Migrate standard VPC connector to Direct VPC egress

This page is for networking specialists who want to migrate standard VPC network traffic from using Serverless VPC Access connectors to using Direct VPC egress when sending traffic to a VPC network.

Direct VPC egress is faster and can handle more traffic than connectors, delivering lower latency and higher throughput because it uses a new, direct network path rather than connector instances.

Before migration, we recommend that you familiarize yourself with Direct VPC egress prerequisites, limitations, IP address allocation, and IAM permissions.

Migrate services to Direct VPC egress

Migrate services to Direct VPC egress gradually

When you migrate Cloud Run services from Serverless VPC Access connectors to Direct VPC egress, we recommend that you do so gradually.

To transition gradually:

  1. Follow the instructions in this section to update your service to use Direct VPC egress.
  2. Split a small percentage of traffic to the new revision to determine whether the traffic works correctly.
  3. Update the traffic split to send all traffic to the new revision using Direct VPC egress.

To migrate traffic with Direct VPC egress for a service, use the Google Cloud console or Google Cloud CLI:

Console

  1. In the Google Cloud console, go to the Cloud Run page.


  2. Click the service that you want to migrate from a connector to Direct VPC egress, then click Edit and deploy new revision.

  3. Click the Networking tab.

  4. From Connect to a VPC for outbound traffic, click Send traffic directly to a VPC.

  5. In the Network field, select the VPC network that you want to send traffic to.

  6. In the Subnet field, select the subnet from which your service receives IP addresses. You can deploy multiple services on the same subnet.

  7. Optional: Enter the names of the network tags that you want to associate with your service or services. Network tags are specified at the revision level. Each service revision can have different network tags, such as network-tag-2.

  8. For Traffic routing, select one of the following:

    • Route only requests to private IPs to the VPC: Sends only traffic to internal addresses through the VPC network.
    • Route all traffic to the VPC: Sends all outbound traffic through the VPC network.

  9. Click Deploy.

  10. To verify that your service is on your VPC network, click the service, then click the Networking tab. The network and subnet are listed in the VPC card.

    You can now send requests directly from your Cloud Run service to any resource on the VPC network, as allowed by your firewall rules.

gcloud

To migrate a Cloud Run service from a connector to Direct VPC egress using the Google Cloud CLI:

  1. Update your Cloud Run service with the following command:

    gcloud beta run services update SERVICE_NAME \
    --clear-vpc-connector \
    --network=NETWORK \
    --subnet=SUBNET \
    --network-tags=NETWORK_TAG_NAMES \
    --vpc-egress=EGRESS_SETTING \
    --region=REGION
    

    Replace:

    • SERVICE_NAME with the name of your service.
    • NETWORK with the name of your VPC network.
    • SUBNET with the name of your subnet. You can deploy or execute multiple services or jobs on the same subnet.
    • Optional: NETWORK_TAG_NAMES with the comma-separated names of the network tags you want to associate with a service. For services, network tags are specified at the revision level. Each service revision can have different network tags, such as network-tag-2.
    • EGRESS_SETTING with an egress setting value:
      • all-traffic: Sends all outbound traffic through the VPC network.
      • private-ranges-only: Sends only traffic to internal addresses through the VPC network.
    • REGION with a region for your service.
  2. To verify that your service is on your VPC network, run the following command:

    gcloud beta run services describe SERVICE_NAME \
    --region=REGION
    

    Replace:

    • SERVICE_NAME with the name of your service.
    • REGION with the region for your service that you specified in the previous step.

    The output should contain the name of your network, subnet, and egress setting, for example:

    VPC access:
      Network:       default
      Subnet:        subnet
      Egress:        private-ranges-only
    

You can now send requests from your Cloud Run service to any resource on the VPC network, as allowed by your firewall rules.

Migrate jobs to Direct VPC egress

You can migrate traffic with Direct VPC egress for a job by using the Google Cloud console or Google Cloud CLI.

Console

  1. In the Google Cloud console, go to the Cloud Run page.


  2. Click the job that you want to migrate from a connector to Direct VPC egress, then click Edit.

  3. Click the Networking tab.

  4. Click Container, Variables & Secrets, Connections, Security to expand the job properties page.

  5. Click the Connections tab.

  6. From Connect to a VPC for outbound traffic, click Send traffic directly to a VPC.

  7. In the Network field, select the VPC network that you want to send traffic to.

  8. In the Subnet field, select the subnet from which your job receives IP addresses. You can deploy multiple jobs on the same subnet.

  9. Optional: Enter the names of the network tags that you want to associate with your job or jobs. Network tags are specified at the execution level. Each job execution can have different network tags, such as network-tag-2.

  10. For Traffic routing, select one of the following:

    • Route only requests to private IPs to the VPC: Sends only traffic to internal addresses through the VPC network.
    • Route all traffic to the VPC: Sends all outbound traffic through the VPC network.

  11. Click Update.

  12. To verify that your job is on your VPC network, click the job, then click the Configuration tab. The network and subnet are listed in the VPC card.

You can now execute your Cloud Run job and send requests from the job to any resource on the VPC network, as allowed by your firewall rules.

gcloud

To migrate a Cloud Run job from a connector to Direct VPC egress using the Google Cloud CLI:

  1. Update your Cloud Run job with the following command:

    gcloud run jobs update JOB_NAME \
    --clear-vpc-connector \
    --image=IMAGE_URL \
    --network=NETWORK \
    --subnet=SUBNET \
    --network-tags=NETWORK_TAG_NAMES \
    --vpc-egress=EGRESS_SETTING \
    --region=REGION
    

    Replace:

    • JOB_NAME with the name of your job.
    • IMAGE_URL with a reference to the container image for your job.
    • NETWORK with the name of your VPC network.
    • SUBNET with the name of your subnet. You can deploy or execute multiple services or jobs on the same subnet.
    • Optional: NETWORK_TAG_NAMES with the names of the network tags you want to associate with a job. For jobs, network tags are specified at the execution level. Each job execution can have different network tags, such as network-tag-2.
    • EGRESS_SETTING with an egress setting value:
      • all-traffic: Sends all outbound traffic through the VPC network.
      • private-ranges-only: Sends only traffic to internal addresses through the VPC network.
    • REGION with a region for your job.
  2. To verify that your job is on your VPC network, run the following command:

    gcloud beta run jobs describe JOB_NAME \
    --region=REGION
    

    Replace:

    • JOB_NAME with the name of your job.
    • REGION with the region for your job that you specified in the previous step.

    The output should contain the name of your network, subnet, and egress setting, for example:

    VPC access:
      Network:       default
      Subnet:        subnet
      Egress:        private-ranges-only
    

You can now send requests from your Cloud Run job to any resource on the VPC network, as allowed by your firewall rules.
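
The verification steps for services and jobs both end with a VPC access block in the describe output. The following check is an added example, not part of the original page or of Google's tooling: it parses that block and fails unless network, subnet, and egress setting match what you intended, which is useful as a gate before shifting all traffic to the new revision. The function names vpc_field and check_vpc_access and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Google tooling. Sample text below is constructed,
# modelled on the example `describe` output shown on this page.

# vpc_field NAME: print the value of "NAME:" inside the "VPC access:" block on stdin.
vpc_field() {
  awk -v key="$1:" '
    function ind(s) { match(s, /[^ ]/); return RSTART - 1 }
    /VPC access:/                     { base = ind($0); in_block = 1; next }
    in_block && NF && ind($0) <= base { in_block = 0 }   # less-indented line ends the block
    in_block && $1 == key             { print $2; exit }
  '
}

# check_vpc_access NETWORK SUBNET EGRESS: return 0 only if all three match.
check_vpc_access() {
  out=$(cat)
  rc=0
  for pair in "Network=$1" "Subnet=$2" "Egress=$3"; do
    name=${pair%%=*}
    want=${pair#*=}
    got=$(printf '%s\n' "$out" | vpc_field "$name")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $name: want '$want', got '${got:-<absent>}'" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample input (the URL line is a placeholder).
SAMPLE='VPC access:
  Network:       default
  Subnet:        subnet
  Egress:        private-ranges-only
URL: https://service.example.invalid'

if printf '%s\n' "$SAMPLE" | check_vpc_access default subnet private-ranges-only; then
  echo "VPC access matches; safe to shift more traffic to this revision"
fi
```

To use it on a real service, pipe the output of `gcloud beta run services describe SERVICE_NAME --region=REGION` into `check_vpc_access NETWORK SUBNET EGRESS_SETTING`. A missing Network or Subnet field is reported as absent, which is what you see if the resource is not on Direct VPC egress.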