You can enable your Cloud Run service or job to send traffic to a Shared VPC network by using Direct VPC egress with no Serverless VPC Access connector required.
This page describes how to configure Cloud Run's IAM permissions to use the subnet of the Shared VPC network, and then place your service or job on the shared subnet.
Before you begin
When using Direct VPC egress, make sure your subnet has at least a few hundred IP addresses available. If the total number of instances across all your Cloud Run services grows beyond 100, we recommend having at least 4 times (4X) the total number available.
Limitations
The following limitations apply to both Cloud Run services and jobs:
- Cloud Run supports throughput of up to 1 Gbps per individual instance. Exceeding this amount results in performance throttling.
A Cloud Run usage quota limits the maximum number of instances you can configure to use Direct VPC egress. The maximum number is configured per Cloud Run revision or job execution. To increase the default limits, see how to increase quotas. You can check your quota using the Google Cloud console.
- Cloud Run services and jobs might experience connection breaks during networking infrastructure maintenance events. We recommend that you use client libraries that can handle occasional connection resets.
- Direct VPC egress for Cloud Run jobs is available in Preview only.
- To ensure proper job executions, only use Direct VPC egress for jobs that don't require more than 8 concurrent instances and be sure to reserve a minimum of 1,024 IP addresses.
The following items are not supported by Direct VPC egress:
- VPC Flow Logs doesn't provide the name of the Cloud Run service or revision.
- VPC Flow Logs are not reported from non-VM resources like Cloud Run or on-premises machines.
- Firewall Rules Logging
- Packet Mirroring
- Network Intelligence Center
- IPv6 traffic
- Private NAT
- Using network tags in ingress firewall rules applied to the destination resource.
- Using service identity as the source service account in ingress firewall rules applied to the destination resource.
- Firewall rules cannot use Resource Manager tags attached to Cloud Run workloads.
- Cloud Run jobs that run for more than 1 hour might experience
connection breaks. These can occur during
maintenance events
that migrate the job from one machine to another. The container receives a
SIGTSTP
signal 10 seconds before the event and aSIGCONT
signal after the event. After the container receives theSIGCONT
signal, retry the connection.
Set up IAM permissions
Before Cloud Run in a Shared VPC service project can access a Shared VPC network, you must first make sure the Cloud Run service agent has sufficient permissions to use the subnet.
To access the Shared VPC network, grant sufficient permissions to the Cloud Run service agent by adding one of the following roles:
Compute Network User (
compute.networkUser
) on the Shared VPC host project.For example, run the following command:
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \ --member "serviceAccount:service-SERVICE_PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com" \ --role "roles/compute.networkUser"
Replace the following:
- HOST_PROJECT_ID: the ID of your Shared VPC host project.
- SERVICE_PROJECT_NUMBER: the Shared VPC service project number where you deploy your Cloud Run service or job.
Compute Network Viewer (
compute.networkViewer
) on the Shared VPC host project and the Compute Network User (compute.networkUser
) role on the Shared VPC subnet.For example, to grant the Compute Network Viewer role on the subnet, run the following command:
gcloud compute networks subnets add-iam-policy-binding SUBNET_NAME \ --region REGION \ --member "serviceAccount:service-SERVICE_PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com" \ --role "roles/compute.networkUser" \ --project HOST_PROJECT_ID
Replace the following:
- SUBNET_NAME: the fully qualified resource name of the subnet that you want to run your Cloud Run services.
- REGION: the region for your Cloud Run service, which must match the region of your subnet.
- SERVICE_PROJECT_NUMBER: the Shared VPC service project number where you deploy your Cloud Run service or job.
- HOST_PROJECT_ID: the ID of your Shared VPC host project.
The Cloud Run service agent requires the Cloud Run Service Agent role on your Cloud Run project. You can verify that the role was not manually removed by running the following command:
gcloud projects get-iam-policy SERVICE_PROJECT_ID \ --flatten bindings \ --filter "bindings.role:roles/run.serviceAgent"
Replace SERVICE_PROJECT_ID with the project ID of your Cloud Run service or job.
