Restricting ingress for Cloud Run (fully managed)

This page describes how to use ingress settings to restrict network access to your Cloud Run service. At a network level, by default, any resource on the internet is able to reach your Cloud Run (fully managed) service on its run.app URL or at a custom domain set up in Cloud Run. You can change this default by specifying a different setting for ingress.

Note that you can use this feature along with IAM authentication methods to manage access to a service.

Available ingress settings

The following settings are available:

Setting Description

all
  Makes your service accessible to the public internet. The IAM invoker permission is still enforced.

internal
  Makes your service private: only requests from within the same project or VPC Service Controls perimeter reach your service. The IAM invoker permission is still enforced.

  For a description of what is considered internal or is able to access internal services, see Accessing internal services.

  There is no support for multi-tenancy, that is, multiple trust domains within the same project.

internal and Cloud load balancing
  Accepts only internal requests and requests that arrive through HTTP(S) Load Balancing. The service can still be reached from the public internet, but only through the load balancer's frontend; requests sent directly to the run.app URL or custom domain from outside are rejected. The IAM invoker permission is still enforced.

  If you use Identity-Aware Proxy, Google Cloud Armor, or Cloud CDN on that load balancer, this setting also prevents bypassing them by accessing the default URL directly.

Accessing internal services

The following considerations apply:

  • When accessing internal services, call them as you would normally do using their public URLs, either the default run.app URL or a custom domain set up in Cloud Run.

  • For requests from Compute Engine VM instances or other resources running inside a VPC network in the same project, no further setup is required.

  • For requests from other Cloud Run services or from Cloud Functions in the same project, connect the service or function to a VPC network and route all egress through the connector, as described in Connecting to a VPC network. Note that the IAM invoker permission is still enforced.

  • Requests from resources within VPC networks in the same project are classified as internal even if the resource they originate from has a public IP address.

  • Requests from resources within a VPC Service Controls perimeter whose traffic originates from a VPC network can call an internal service, if the Cloud Run API is enabled as a VPC accessible service.

  • Resources in Shared VPC networks can only call internal services if the Shared VPC resources and the internal service are in the same VPC SC perimeter and the Cloud Run API is enabled as a VPC accessible service.

  • Requests from Pub/Sub and Eventarc can call an internal service.

  • There is no way to call internal services from traffic sources that don't originate from a VPC network, except for Pub/Sub or Eventarc. This means that Cloud Scheduler, Cloud Tasks and Workflows cannot call internal services.

  • If a service with restricted ingress is called by Pub/Sub, or by Eventarc through a Pub/Sub trigger, the following considerations apply:

    • The Pub/Sub push subscription must target the service's default run.app URL, not a custom domain.
    • The Pub/Sub subscription must be in the same project or VPC Service Controls perimeter as the Cloud Run service.
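Two of the points above are easy to get wrong in a large project: which ingress setting is actually in force on each service (a service that predates the feature carries no annotation and behaves as all), and whether a Cloud Run caller is configured so that its requests count as internal (connector present and all egress routed through it). The following script audits both from a gcloud export. It is an added example, not code from the Cloud Run documentation or from Google. It assumes the JSON shape that gcloud run services list --platform managed --format json emits (Knative-style service objects), that the service-level setting lives in the metadata annotation run.googleapis.com/ingress shown in the YAML section of this page, that the revision-level VPC settings live in spec.template.metadata.annotations under run.googleapis.com/vpc-access-connector and run.googleapis.com/vpc-access-egress, and that a missing ingress annotation means the default, all. The service names, URLs and connector name in the sample data are invented.

```python
"""Audit Cloud Run ingress and VPC egress settings from a gcloud JSON export.

Added example, not Google's code. Assumptions (see lead-in): Knative-style
service objects as emitted by `gcloud run services list --format json`;
metadata.annotations["run.googleapis.com/ingress"] is the service-level
ingress setting (absent means the default, "all"); the revision annotations
"run.googleapis.com/vpc-access-connector" and
"run.googleapis.com/vpc-access-egress" ("private-ranges-only"/"all-traffic")
describe how the service's own outbound requests are routed.
"""
import json
import sys

INGRESS_KEY = "run.googleapis.com/ingress"
CONNECTOR_KEY = "run.googleapis.com/vpc-access-connector"
EGRESS_KEY = "run.googleapis.com/vpc-access-egress"
DEFAULT_INGRESS = "all"  # assumption: behaviour when the annotation is missing
LB_ONLY = "internal-and-cloud-load-balancing"


def _service(name, ingress=None, connector=None, egress=None):
    """Build one constructed service object in the shape gcloud exports."""
    meta_ann = {} if ingress is None else {INGRESS_KEY: ingress}
    rev_ann = {}
    if connector:
        rev_ann[CONNECTOR_KEY] = connector
    if egress:
        rev_ann[EGRESS_KEY] = egress
    return {
        "metadata": {"name": name, "annotations": meta_ann},
        "spec": {"template": {"metadata": {"annotations": rev_ann}}},
        "status": {"url": f"https://{name}-abc123-uc.a.run.app"},  # invented URL
    }


# Constructed sample export (not real gcloud output); names and connector are invented.
SAMPLE_EXPORT = json.dumps([
    _service("public-api", ingress="all"),
    _service("legacy-admin"),  # annotation absent: behaves as "all"
    _service("billing-backend", ingress="internal"),
    _service("billing-frontend", ingress=LB_ONLY,
             connector="my-connector", egress="private-ranges-only"),
    _service("batch-worker", ingress="internal",
             connector="my-connector", egress="all-traffic"),
])


def effective_ingress(service):
    """Ingress setting in force for a service, applying the default when unset."""
    return service["metadata"].get("annotations", {}).get(INGRESS_KEY, DEFAULT_INGRESS)


def can_call_internal_services(service):
    """True when this service's outbound requests count as internal to another
    Cloud Run service: it needs a VPC connector AND all egress routed through
    it. With "private-ranges-only", a request to a public run.app URL does not
    take the connector path and is rejected by the callee's internal ingress."""
    ann = service["spec"]["template"]["metadata"].get("annotations", {})
    return bool(ann.get(CONNECTOR_KEY)) and ann.get(EGRESS_KEY) == "all-traffic"


def audit(export_json):
    """One finding per service: effective ingress, whether its run.app URL is
    reachable from the internet, and whether it can call internal services."""
    findings = []
    for svc in json.loads(export_json):
        ingress = effective_ingress(svc)
        findings.append({
            "name": svc["metadata"]["name"],
            "ingress": ingress,
            "public_url": ingress == "all",
            "can_call_internal": can_call_internal_services(svc),
        })
    return findings


def remediation_commands(findings, target=LB_ONLY):
    """gcloud commands that close the default URL on every publicly reachable
    service. The LB-only setting is the right target when a load balancer
    (with IAP, Cloud Armor or Cloud CDN) is meant to be the only public entry."""
    return [
        f"gcloud run services update {f['name']} --platform managed --ingress {target}"
        for f in findings if f["public_url"]
    ]


if __name__ == "__main__":
    # Usage: gcloud run services list --platform managed --format json > svc.json
    #        python3 audit_ingress.py svc.json   (no argument: runs on the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    findings = audit(data)
    for f in findings:
        flag = "PUBLIC" if f["public_url"] else "      "
        print(f"{flag} {f['name']:<18} ingress={f['ingress']:<36} "
              f"can_call_internal={f['can_call_internal']}")
    for cmd in remediation_commands(findings):
        print(cmd)
```

Ingress is a network-level control and complements, rather than replaces, the IAM invoker check: after tightening a service, confirm from a machine outside the VPC that a request to its run.app URL is rejected (a non-2xx response), and keep the invoker binding restricted for the callers that are allowed through.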

Internal versus internal and Cloud load balancing

Services with ingress set to internal and cloud load balancing can also be accessed through load balancers set up through Cloud Load Balancing. The internal and cloud load balancing setting is a superset of internal. That is, anything that can reach a service that is set to internal can reach a service set to internal and cloud load balancing.

Setting ingress

You can set ingress using any of the supported methods in the tabs below:

Console

If deploying a new service:

  1. Go to Cloud Run

  2. Click Create Service and configure the first step (Service settings) as desired, then click Next

  3. Configure the second step (Configuring the service's first revision) as desired, then click Next.

  4. In the third step, Configure how this service is triggered, under the Ingress label, select the ingress traffic you want to allow.

If you are configuring an existing service:

  1. Click on the service.

  2. Click the Triggers tab.

  3. Under the Ingress label, select the ingress traffic you want to allow.

  4. Click Save.

Command line

  1. If you are deploying a new service, deploy your service with the --ingress flag:

    gcloud run deploy SERVICE --image IMAGE_URL --platform managed --ingress INGRESS

    Replace

    • INGRESS with one of the available ingress settings
      • all
      • internal
      • internal-and-cloud-load-balancing
    • SERVICE with your service name.
    • IMAGE_URL with a reference to the container image, for example, gcr.io/myproject/my-image:latest
  2. If you are changing an existing service ingress:

    gcloud run services update SERVICE --platform managed --ingress INGRESS

    Replace

    • INGRESS with one of the available ingress settings
      • all
      • internal
      • internal-and-cloud-load-balancing
    • SERVICE with your service name.

YAML

You can download and view existing service configuration using the gcloud run services describe --format export command, which yields cleaned results in YAML format. You can then modify the fields described below and upload the modified YAML using the gcloud beta run services replace command. Make sure you only modify fields as documented.

  1. To view and download the configuration:

    gcloud run services describe SERVICE --format export > service.yaml
  2. Update the run.googleapis.com/ingress: annotation:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/ingress: INGRESS

    Replace INGRESS with one of the available ingress settings: all, internal, or internal-and-cloud-load-balancing.

  3. Replace the service with its new configuration using the following command:

    gcloud beta run services replace service.yaml

What's next

You can use Serverless VPC Access to connect a Cloud Run (fully managed) service directly to your VPC network using egress settings.

You can also use HTTP(S) Load Balancing with Cloud Run (fully managed).