This page describes how to use ingress settings to restrict network access to
your Cloud Run service. At a network level, by default, any
resource on the internet is able to reach your Cloud Run
service on its default run.app
URL or at a custom domain set up in Cloud Run.
All ingress paths, including the default run.app
URL, are subject to your
ingress setting. Ingress is set at the service level.
You can change these defaults by specifying a different ingress setting
or by disabling the run.app
URL.
Ingress settings and IAM authentication methods are two ways of managing access to a service. They are independent of each other. For a layered approach to managing access, use both.
Available ingress settings
The following settings are available:
Setting | Description |
---|---|
Internal |
Most restrictive. Allows requests from the following sources:
Requests from these sources stay within the Google network, even if they access your service at the run.app URL. Requests
from other sources, including the internet, cannot reach your service at
the run.app URL or custom domains.For requests from Cloud Scheduler, Cloud Tasks, Eventarc, Pub/Sub, BigQuery, and Workflows to an internal service, you must use the Cloud Run default run.app
URL for that service. You cannot use a custom domain.
|
Internal and Cloud Load Balancing | This setting allows requests from the following resources:
Note: To enable this setting in the gcloud CLI, use internal-and-cloud-load-balancing .
To enable this setting in the Google Cloud console, select
Internal > Allow traffic from external Application Load Balancers.
|
All |
Least restrictive. Allows all requests, including requests directly from
the internet to the run.app URL.
|
Access internal services
The following additional considerations apply:
When accessing internal services, call them as you would normally do using their public URLs, either the default
run.app
URL or a custom domain set up in Cloud Run.For requests from Compute Engine VM instances, no further setup is required for machines that have external IP addresses or that use Cloud NAT. Otherwise, see Receive requests from VPC networks.
When calling from Cloud Run, App Engine, or Cloud Functions to a Cloud Run service that's set to "Internal" or "Internal and Cloud Load Balancing", traffic must route through a VPC network that's considered internal. See Receive requests from other Cloud Run services, App Engine, and Cloud Functions.
Requests from resources within VPC networks in the same project are "internal" even if the resource that they originate from has an external IP address.
Requests from on-premises resources connected to the VPC network using Cloud VPN and Cloud Interconnect are "internal."
Set ingress
You can set ingress using any of the supported methods in the tabs:
Console
If you are configuring a new service, click Create service and fill out the initial service settings page as desired.
If you are configuring an existing service, click the service, and then click the Networking tab.
Select the ingress traffic you want to allow:
Click Create or Save.
gcloud
If you are deploying a new service, deploy your service with the
--ingress
flag:gcloud run deploy SERVICE --image IMAGE_URL --ingress INGRESS
Replace
INGRESS
with one of the available ingress settings:all
internal
internal-and-cloud-load-balancing
SERVICE
with your service name- IMAGE_URL with a reference to the container image, for
example,
us-docker.pkg.dev/cloudrun/container/hello:latest
. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shapeLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
If you are changing an existing service ingress:
gcloud run services update SERVICE --ingress INGRESS
Replace
INGRESS
with one of the available ingress settings:all
internal
internal-and-cloud-load-balancing
SERVICE
with your service name
YAML
If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:
gcloud run services describe SERVICE --format export > service.yaml
Update the
run.googleapis.com/ingress:
annotation:apiVersion: serving.knative.dev/v1 kind: Service metadata: annotations: run.googleapis.com/ingress: INGRESS name: SERVICE spec: template: metadata: name: REVISION
Replace
- SERVICE with the name of your Cloud Run
- INGRESS with one of the
available ingress settings:
all
internal
internal-and-cloud-load-balancing
- REVISION with a new revision name or delete it (if present). If you supply a new revision name, it must meet the following criteria:
- Starts with
SERVICE-
- Contains only lowercase letters, numbers and
-
- Does not end with a
-
- Does not exceed 63 characters
- Starts with
Replace the service with its new configuration using the following command:
gcloud run services replace service.yaml
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
Add the following to your main.tf
file:
Disable the default URL
Disable the default run.app
URL for your Cloud Run
services to prevent access to any service except through Cloud Load Balancing
that you manage. This subjects all inbound traffic to security policies that you
configure on load balancers.
Disabling the run.app
URL prevents the following Google Cloud services
from invoking Cloud Run services:
- BigQuery remote functions
- Cloud Scheduler
- Cloud Service Mesh
- Cloud Tasks
- Eventarc
- Firebase App Hosting
- Firebase Hosting
- Pub/Sub
- Synthetic monitors and uptime checks
Command line
To disable the
run.app
URL for a service, run thegcloud beta run deploy
command with the--no-default-url
flag:gcloud beta run deploy SERVICE_NAME --no-default-url
where SERVICE_NAME is the name of your Cloud Run service.
In the output, the URL displays as None
.
YAML
If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:
gcloud run services describe SERVICE --format export > service.yaml
To disable the
run.app
URL, deploy your service with thedefault-url-disabled:
annotation:apiVersion: serving.knative.dev/v1 kind: Service metadata: annotations: run.googleapis.com/default-url-disabled: true run.googleapis.com/launch-stage: BETA name: SERVICE spec: template: metadata: name: REVISION
Replace
- SERVICE with the name of your Cloud Run service.
- REVISION with a new revision name or delete it (if present). If you supply a new revision name, it must meet the following criteria:
- Starts with
SERVICE-
- Contains only lowercase letters, numbers and
-
- Does not end with a
-
- Does not exceed 63 characters
- Starts with
Replace the service with its new configuration using the following command:
gcloud run services replace service.yaml
What's next
- Learn about egress settings
- Set up an internal Application Load Balancer for Cloud Run.
- Set up an external Application Load Balancer with Cloud Run.
- Configure IAM authentication methods for accessing services.