For more granular control, you can ensure that the Cloud Run service agent has the following permissions:
compute.networks.get
on the Shared VPC host projectcompute.subnetworks.get
on the host project or the specific subnetcompute.subnetworks.use
on the host project or the specific subnetcompute.addresses.get
on the Shared VPC service projectcompute.addresses.list
on the Shared VPC service projectcompute.addresses.createInternal
on the Shared VPC service projectcompute.addresses.deleteInternal
on the Shared VPC service project
IP address allocation
To place your Cloud Run service or job on a VPC network, you must specify a network and subnet. Cloud Run allocates IP addresses from your subnet.
IP addresses are ephemeral, so don't create policies based on individual IPs. If you need to create a policy based on IPs, such as in firewall rules, you must use the IP address range of the entire subnet.
To change the network or subnet that your service or job uses, deploy a new service revision or execute a new job task that uses the new network and subnet values.
Scale up
To enable fast scale up in the event of a traffic surge, Cloud Run allocates IP addresses before they're needed.
At any given time, there are likely more allocated IP addresses than the number of instances that exist. To ensure that Cloud Run can obtain enough IP addresses, make sure your subnet has at least a few hundred IP addresses available. If the subnet's total number of instances across all Cloud Run services and jobs grows beyond 100, we recommend having at least 4 times (4X) the total number available. If Cloud Run cannot allocate more IP addresses, it cannot start any more service instances or job tasks until more IP addresses become available. If your IP address space is limited, see Supported IP ranges for more options. For IP allocation efficiency and ease of management, place multiple services or jobs on the same subnet.
Scale down
Even after all services or jobs scale down to zero, Cloud Run
reserves some IP addresses from the subnet for up to 20 minutes in case services
or jobs must quickly scale up again. Each instance requires one IP address, but
Cloud Run reserves a minimum /28
subnet mask at the beginning.
Once you exhaust all 16 instances, Cloud Run creates a new
subnet.
To delete the subnet, you must first delete or redeploy your Cloud Run services or jobs to stop using the subnet, and then wait 1-2 hours.
Supported IP ranges
Cloud Run supports the following IPv4 ranges for your subnet:
- RFC 1918 (recommended)
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
- RFC 6598
100.64.0.0/10
- Class E (not recommended with on-premises setups)
240.0.0.0/4
Deploy a service
Direct VPC egress allows your Cloud Run service to send traffic to a Shared VPC network without a Serverless VPC Access connector. Network costs scale to zero just like the service itself. You can also add network tags directly on Cloud Run service revisions for more granular network security, such as applying VPC firewall rules.
You can configure Direct VPC egress with a service by using the Google Cloud console, Google Cloud CLI, or YAML.
Console
In the Google Cloud console, go to the Cloud Run page:
Click Deploy container and select Service if you are configure a new service. If you are configuring and deploying an existing service, click the service, then click Edit and deploy new revision.
If you are configuring a new service, fill out the initial service settings page as needed, then click Container(s), volumes, networking, security to expand the service configuration page.
Click the Networking tab.
Click Connect to a VPC for outbound traffic.
Click Send traffic directly to a VPC.
Select Networks shared with me.
In the Network field, select the Shared VPC network that you want to send traffic to.
In the Subnet field, select the subnet where your service receives IP addresses from.
Optional: Enter the names of the network tags that you want to associate with your service or services. Network tags are specified at the revision-level. Each service revision can have different network tags, such as
network-tag-2
.For Traffic routing, select one of the following:
- Route only requests to private IPs to the VPC to send only traffic to internal addresses through the Shared VPC network.
- Route all traffic to the VPC to send all outbound traffic through the Shared VPC network.
Click Create or Deploy.
To verify that your service is on your Shared VPC network, click the service, then click the Networking tab. The network and subnet are listed in the VPC card.
You can now send requests from your Cloud Run service to any resource on the Shared VPC network, as allowed by your firewall rules.
gcloud
To place your service on the shared subnet, specify the fully qualified resource names for the Shared VPC network and subnet by running the following command:
gcloud run deploy SERVICE_NAME \ --image IMAGE_URL \ --network projects/HOST_PROJECT_ID/global/networks/VPC_NETWORK \ --subnet projects/HOST_PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME \ --network-tags NETWORK_TAG_NAMES \ --vpc-egress=EGRESS_SETTING \ --region REGION \ --max-instances MAX
Replace the following:
- SERVICE_NAME: the name of your Cloud Run service.
