Restrict network ingress for Cloud Run

This page describes how to use ingress settings to restrict network access to your Cloud Run service.

At a network level, a Cloud Run service's endpoint is reachable from the following network ingress paths:

  • A default run.app URL, which you can disable
  • Any configured domain mapping
  • Any configured External Application Load Balancer or Internal Application Load Balancer

All network ingress paths are subject to the service's ingress setting. The default ingress paths and ingress setting allow any resource on the internet to reach your Cloud Run service. IAM authentication still applies to requests reaching the service endpoints from any of the preceding network ingress paths. For a layered approach to managing access, use both network ingress settings and IAM authentication.

Available network ingress settings

The following settings are available:

Setting: Internal

Most restrictive. Allows requests from the following sources:

  • Internal Application Load Balancer, including requests from Shared VPC networks when routed through the internal Application Load Balancer
  • Resources allowed by any VPC Service Controls perimeter that contains your Cloud Run service. Cloud Run must be configured as a restricted service.
  • VPC networks that are in the same project as your Cloud Run service
  • Shared VPC ingress: the Shared VPC network that your revision is configured to send traffic to. For information about when Shared VPC traffic is recognized as "internal", see Special considerations for Shared VPC.
  • The following Google Cloud products, if they're in the same project or VPC Service Controls perimeter as your Cloud Run service and if they're using the default run.app URL and not a custom domain: Cloud Scheduler, Cloud Tasks, Eventarc, Pub/Sub, BigQuery, and Workflows

Requests from these sources stay within the Google network, even if they access your service at the run.app URL. Requests from other sources, including the internet, cannot reach your service at the run.app URL or custom domains.

For requests from Cloud Scheduler, Cloud Tasks, Eventarc, Pub/Sub, BigQuery, and Workflows to an internal service, you must use the Cloud Run default run.app URL for that service. You cannot use a custom domain.

Setting: Internal and Cloud Load Balancing

This setting allows requests from the following resources:

  • Resources allowed by the more restrictive "internal" setting
  • External Application Load Balancer

Use this setting to do the following:

  • Accept requests from the internet through the external Application Load Balancer. Direct requests to the run.app URL from the internet are not allowed.
  • Ensure that requests from the internet are subject to external Application Load Balancer features, such as Identity-Aware Proxy, Google Cloud Armor, and Cloud CDN.

Note: To enable this setting in the gcloud CLI, use internal-and-cloud-load-balancing. To enable this setting in the Google Cloud console, select Internal > Allow traffic from external Application Load Balancers.

Setting: All

Least restrictive. Allows all requests, including requests directly from the internet to the run.app URL.

Access internal services

The following additional considerations apply:

  • When accessing internal services, call them as you would normally do using their URL, either the default run.app URL or a custom domain set up in Cloud Run.

  • For requests from Compute Engine VM instances, no further setup is required for machines that have external IP addresses or that use Cloud NAT. Otherwise, see Receive requests from VPC networks.

  • When calling from Cloud Run, App Engine, or Cloud Functions to a Cloud Run service that's set to "Internal" or "Internal and Cloud Load Balancing", traffic must route through a VPC network that's considered internal. See Receive requests from other Cloud Run services, App Engine, and Cloud Functions.

  • Requests from resources within VPC networks in the same project are "internal" even if the resource that they originate from has an external IP address.

  • Requests from on-premises resources connected to the VPC network using Cloud VPN and Cloud Interconnect are "internal."

Set ingress

You can set ingress using any of the supported methods in the tabs:

Console

  1. Go to Cloud Run

  2. If you are configuring a new service, click Create service and fill out the initial service settings page as desired.

  3. If you are configuring an existing service, click the service, and then click the Networking tab.

  4. Select the ingress traffic you want to allow:


  5. Click Create or Save.

gcloud

  1. If you are deploying a new service, deploy your service with the --ingress flag:

    gcloud run deploy SERVICE --image IMAGE_URL --ingress INGRESS

    Replace

    • INGRESS with one of the available ingress settings:
      • all
      • internal
      • internal-and-cloud-load-balancing
    • SERVICE with your service name
    • IMAGE_URL with a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shape LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
  2. If you are changing an existing service ingress:

    gcloud run services update SERVICE --ingress INGRESS

    Replace

    • INGRESS with one of the available ingress settings:
      • all
      • internal
      • internal-and-cloud-load-balancing
    • SERVICE with your service name

YAML

  1. If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:

    gcloud run services describe SERVICE --format export > service.yaml
  2. Update the run.googleapis.com/ingress: annotation:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/ingress: INGRESS
      name: SERVICE
    spec:
      template:
        metadata:
          name: REVISION

    Replace

    • SERVICE with the name of your Cloud Run service
    • INGRESS with one of the available ingress settings:
      • all
      • internal
      • internal-and-cloud-load-balancing
    • REVISION with a new revision name or delete it (if present). If you supply a new revision name, it must meet the following criteria:
      • Starts with SERVICE-
      • Contains only lowercase letters, numbers and -
      • Does not end with a -
      • Does not exceed 63 characters
  3. Replace the service with its new configuration using the following command:

    gcloud run services replace service.yaml

Terraform

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Add the following to your main.tf file:

resource "google_cloud_run_v2_service" "default" {
  provider = google-beta
  name     = "ingress-service"
  location = "us-central1"

  # For valid annotation values and descriptions, see
  # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service#ingress
  ingress = "INGRESS_TRAFFIC_INTERNAL_ONLY"

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" #public image for your service
    }
  }
}

Disable the default URL

Disable the default run.app URL of a Cloud Run service to only allow traffic from the service's other ingress paths: Cloud Load Balancing and any configured domain mapping.

Command line

  • To disable the run.app URL for a service, run the gcloud beta run deploy or gcloud beta run services update command with the --no-default-url flag:

    gcloud beta run deploy SERVICE_NAME --no-default-url

    where SERVICE_NAME is the name of your Cloud Run service.

In the output, the URL displays as None.

To restore the default URL, use the --default-url flag.

YAML

  1. If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:

    gcloud run services describe SERVICE --format export > service.yaml
  2. To disable the run.app URL, use the run.googleapis.com/default-url-disabled annotation:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/default-url-disabled: 'true'
        run.googleapis.com/launch-stage: BETA
      name: SERVICE
    spec:
      template:
        metadata:
          name: REVISION

    Replace

    • SERVICE with the name of your Cloud Run service.
    • REVISION with a new revision name or delete it (if present). If you supply a new revision name, it must meet the following criteria:
      • Starts with SERVICE-
      • Contains only lowercase letters, numbers and -
      • Does not end with a -
      • Does not exceed 63 characters
  3. Create or update the service using the following command:

    gcloud run services replace service.yaml

To restore the default URL, remove the run.googleapis.com/default-url-disabled annotation.
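An added audit helper, not part of Google's documentation or the gcloud tooling, that works on the two annotations covered above: it flags services whose run.app URL is still reachable directly from the internet (ingress all, explicit or defaulted, with the default URL enabled) and sets the ingress annotation the same way the YAML step does. It assumes input in the shape of gcloud run services list --format=json; the service names and annotations in the sample are constructed.

```python
import json

INGRESS_KEY = "run.googleapis.com/ingress"
DEFAULT_URL_KEY = "run.googleapis.com/default-url-disabled"
VALID_INGRESS = {"all", "internal", "internal-and-cloud-load-balancing"}

# Constructed sample in the shape of `gcloud run services list --format=json`
# (a list of Knative Service objects); not output from a real project.
SAMPLE_JSON = json.dumps([
    {"metadata": {"name": "public-api", "annotations": {INGRESS_KEY: "all"}}},
    {"metadata": {"name": "legacy-worker", "annotations": {}}},  # unset: defaults to all
    {"metadata": {"name": "internal-proxy",
                  "annotations": {INGRESS_KEY: "internal", DEFAULT_URL_KEY: "true"}}},
    {"metadata": {"name": "lb-frontend",
                  "annotations": {INGRESS_KEY: "internal-and-cloud-load-balancing"}}},
])

def annotations(service: dict) -> dict:
    return service.get("metadata", {}).get("annotations") or {}

def ingress_of(service: dict) -> str:
    """Effective ingress setting; an unset annotation means the default, all."""
    return annotations(service).get(INGRESS_KEY, "all")

def default_url_disabled(service: dict) -> bool:
    """True when default-url-disabled is set (as a string or a bool) to true."""
    return str(annotations(service).get(DEFAULT_URL_KEY, "false")).lower() == "true"

def audit(services_json: str) -> list:
    """Flag services whose run.app URL is reachable directly from the internet:
    ingress is all (explicit or defaulted) and the default URL is still enabled.
    internal-and-cloud-load-balancing is reported but not flagged, because
    internet traffic must then pass through the external load balancer."""
    findings = []
    for svc in json.loads(services_json):
        ingress, url_off = ingress_of(svc), default_url_disabled(svc)
        findings.append({"name": svc["metadata"]["name"], "ingress": ingress,
                         "default_url_disabled": url_off,
                         "exposed_run_app_url": ingress == "all" and not url_off})
    return findings

def set_ingress(service: dict, ingress: str) -> dict:
    """Copy of the manifest with the ingress annotation set, the edit the YAML step makes."""
    if ingress not in VALID_INGRESS:
        raise ValueError(f"unknown ingress setting: {ingress}")
    out = json.loads(json.dumps(service))  # deep copy; caller's object stays untouched
    out.setdefault("metadata", {}).setdefault("annotations", {})[INGRESS_KEY] = ingress
    return out
```

Feed audit() the real list output to get a per-service view of which endpoints bypass your load balancer, then write the result of set_ingress() back with gcloud run services replace.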

The following Google Cloud services are using the default run.app URL to invoke Cloud Run. Disabling the default run.app URL prevents these services from working as expected:
