service-PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com

By default, this service account has the Serverless VPC Access Service Agent role (roles/vpcaccess.serviceAgent). Serverless VPC Access operations may fail if you change this account's permissions.

Errors

If creating a connector results in an error, try the following:

Specify an RFC 1918 internal IP range that does not overlap with any existing IP address reservations in the VPC network.
Grant your project permission to use Compute Engine VM images from the project with ID serverless-vpc-access-images. See Setting image access constraints for information on how to update your organization policy accordingly.
Set the constraints/compute.vmCanIpForward organization policy to allow VMs to enable IP forwarding.

If you've specified a connector but still cannot access resources in your VPC network:

Make sure there are no firewall rules on your VPC network with a priority before 1000 that deny ingress from your connector's IP range.

Next steps

Monitor admin activity with Serverless VPC Access audit logging.
Protect resources and data by creating a service perimeter with VPC Service Controls.
Use Identity and Access Management (IAM) roles associated with Serverless VPC Access. See Serverless VPC Access roles in the IAM documentation for a list of permissions associated with each role.
Connect to Memorystore.