- IMAGE_URL: the image URL of the service.
- HOST_PROJECT_ID: the ID of your Shared VPC project.
- VPC_NETWORK: the fully qualified resource name of your Shared VPC network.
- REGION: the region for your Cloud Run service, which must match the region of your subnet.
- SUBNET_NAME: the fully qualified resource name of your subnet.
- Optional: NETWORK_TAG_NAMES with the comma-separated names of
the network tags you
want to associate with a service. For services, network tags are specified
at the revision-level. Each service revision can have different network
tags, such as
network-tag-2
. - EGRESS_SETTING with an
egress setting value:
all-traffic
: Sends all outbound traffic through the Shared VPC network.private-ranges-only
: Sends only traffic to internal addresses through the Shared VPC network.
- MAX: the maximum number of instances to use for the Shared VPC network. The maximum number of instances allowed for services is 100.
For more details and optional arguments, see the
gcloud
reference.
YAML
If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:
gcloud run services describe SERVICE --format export > service.yaml
Update the following attributes:
apiVersion: serving.knative.dev/v1 kind: Service metadata: name: SERVICE_NAME labels: cloud.googleapis.com/location: REGION spec: template: metadata: annotations: run.googleapis.com/network-interfaces: '[{"network":"NETWORK","subnetwork":"SUBNET","tags":"NETWORK_TAG_NAMES"}]' run.googleapis.com/vpc-access-egress: EGRESS_SETTING spec: containers: - image: IMAGE
Replace:
- SERVICE_NAME with the name of your Cloud Run service. Service names must be 49 characters or less and must be unique per region and project.
- REGION with the region for your Cloud Run service, which must match the region of your subnet.
- NETWORK with the fully qualified resource name of your Shared VPC network.
- SUBNET_NAME with the fully qualified resource name of your subnet.
- Optional: NETWORK_TAG_NAMES with the names of the
network tags
you want to associate with a service. For services, network tags are
specified at the revision-level. Each service revision can have
different network tags, such as
network-tag-2
. - EGRESS_SETTING with an
egress setting value:
all-traffic
: Sends all outbound traffic through the Shared VPC network.private-ranges-only
: Sends only traffic to internal addresses through the Shared VPC network.
- IMAGE with the URL of your service container image.
Create or update the service using the following command:
gcloud run services replace service.yaml
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
Add the following to your
main.tf
file:
Optionally, make your service public if you want to allow unauthenticated access to the service.
Create a job
Direct VPC egress allows your Cloud Run job to send traffic to a Shared VPC network without a Serverless VPC Access connector. You can also add network tags directly on Cloud Run jobs for more granular network security, such as applying VPC firewall rules.
You can configure Direct VPC egress with a job by using the Google Cloud console, Google Cloud CLI, or YAML.
Console
In the Google Cloud console, go to the Cloud Run page:
If you are configuring a new job, click Deploy container and select Job to fill out the initial Create job form as needed. If you are configuring an existing job, click the Jobs tab, select a job, then click Edit.
Click Container, Variables & Secrets, Connections, Security to expand the job properties page.
Click the Connections tab.
Click Connect to a VPC for outbound traffic.
Click Send traffic directly to a VPC.
Select Networks shared with me.
In the Network field, select the Shared VPC network that you want to send traffic to.
In the Subnet field, select the subnet where your job receives IP addresses from.
Optional: Enter the names of the network tags that you want to associate with a job. For jobs, network tags are specified at the execution-level. Each job execution can have different network tags, such as
network-tag-2
.For Traffic routing, select one of the following:
- Route only requests to private IPs to the VPC to send only traffic to internal addresses through the Shared VPC network.
- Route all traffic to the VPC to send all outbound traffic through the Shared VPC network.
Click Create or Update.
To verify that your job is on your Shared VPC network, click the job, then click the Configuration tab. The network and subnet are listed in the VPC card.
