Restricting ingress for Cloud Run

Stay organized with collections Save and categorize content based on your preferences.

This page describes how to use ingress settings to restrict network access to your Cloud Run service. At a network level, by default, any resource on the internet is able to reach your Cloud Run service on its URL or at a custom domain set up in Cloud Run. You can change this default by specifying a different setting for ingress. All ingress paths, including the default URL, are subject to your ingress setting. Ingress is set at the service level.

Ingress settings and IAM authentication methods are two ways of managing access to a service. They are independent of each other. For a layered approach to managing access, use both.

Available ingress settings

The following settings are available:

Setting Description
Internal Most restrictive. Allows requests from the following sources:
  • Internal HTTP(S) load balancer, including requests from Shared VPC networks when routed through the internal HTTP(S) load balancer
  • Resources allowed by any VPC Service Controls perimeter that contains your Cloud Run service
  • VPC networks that are in the same project or VPC Service Controls perimeter as your Cloud Run service
  • The following Google Cloud products, if they are in the same project or VPC Service Controls perimeter as your Cloud Run service:
    • Cloud Tasks
    • Eventarc
    • Pub/Sub
    • Workflows
Requests from these sources stay within the Google network, even if they access your service at the URL. Requests from other sources, including the internet, cannot reach your service at the URL or custom domains.

There is no support for multi-tenancy, that is, multiple trust domains within the same project.
Internal and Cloud Load Balancing Allows requests from the following resources:
  • Resources allowed by the more restrictive Internal setting
  • External HTTP(S) load balancer
Use the Internal and Cloud Load Balancing setting to:
  • Accept requests from an external HTTP(S) load balancer but not directly from the internet. Requests to the URL bypass External HTTP(S) load balancer, so this setting prevents external requests from reaching the URL.
  • Ensure that requests from the internet are subject to External HTTP(S) load balancer features (such as Identity-Aware Proxy, Google Cloud Armor, and Cloud CDN).
All Least restrictive. Allows all requests, including requests directly from the internet to the URL.

Accessing internal services

The following additional considerations apply:

  • When accessing internal services, call them as you would normally do using their public URLs, either the default URL or a custom domain set up in Cloud Run.

  • For requests from Compute Engine VM instances, no further setup is required for machines that have public IP addresses or that use Cloud NAT. Otherwise, see Receive requests from VPC networks.

  • For requests from other Cloud Run services or from Cloud Functions in the same project, connect the service or function to a VPC network and route all egress through the connector, as described in Connecting to a VPC network. Note that the IAM invoker permission is still enforced.

  • Requests from resources within VPC networks in the same project are classified as internal even if the resource they originate from has a public IP address.

  • Requests from resources within a VPC Service Controls perimeter whose traffic originates from a VPC network can call an internal service, if the Cloud Run Admin API is configured as a restricted service in the service perimeter.

  • Shared VPC traffic is only recognized as "internal" when one or more of the following situations apply:

    • The Cloud Run service is running in the Shared VPC host project.
    • You are using an internal HTTP(S) load balancer to proxy traffic.
    • The Shared VPC host and all service projects are inside the same VPC Service Controls perimeter.

    For more information, see Special considerations for Shared VPC.

  • For on-premises resources that are connected to a VPC network using Cloud VPN or CDN Interconnect, requests from those on-premises resources that are routed through the VPC are considered internal if other traffic from that VPC network is also internal. For setup instructions, see Receive requests from on-prem or other Clouds.

  • For requests from Cloud Tasks, Eventarc, Pub/Sub, and Workflows to an internal service, the following considerations apply:

    • You must use the Cloud Run default URL for that service, not any custom domain.
    • The task, Pub/Sub subscription, event, or workflow must be in the same project or VPC Service Controls perimeter as the Cloud Run service.
  • You can call internal services from traffic sources outside of the VPC network by using Cloud Tasks, Pub/Sub, Eventarc, or Workflows from within the same project or VPC Service Controls perimeter.

Setting ingress

You can set ingress using any of the supported methods in the tabs:


If deploying a new service:

  1. Go to Cloud Run

  2. Click Create Service and configure the first step (Service settings) as desired, then click Next

  3. Configure the second step (Configuring the service's first revision) as desired, then click Next.

  4. In the third step, Configure how this service is triggered, under the Ingress* label, select the ingress traffic you want to allow:


If you are configuring an existing service:

  1. Click on the service.

  2. Click the Triggers tab.

  3. Under the Ingress label, select the ingress traffic you want to allow:


  4. Click Save.

Command line

  1. If you are deploying a new service, deploy your service with the --ingress flag:

    gcloud run deploy SERVICE --image IMAGE_URL --platform managed --ingress INGRESS


    • INGRESS with one of the available ingress settings
      • all
      • internal
      • internal-and-cloud-load-balancing
    • SERVICE with your service name.
    • IMAGE_URL with a reference to the container image, for example,
  2. If you are changing an existing service ingress:

    gcloud run services update SERVICE --platform managed --ingress INGRESS


    • INGRESS with one of the available ingress settings
      • all
      • internal
      • internal-and-cloud-load-balancing
    • SERVICE with your service name.


You can download and view existing service configurations using the gcloud run services describe --format export command, which yields cleaned results in YAML format. You can then modify the fields described below and upload the modified YAML using the gcloud run services replace command. Make sure you only modify fields as documented.

  1. To view and download the configuration:

    gcloud run services describe SERVICE --format export > service.yaml
  2. Update the annotation:

    kind: Service
      annotations: INGRESS
      name: SERVICE
          name: REVISION


    • SERVICE with the name of your Cloud Run
    • INGRESS with one of the available ingress settings
      • all
      • internal
      • internal-and-cloud-load-balancing
    • REVISION with a new revision name or delete it (if present). If you supply a new revision name, it must meet the following criteria:
      • Starts with SERVICE-
      • Contains only lowercase letters, numbers and -
      • Does not end with a -
      • Does not exceed 63 characters
  3. Replace the service with its new configuration using the following command:

    gcloud run services replace service.yaml


To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Add the following to your file:

resource "google_cloud_run_service" "default" {
  provider = google-beta
  name     = "ingress-service"
  location = "us-central1"

  template {
    spec {
      containers {
        image = "" #public image for your service
  traffic {
    percent         = 100
    latest_revision = true
  metadata {
    annotations = {
      # For valid annotation values and descriptions, see
      "" = "internal"

  lifecycle {
    ignore_changes = [

What's next