Restricting ingress for Cloud Run


This page describes how to use ingress settings to restrict network access to your Cloud Run service. At a network level, by default, any resource on the internet is able to reach your Cloud Run service on its run.app URL or at a custom domain set up in Cloud Run. You can change this default by specifying a different setting for ingress. All ingress paths, including the default run.app URL, are subject to your ingress setting. Ingress is set at the service level.

Ingress settings and IAM authentication methods are two ways of managing access to a service. They are independent of each other. For a layered approach to managing access, use both.

Available ingress settings

The following settings are available:

Internal
  Most restrictive. Allows requests from the following sources:
  • Internal HTTP(S) load balancer, including requests from Shared VPC networks when routed through the internal HTTP(S) load balancer
  • Resources allowed by any VPC Service Controls perimeter that contains your Cloud Run service
  • VPC networks that are in the same project or VPC Service Controls perimeter as your Cloud Run service
  • The following Google Cloud products, if they are in the same project or VPC Service Controls perimeter as your Cloud Run service:
    • Cloud Tasks
    • Eventarc
    • Pub/Sub
    • Workflows
  Requests from these sources stay within the Google network, even if they access your service at the run.app URL. Requests from other sources, including the internet, cannot reach your service at the run.app URL or custom domains.

  There is no support for multi-tenancy, that is, multiple trust domains within the same project.

Internal and Cloud Load Balancing
  Allows requests from the following resources:
  • Resources allowed by the more restrictive Internal setting
  • External HTTP(S) load balancer
  Use the Internal and Cloud Load Balancing setting to:
  • Accept requests from an external HTTP(S) load balancer but not directly from the internet. Requests to the run.app URL bypass the External HTTP(S) load balancer, so this setting prevents external requests from reaching the run.app URL.
  • Ensure that requests from the internet are subject to External HTTP(S) load balancer features (such as Identity-Aware Proxy, Google Cloud Armor, and Cloud CDN).

All
  Least restrictive. Allows all requests, including requests directly from the internet to the run.app URL.

Accessing internal services

The following considerations apply:

  • When accessing internal services, call them as you would normally do using their public URLs, either the default run.app URL or a custom domain set up in Cloud Run.

  • For requests from Compute Engine VM instances or other resources running inside a VPC network in the same project, no further setup is required.

  • For requests from other Cloud Run services or from Cloud Functions in the same project, connect the service or function to a VPC network and route all egress through the connector, as described in Connecting to a VPC network. Note that the IAM invoker permission is still enforced.

  • Requests from resources within VPC networks in the same project are classified as internal even if the resource they originate from has a public IP address.

  • Requests from resources within a VPC Service Controls perimeter whose traffic originates from a VPC network can call an internal service, if the Cloud Run Admin API is configured as a restricted service in the service perimeter.

  • Resources in Shared VPC networks can only call internal services if the Shared VPC resources and the internal service are in the same VPC SC perimeter and the Cloud Run Admin API is configured as a restricted service in the service perimeter.

  • Requests from on-prem resources connected to the VPC network via Cloud VPN are considered internal.

  • For requests from Cloud Tasks, Eventarc, Pub/Sub, and Workflows to an internal service, the following considerations apply:

    • You must use the Cloud Run default run.app URL for that service, not any custom domain.
    • The task, Pub/Sub subscription, event, or workflow must be in the same project or VPC Service Controls perimeter as the Cloud Run service.
  • You can call internal services from traffic sources outside of the VPC network by using Cloud Tasks, Pub/Sub, Eventarc, or Workflows from within the same project or VPC Service Controls perimeter.

Setting ingress

You can set ingress using any of the following methods:

Console

If deploying a new service:

  1. Go to Cloud Run

  2. Click Create Service and configure the first step (Service settings) as desired, then click Next.

  3. Configure the second step (Configuring the service's first revision) as desired, then click Next.

  4. In the third step, Configure how this service is triggered, under the Ingress label, select the ingress traffic you want to allow.

If you are configuring an existing service:

  1. Click on the service.

  2. Click the Triggers tab.

  3. Under the Ingress label, select the ingress traffic you want to allow.

  4. Click Save.

Command line

  1. If you are deploying a new service, deploy your service with the --ingress flag:

    gcloud run deploy SERVICE --image IMAGE_URL --platform managed --ingress INGRESS

    Replace

    • INGRESS with one of the available ingress settings
      • all
      • internal
      • internal-and-cloud-load-balancing
    • SERVICE with your service name.
    • IMAGE_URL with a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest
  2. If you are changing an existing service ingress:

    gcloud run services update SERVICE --platform managed --ingress INGRESS

    Replace

    • INGRESS with one of the available ingress settings
      • all
      • internal
      • internal-and-cloud-load-balancing
    • SERVICE with your service name.

YAML

You can download and view existing service configuration using the gcloud run services describe --format export command, which yields cleaned results in YAML format. You can then modify the fields described below and upload the modified YAML using the gcloud run services replace command. Make sure you only modify fields as documented.

  1. To view and download the configuration:

    gcloud run services describe SERVICE --format export > service.yaml
  2. Update the run.googleapis.com/ingress: annotation:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/ingress: INGRESS
      name: SERVICE
    spec:
      template:
        metadata:
          name: REVISION

    Replace

    • SERVICE with the name of your Cloud Run service
    • INGRESS with one of the available ingress settings
      • all
      • internal
      • internal-and-cloud-load-balancing
    • REVISION with a new revision name or delete it (if present). If you supply a new revision name, it must meet the following criteria:
      • Starts with SERVICE-
      • Contains only lowercase letters, numbers and -
      • Does not end with a -
      • Does not exceed 63 characters
  3. Replace the service with its new configuration using the following command:

    gcloud run services replace service.yaml
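A pre-flight check to run on a service manifest before `gcloud run services replace`, added here as an example and not part of the Cloud Run documentation or tooling: it validates the run.googleapis.com/ingress annotation against the three supported values, flags services that are exposed with `all` (explicitly, or by default when the annotation is absent), and applies the revision-name rules listed above. It assumes the manifest was exported as JSON (`gcloud run services describe SERVICE --format json`) and parsed with the standard library; the sample manifest is constructed.

```python
import json
import re

VALID_INGRESS = {"all", "internal", "internal-and-cloud-load-balancing"}
INGRESS_KEY = "run.googleapis.com/ingress"


def revision_name_errors(service: str, revision: str) -> list:
    """Apply the revision-name rules from the YAML procedure above."""
    errs = []
    if not revision.startswith(service + "-"):
        errs.append("revision must start with " + service + "-")
    if not re.fullmatch(r"[a-z0-9-]+", revision):
        errs.append("revision may only contain lowercase letters, digits and -")
    if revision.endswith("-"):
        errs.append("revision must not end with -")
    if len(revision) > 63:
        errs.append("revision exceeds 63 characters")
    return errs


def check_service(manifest: dict) -> dict:
    """Return the effective ingress setting and findings for one Knative Service object."""
    metadata = manifest.get("metadata", {})
    name = metadata.get("name", "<unnamed>")
    annotations = metadata.get("annotations", {}) or {}
    ingress = annotations.get(INGRESS_KEY)
    findings = []
    if ingress is None:
        ingress = "all"  # no annotation: Cloud Run's default is to accept all traffic
        findings.append("no ingress annotation; service defaults to 'all'")
    elif ingress not in VALID_INGRESS:
        findings.append(f"unsupported ingress value {ingress!r}")
    if ingress == "all":
        findings.append("service is reachable directly from the internet on its run.app URL")
    rev = manifest.get("spec", {}).get("template", {}).get("metadata", {}).get("name")
    if rev:
        findings.extend(revision_name_errors(name, rev))
    return {"service": name, "ingress": ingress, "findings": findings}


# Constructed sample: a trimmed `gcloud run services describe SERVICE --format json` result.
SAMPLE = json.loads("""{
  "apiVersion": "serving.knative.dev/v1", "kind": "Service",
  "metadata": {"name": "billing-api", "annotations": {"run.googleapis.com/ingress": "internal"}},
  "spec": {"template": {"metadata": {"name": "billing-api-v2-"}}}
}""")

if __name__ == "__main__":
    print(json.dumps(check_service(SAMPLE), indent=2))
```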

Terraform

Add the following to your main.tf file:

resource "google_cloud_run_service" "default" {
  provider = google-beta
  name     = "ingress-service"
  location = "us-central1"

  template {
    spec {
      containers {
        image = "gcr.io/cloudrun/hello" # public image for your service
      }
    }
  }
  traffic {
    percent         = 100
    latest_revision = true
  }
  metadata {
    annotations = {
      # For valid annotation values and descriptions, see
      # https://cloud.google.com/sdk/gcloud/reference/run/deploy#--ingress
      "run.googleapis.com/ingress" = "internal"
    }
  }
}

To apply these resources to your project:

  1. Initialize Terraform:

    terraform init
  2. View the Terraform configuration to be applied to your project:

    terraform plan
  3. Apply the Terraform configuration:

    terraform apply

    When prompted to confirm, respond by entering yes. Open your Google Cloud project to view the results.

To remove resources previously applied with Terraform:

terraform destroy

When prompted to confirm, respond by entering yes.