You can now execute your Cloud Run job and send requests from the job to any resource on the Shared VPC network, as allowed by your firewall rules.
gcloud
To place your job on the shared subnet, specify the fully qualified resource names for the Shared VPC network and subnet by running the following command:
gcloud run jobs create JOB_NAME \ --image IMAGE_URL \ --network projects/HOST_PROJECT_ID/global/networks/VPC_NETWORK \ --subnet projects/HOST_PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME \ --network-tags NETWORK_TAG_NAMES \ --vpc-egress=EGRESS_SETTING \ --region REGION \
Replace the following:
- JOB_NAME: the name of your Cloud Run job.
- IMAGE_URL: the image URL of the job.
- HOST_PROJECT_ID: the ID of your Shared VPC host project.
- VPC_NETWORK: the fully qualified resource name of your Shared VPC network.
- REGION: the region for your Cloud Run job, which must match the region of the subnet.
- SUBNET_NAME: the fully qualified resource name of your name of your subnet.
- Optional: NETWORK_TAG_NAMES with the comma-separated names of
the network tags you
want to associate with a job. Each job execution can have different
network tags, such as
network-tag-2
. - EGRESS_SETTING with an
egress setting value:
all-traffic
: Sends all outbound traffic through the Shared VPC network.private-ranges-only
: Sends only traffic to internal addresses through the Shared VPC network.
For more details and optional arguments, see the
gcloud
reference.
YAML
If you are creating a new job, skip this step. If you are updating an existing job, download its YAML configuration:
gcloud run jobs describe JOB_NAME --format export > job.yaml
Update the following attributes:
apiVersion: run.googleapis.com/v1 kind: Job metadata: name: JOB_NAME annotations: run.googleapis.com/launch-stage: BETA labels: cloud.googleapis.com/location: REGION spec: template: metadata: annotations: run.googleapis.com/network-interfaces: '[{"network":"NETWORK","subnetwork":"SUBNET","tags":"NETWORK_TAG_NAMES"}]' run.googleapis.com/vpc-access-egress: EGRESS_SETTING spec: containers: - image: IMAGE
Replace:
- JOB_NAME with the name of your Cloud Run job. Job names must be 49 characters or less and must be unique per region and project.
- REGION with the region for your Cloud Run job, which must match the region of your subnet.
- NETWORK with the fully qualified resource name of your Shared VPC network.
- SUBNET with the fully qualified resource name of your subnet.
- Optional: NETWORK_TAG_NAMES with the names of the
network tags
you want to associate with a job. For jobs, network tags are specified
at the execution-level. Each job execution can have different network
tags, such as
network-tag-2
. - EGRESS_SETTING with an
egress setting value:
all-traffic
: Sends all outbound traffic through the Shared VPC network.private-ranges-only
: Sends only traffic to internal addresses through the Shared VPC network.
- IMAGE with the URL of your job container image.
Create or update the job using the following command:
gcloud run jobs replace job.yaml
Disconnect a service
Console
To remove your service from the Shared VPC network:
In the Google Cloud console, go to the Cloud Run page:
Click the service you want to remove, then click Edit and deploy new revision.
Click the Networking tab.
Clear Connect to a VPC for outbound traffic.
Click Deploy.
To verify that your service is no longer on your Shared VPC network, click the Networking tab. The network and subnet are no longer listed in the VPC card.
To remove only the network tags while keeping the service connected to the Shared VPC network:
Click the service that contains the network tags you want to remove, then click Edit and deploy new revision.
Click the Networking tab.
Clear the names of the network tags that you no longer want to associate with your service.
Click Deploy.
gcloud
To remove your service from the Shared VPC network, run the following command:
gcloud run services update SERVICE_NAME --region=REGION \ --clear-network
To remove only the network tags while keeping the service connected to the Shared VPC network, run the following command:
gcloud run services update SERVICE_NAME --region=REGION \ --clear-network-tags
Replace the following:
- SERVICE_NAME: the name of your Cloud Run service.
- REGION: the region for your Cloud Run service.
YAML
To remove your service from the Shared VPC network:
Download the service's YAML configuration:
gcloud run services describe SERVICE_NAME --format export > service.yaml
Remove the following content from your
service.yaml
file:run.googleapis.com/network-interfaces: '[{"network":"NETWORK","subnetwork":"SUBNET","tags":"NETWORK_TAG_NAMES"}]'
Where
- NETWORK: the fully qualified resource name of your Shared VPC network.
- SUBNET: the fully qualified resource name of your subnet.
