This page provides networking best practices, including using Direct VPC egress settings when sending outbound traffic from Cloud Run to a VPC network.
Use Direct VPC egress for faster network egress throughput
To achieve faster throughput across network egress connections, use Direct VPC egress to route traffic through your VPC network.
Example 1: External traffic to the internet
If you're sending external traffic to the public internet, route all traffic
through the VPC network by setting
--vpc-egress=all-traffic. With this
approach, you must set up Cloud NAT to reach the public internet. Note that
Cloud NAT is a paid product.
Example 2: Internal traffic to a Google API
If you're using Direct VPC egress to send traffic to a Google API, such as Cloud Storage, choose one of the following options:
- Specify
private-ranges-only(default) with Private Google Access:- Set the flag
--vpc-egress=private-ranges-only. - Enable Private Google Access.
- Configure DNS for Private Google Access.
Make sure your target domain (such as
storage.googleapis.com) maps to one of the following internal IP address ranges:199.36.153.8/30199.36.153.4/30
- Set the flag
- Specify
all-trafficwith Private Google Access:- Set the flag
--vpc-egress=all-traffic. - Enable Private Google Access.
- Set the flag
Avoid Cloud NAT with Cloud Run subnets
When you route internal IP address requests to the VPC network
(--vpc-egress=private-ranges-only),
avoid associating Cloud NAT with subnets that run Cloud Run
services or revisions. Otherwise, you can incur additional charges.
Connection Pooling and Reuse
When sending a large number of requests to a single destination IP address, use connection pooling to maintain and reuse connections to the destination. High connection rates to a single IP address can exhaust outbound ports and cause connection refused errors.
What's next
- Compare Direct VPC egress and VPC connectors.
- Use tags for testing, traffic migration and rollbacks.