This page shows how to use Serverless VPC Access to connect a Cloud Run (fully managed) service directly to your VPC network, allowing access to Compute Engine VM instances, Memorystore instances, and any other resources with an internal IP address.
To use Serverless VPC Access, you must first create a Serverless VPC Access connector in your service's project to handle communication to your VPC network. After you create a connector, set your Cloud Run (fully managed) service configuration to use the connector.
Creating a Serverless VPC Access connector
For detailed instructions on creating Serverless VPC Access connectors, refer to Creating a connector.
Configuring a service to use a connector
You can configure a service to use a connector from the Cloud Console, command line, or YAML file when you create a new service or deploy a new revision:
Console
Click Create Service if you are configuring a new service. If you are configuring an existing service, click the service, then click Edit and Deploy New Revision.
Under Advanced Settings, click Connections.
In the VPC Connector field, select a connector to use or select None to disconnect your service from a VPC network.
Click Create or Deploy.
Command line
To specify a connector during deployment, use the --vpc-connector flag:
gcloud run deploy SERVICE --image IMAGE_URL --vpc-connector CONNECTOR_NAME
- Replace SERVICE with the name of your service.
- Replace IMAGE_URL with a reference to the container image, for example, gcr.io/myproject/my-image:latest.
- Replace CONNECTOR_NAME with the name of your connector.
To attach, update, or remove a connector for an existing service, use the gcloud run services update command with the appropriate flag. For example, to attach or update a connector:
gcloud run services update SERVICE --vpc-connector CONNECTOR_NAME
- Replace SERVICE with the name of your service.
- Replace CONNECTOR_NAME with the name of your connector.
YAML
You can download and view the existing service configuration using the gcloud run services describe --format export command, which yields cleaned results in YAML format. You can then modify the fields described below and upload the modified YAML using the gcloud beta run services replace command. Make sure you only modify the fields as documented.
To view and download the configuration:
gcloud run services describe SERVICE --format export > service.yaml
Add or update the run.googleapis.com/vpc-access-connector attribute under the annotations attribute in spec.template.metadata:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: SERVICE
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/vpc-access-connector: CONNECTOR_NAME
- Replace SERVICE with the name of your Cloud Run (fully managed) service.
- Replace CONNECTOR_NAME with the name of your connector.
Replace the service with its new configuration using the following command:
gcloud beta run services replace service.yaml
Connecting to a Shared VPC network
If your organization uses Shared VPC, a Cloud Run (fully managed) service in a Shared VPC service project can connect to a Shared VPC network after some configuration in the Shared VPC host project.
Configure the host project for Shared VPC following the instructions at Configuring the host project if using Shared VPC.
Create the connector for Shared VPC following the instructions at Creating a connector.
When you deploy or update a Cloud Run (fully managed) service in your service project, specify the connector in the console UI using the VPC Connector pulldown menu in the Connections tab, or, if using the gcloud command line, specify the connector using the --vpc-connector flag.
Controlling egress traffic from a service
By default, only requests to internal IP addresses and internal DNS names are routed through a Serverless VPC Access connector. In some cases, however, you might want all outbound requests from your service to be routed to your VPC network, for example to prevent outbound traffic to dangerous or unwanted hosts with your network's firewall rules.
For control over routing outbound requests from your service, you can set the VPC egress to one of the following options:
- Route only requests to private IPs through the VPC connector: Default. Only requests to RFC 1918 and RFC 6598 IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet.
- Route all traffic through the VPC connector: All outbound requests from the service are routed to your VPC network. Requests will adhere to the network's firewall, DNS, and routing rules.
You can specify a VPC egress setting from the Cloud Console, command line, or YAML file when you create a new service or deploy a new revision:
Console
Click Create Service if you are configuring a new service. If you are configuring an existing service, click the service, then click Edit and Deploy New Revision.
Under Advanced Settings, click Connections.
After you select a VPC connector, select Route only requests to private IPs through the VPC connector or Route all traffic through the VPC connector.
Click Create or Deploy.
Command line
To specify an egress setting, use the --vpc-egress flag. You can specify an egress setting during deployment:
gcloud run deploy SERVICE \
  --image IMAGE_URL \
  --vpc-connector CONNECTOR_NAME \
  --vpc-egress EGRESS_SETTING
- Replace SERVICE with the name of your service.
- Replace IMAGE_URL with a reference to the container image, for example, gcr.io/myproject/my-image:latest.
- Replace CONNECTOR_NAME with the name of your connector.
- Replace EGRESS_SETTING with an egress setting value:
  - all: Sends all outbound traffic through the connector.
  - private-ranges-only: Sends only traffic to internal addresses through the VPC connector.
You can also update an existing service and change the egress setting:
gcloud run services update SERVICE --vpc-egress EGRESS_SETTING
- Replace SERVICE with the name of your service.
- Replace EGRESS_SETTING with an egress setting value as listed above.
YAML
You can download and view the existing service configuration using the gcloud run services describe --format export command, which yields cleaned results in YAML format. You can then modify the fields described below and upload the modified YAML using the gcloud beta run services replace command. Make sure you only modify the fields as documented.
To view and download the configuration:
gcloud run services describe SERVICE --format export > service.yaml
Add or update the run.googleapis.com/vpc-access-egress attribute under the annotations attribute in spec.template.metadata:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: SERVICE
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/vpc-access-connector: CONNECTOR_NAME
        run.googleapis.com/vpc-access-egress: EGRESS_SETTING
- Replace SERVICE with the name of your Cloud Run (fully managed) service.
- Replace CONNECTOR_NAME with the name of your connector. The run.googleapis.com/vpc-access-connector attribute is required when specifying an egress setting.
- Replace EGRESS_SETTING with one of the following:
  - all: Sends all outbound traffic through the connector.
  - private-ranges-only: Sends only traffic to internal addresses through the VPC connector.
Replace the service with its new configuration using the following command:
gcloud beta run services replace service.yaml
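As an added example (not code from this page or from Google's tooling), the following hypothetical Python helper sets and validates the two annotations shown in the YAML sections above, on the dict that PyYAML produces from an exported service.yaml. The annotation keys and the values all and private-ranges-only come from the page; the function names, the constructed sample service, and the PyYAML command-line path are assumptions. It enforces the rule stated above that an egress setting requires the connector annotation, which matters because with the default private-ranges-only setting any non-private destination bypasses your VPC firewall rules entirely.

```python
"""Set or validate Serverless VPC Access annotations on an exported Cloud Run service.
Hypothetical helper, not from Google: it works on the dict that yaml.safe_load()
returns for the output of `gcloud run services describe SERVICE --format export`."""
import sys

CONNECTOR_KEY = "run.googleapis.com/vpc-access-connector"
EGRESS_KEY = "run.googleapis.com/vpc-access-egress"
VALID_EGRESS = ("all", "private-ranges-only")

def _annotations(service: dict) -> dict:
    """Return spec.template.metadata.annotations, creating missing levels."""
    template = service.setdefault("spec", {}).setdefault("template", {})
    return template.setdefault("metadata", {}).setdefault("annotations", {})

def set_vpc_access(service: dict, connector: str, egress=None) -> dict:
    """Attach the connector and, optionally, an egress setting; return the modified dict."""
    if egress is not None and egress not in VALID_EGRESS:
        raise ValueError(f"egress must be one of {VALID_EGRESS}, got {egress!r}")
    annotations = _annotations(service)
    annotations[CONNECTOR_KEY] = connector
    if egress is None:
        annotations.pop(EGRESS_KEY, None)  # back to the default: private ranges only
    else:
        annotations[EGRESS_KEY] = egress
    return service

def check_vpc_access(service: dict) -> list:
    """Return a list of problems with the VPC access annotations (empty means OK)."""
    annotations = _annotations(service)
    egress = annotations.get(EGRESS_KEY)
    problems = []
    if egress is not None and egress not in VALID_EGRESS:
        problems.append(f"unknown egress setting {egress!r}")
    # The page states the connector annotation is required with an egress setting.
    if egress is not None and not annotations.get(CONNECTOR_KEY):
        problems.append("vpc-access-egress is set but vpc-access-connector is missing")
    return problems

# Constructed sample mirroring the page's YAML skeleton; not a real service.
SAMPLE_SERVICE = {"apiVersion": "serving.knative.dev/v1", "kind": "Service",
                  "metadata": {"name": "SERVICE"},
                  "spec": {"template": {"metadata": {"annotations": {}}}}}

if __name__ == "__main__":
    # Usage: python3 vpc_access.py CONNECTOR_NAME [all|private-ranges-only] < service.yaml
    import yaml  # PyYAML; only this command-line path needs it
    doc = set_vpc_access(yaml.safe_load(sys.stdin), sys.argv[1],
                         sys.argv[2] if len(sys.argv) > 2 else None)
    yaml.safe_dump(doc, sys.stdout, sort_keys=False)
```

Run check_vpc_access over each exported service before uploading it with gcloud beta run services replace, so a revision that sets an egress value without a connector is caught before deployment.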
Next steps
- Learn more about Serverless VPC Access.
- Learn how to connect to Memorystore from Cloud Run (fully managed).