- Optional: NETWORK_TAG_NAMES: the names of the network tags if you had associated them with a service.
Update the service using the following command:
gcloud run services replace service.yaml
To remove only the network tags while keeping the service connected to the Shared VPC network:
Download the service's YAML configuration:
gcloud run services describe SERVICE_NAME --format export > service.yaml
Remove the
tags
variable from the content in yourservice.yaml
file, leaving thenetwork
andsubnetwork
variables in place, as shown in the following example:run.googleapis.com/network-interfaces: '[{"network":"NETWORK","subnetwork":"SUBNET"}]'
Replace the following:
- NETWORK: the fully qualified resource name of your Shared VPC network.
- SUBNET: the fully qualified resource name of your subnet.
Update the service using the following command:
gcloud run services replace service.yaml
Disconnect a job
Console
To remove your job from the Shared VPC network:
In the Google Cloud console, go to the Cloud Run page:
Click the job you want to remove, then click Edit and deploy new revision.
Click the Configuration tab.
Clear Connect to a VPC for outbound traffic.
Click Update.
To verify that your job is no longer on your Shared VPC network, click the Configuration tab. The network and subnet are no longer listed in the VPC card.
To remove only the network tags while keeping the job connected to the Shared VPC network:
Click the job that contains the network tags you want to remove, then click Edit and deploy new revision.
Click the Connections tab.
Clear the names of the network tags that you no longer want to associate with your job.
Click Update.
gcloud
To remove your job from the Shared VPC network, run the following command:
gcloud run jobs update JOB_NAME --region=REGION \ --clear-network
To remove only the network tags while keeping the job connected to the Shared VPC network, run the following command:
gcloud run jobs update JOB_NAME --region=REGION \ --clear-network-tags
Replace the following:
- JOB_NAME: the name of your Cloud Run job.
- REGION: the region for your Cloud Run job.
YAML
To remove your job from the Shared VPC network:
Download the job's YAML configuration:
gcloud run jobs describe JOB_NAME --format export > job.yaml
Remove the following content from your
job.yaml
file:run.googleapis.com/network-interfaces: '[{"network":"NETWORK","subnetwork":"SUBNET","tags":"NETWORK_TAG_NAMES"}]'
Where
- NETWORK: the fully qualified resource name of your Shared VPC network.
- SUBNET: the fully qualified resource name of your subnet.
- Optional: NETWORK_TAG_NAMES: the names of the network tags if you had associated them with a job.
Update the job using the following command:
gcloud run jobs replace job.yaml
To remove only the network tags while keeping the job connected to the Shared VPC network:
Download the job's YAML configuration:
gcloud run jobs describe JOB_NAME --format export > job.yaml
Remove the following content from your
job.yaml
file:run.googleapis.com/network-interfaces: '[{"network":"NETWORK","subnetwork":"SUBNET","tags":"NETWORK_TAG_NAMES"}]'
Where
- NETWORK: the fully qualified resource name of your Shared VPC network.
- SUBNET: the fully qualified resource name of your subnet.
- Optional: NETWORK_TAG_NAMES: the names of the network tags if you had associated them with a job.
Update the job using the following command:
gcloud run jobs replace job.yaml
Troubleshooting
Cannot delete subnet
To delete a subnet, you must first delete all resources that use it. If Cloud Run is using a subnet, you must disconnect Cloud Run from the Shared VPC network or move it to a different subnet before deleting the subnet.
Cannot detach Shared VPC network
To detach the Shared VPC network in the host project, follow the steps to Deprovision Shared VPC and be sure to disconnect any Cloud Run services or jobs from the Shared VPC network.
To see which Cloud Run resources are using the Shared VPC network, run the following command:
gcloud compute shared-vpc list-associated-resources HOST_PROJECT_ID
Replace HOST_PROJECT_ID with the ID of your Shared VPC host project.
Direct VPC subnet runs out of IP addresses
If the subnet of the Shared VPC network runs out of IP addresses, it is logged by Cloud Logging. When this occurs, Cloud Run cannot start any more service instances or job tasks until more IP addresses become available.
View allocated IP addresses
To see which IP addresses Cloud Run has allocated, go to the IP addresses page in the Google Cloud console or run the following command from the Google Cloud CLI:
gcloud compute addresses list