This page describes how to use ingress settings to restrict network access to your Cloud Run service. At the network level, by default, any resource on the internet is able to reach your Cloud Run service at its run.app URL or at a custom domain set up in Cloud Run. You can change this default by specifying a different ingress setting. All ingress paths, including the default run.app URL, are subject to your ingress setting.
Ingress is set at the service level.
Ingress settings and IAM authentication methods are two ways of managing access to a service. They are independent of each other. For a layered approach to managing access, use both.
Available ingress settings
The following settings are available:
Setting | Description |
---|---|
Internal | Most restrictive. Allows requests only from the internal sources described under Accessing internal services below. Requests from other sources, including the internet, cannot reach your service at the run.app URL or at custom domains. There is no support for multi-tenancy, that is, multiple trust domains within the same project. |
Internal and Cloud Load Balancing | Allows requests from the same internal sources as the Internal setting, plus requests that arrive through Cloud Load Balancing. |
All | Least restrictive. Allows all requests, including requests directly from the internet to the run.app URL. |
Accessing internal services
The following additional considerations apply:
When accessing internal services, call them as you normally would using their public URLs, either the default run.app URL or a custom domain set up in Cloud Run.
For requests from Compute Engine VM instances, no further setup is required for machines that have public IP addresses or that use Cloud NAT. Otherwise, see Receive requests from VPC networks.
For requests from other Cloud Run services or from Cloud Functions in the same project, connect the service or function to a VPC network and route all egress through the connector, as described in Connecting to a VPC network. Note that the IAM invoker permission is still enforced.
Requests from resources within VPC networks in the same project are classified as internal even if the resource they originate from has a public IP address.
Requests from resources within a VPC Service Controls perimeter whose traffic originates from a VPC network can call an internal service, if the Cloud Run Admin API is configured as a restricted service in the service perimeter.
Shared VPC traffic is only recognized as "internal" when one or more of the following situations apply:
- The Cloud Run service is running in the Shared VPC host project.
- You are using an internal HTTP(S) load balancer to proxy traffic.
- The Shared VPC host and all service projects are inside the same VPC Service Controls perimeter.
For more information, see Special considerations for Shared VPC.
For on-premises resources that are connected to a VPC network using Cloud VPN or CDN Interconnect, requests from those on-premises resources that are routed through the VPC are considered internal if other traffic from that VPC network is also internal. For setup instructions, see Receive requests from on-prem or other Clouds.
For requests from Cloud Tasks, Eventarc, Pub/Sub, and Workflows to an internal service, the following considerations apply:
- You must use the Cloud Run default run.app URL for that service, not any custom domain.
- The task, Pub/Sub subscription, event, or workflow must be in the same project or VPC Service Controls perimeter as the Cloud Run service.
You can call internal services from traffic sources outside of the VPC network by using Cloud Tasks, Pub/Sub, Eventarc, or Workflows from within the same project or VPC Service Controls perimeter.
Setting ingress
You can set ingress using any of the supported methods in the tabs:
Console
If deploying a new service:
- Click Create Service and configure the first step (Service settings) as desired, then click Next.
- Configure the second step (Configuring the service's first revision) as desired, then click Next.
- In the third step, Configure how this service is triggered, under the Ingress label, select the ingress traffic you want to allow.
If you are configuring an existing service:
- Click on the service.
- Click the Triggers tab.
- Under the Ingress label, select the ingress traffic you want to allow.
- Click Save.
Command line
If you are deploying a new service, deploy your service with the --ingress flag:
```shell
gcloud run deploy SERVICE --image IMAGE_URL --platform managed --ingress INGRESS
```
Replace:
- INGRESS with one of the available ingress settings: all, internal, or internal-and-cloud-load-balancing.
- SERVICE with your service name.
- IMAGE_URL with a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest
If you are changing the ingress of an existing service:
```shell
gcloud run services update SERVICE --platform managed --ingress INGRESS
```
Replace:
- INGRESS with one of the available ingress settings: all, internal, or internal-and-cloud-load-balancing.
- SERVICE with your service name.
YAML
You can download and view existing service configurations using the gcloud run services describe --format export command, which yields cleaned results in YAML format. You can then modify the fields described below and upload the modified YAML using the gcloud run services replace command. Make sure you only modify fields as documented.
To view and download the configuration:
```shell
gcloud run services describe SERVICE --format export > service.yaml
```
Update the run.googleapis.com/ingress: annotation:
```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  annotations:
    run.googleapis.com/ingress: INGRESS
  name: SERVICE
spec:
  template:
    metadata:
      name: REVISION
```
Replace:
- SERVICE with the name of your Cloud Run service.
- INGRESS with one of the available ingress settings: all, internal, or internal-and-cloud-load-balancing.
- REVISION with a new revision name, or delete it (if present). If you supply a new revision name, it must meet the following criteria:
  - Starts with SERVICE-
  - Contains only lowercase letters, numbers and -
  - Does not end with a -
  - Does not exceed 63 characters
Replace the service with its new configuration using the following command:
```shell
gcloud run services replace service.yaml
```
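The command-line and YAML procedures above change one service at a time; a quick way to find which services still have the default, internet-reachable setting is to audit the exported service objects. The following is an added example, not Google's code: it assumes the JSON export of `gcloud run services list --format=json` has the same shape as the YAML shown above (Knative Service objects with the `run.googleapis.com/ingress` annotation under `metadata.annotations`), and that a missing annotation means the default, `all`. The service names in the sample are constructed.

```python
"""Audit Cloud Run ingress settings from a gcloud JSON export (added example)."""
import json
import sys

INGRESS_ANNOTATION = "run.googleapis.com/ingress"
ALLOWED = {"all", "internal", "internal-and-cloud-load-balancing"}
DEFAULT_INGRESS = "all"  # assumption: no annotation means the documented default

# Constructed sample in the shape of the gcloud export; these are not real services.
SAMPLE_EXPORT = json.dumps([
    {"apiVersion": "serving.knative.dev/v1", "kind": "Service",
     "metadata": {"name": "billing-api",
                  "annotations": {INGRESS_ANNOTATION: "internal"}}},
    {"apiVersion": "serving.knative.dev/v1", "kind": "Service",
     "metadata": {"name": "public-site",
                  "annotations": {INGRESS_ANNOTATION: "all"}}},
    {"apiVersion": "serving.knative.dev/v1", "kind": "Service",
     "metadata": {"name": "legacy-worker", "annotations": {}}},
])


def ingress_of(service: dict) -> str:
    """Effective ingress setting of one exported Service object."""
    annotations = service.get("metadata", {}).get("annotations") or {}
    value = annotations.get(INGRESS_ANNOTATION, DEFAULT_INGRESS)
    if value not in ALLOWED:
        raise ValueError(f"unexpected ingress value {value!r}")
    return value


def internet_exposed(export_json: str) -> list:
    """Names of services whose ingress is 'all' (reachable from the internet at
    the network level; IAM authentication, if required, still applies)."""
    services = json.loads(export_json)
    return sorted(s["metadata"]["name"] for s in services if ingress_of(s) == "all")


def restrict_command(name: str, ingress: str = "internal") -> str:
    """The gcloud update command from this page that changes a service's ingress."""
    if ingress not in ALLOWED:
        raise ValueError(f"unexpected ingress value {ingress!r}")
    return f"gcloud run services update {name} --platform managed --ingress {ingress}"


if __name__ == "__main__":
    # Typical use: gcloud run services list --format=json | python audit.py
    export = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EXPORT
    for name in internet_exposed(export):
        print(f"{name}: ingress=all -> {restrict_command(name)}")
```

Review each flagged service before restricting it: a service that is meant to be public, such as the sample public-site, should keep `all`, while an internal-only service should get `internal` or `internal-and-cloud-load-balancing`.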
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
Add the following to your main.tf file:
What's next
- Learn about egress settings
- Set up Internal HTTP(S) load balancer for Cloud Run
- Set up External HTTP(S) load balancer with Cloud Run
- Configure IAM authentication methods for accessing services