Configure Serverless VPC Access
You can use a Serverless VPC Access connector to connect your serverless environment directly to your Virtual Private Cloud (VPC) network, allowing access to Compute Engine virtual machine (VM) instances, Memorystore instances, and any other resources with an internal IP address.
Before you begin
If you don't already have a VPC network in your project, create one.
If you use Shared VPC, see the documentation that specifically covers configuration of Serverless VPC Access for your product.
- Cloud Run: Connecting to a Shared VPC network
- Cloud Functions: Connecting to a Shared VPC network
- App Engine: Connecting to a Shared VPC network
If you have an organizational policy constraint that prevents the use of Cloud Deployment Manager, you won't be able to create or delete Serverless VPC Access connectors. Creating or deleting a connector requires Deployment Manager functionality.
Create a Serverless VPC Access connector
To send requests to your VPC network and receive the corresponding responses without using the public internet, you must use a Serverless VPC Access connector.
You can create a connector by using the Google Cloud console, Google Cloud CLI, or Terraform.
You can also create a connector for your resource directly from the Create form in the Google Cloud console as described in the Configure section (Preview).
Console
Go to the Serverless VPC Access overview page.
Click Create connector.
In the Name field, enter a name for your connector. This must be in accordance with the Compute Engine naming convention, with the additional restriction that it be less than 21 characters with hyphens (-) counting as two characters.
In the Region field, select a region for your connector. This must match the region of your serverless service.
If your service or job is in the region us-central or europe-west, use us-central1 or europe-west1.
In the Network field, select the VPC network to attach your connector to.
Click the Subnet menu. Every connector requires its own /28 subnet to place connector instances on. A subnet cannot be used by other resources such as VMs, Private Service Connect, or load balancers.
If you are using Shared VPC, which requires you to use your own subnet, select an unused /28 subnet. To confirm that your subnet is not used for Private Service Connect or Cloud Load Balancing, check that the subnet purpose is PRIVATE by running the following command in the gcloud CLI:
gcloud compute networks subnets describe SUBNET_NAME
Replace:
- SUBNET_NAME: the name of your subnet
If you are not using Shared VPC, create a subnet for the connector or have the connector create a subnet by selecting Custom IP range from the menu.
In the IP range field, enter the first address in an unreserved CIDR /28 internal IP range. This IP range must not overlap with any existing IP address reservations in your VPC network. For example, 10.8.0.0 (/28) will work in most new projects. The subnet that is created is hidden and cannot be used in firewall rules and NAT configurations.
See which IP ranges are currently reserved in the Google Cloud console.
(Optional) To set scaling options for additional control over the connector, click Show Scaling Settings to display the scaling form.
- Set the minimum and maximum number of instances for your connector, or use the defaults, which are 2 (min) and 10 (max). The connector scales out to the maximum specified if traffic usage requires it, but the connector does not scale back in when traffic decreases. You must use values between 2 and 10.
- In the Instance Type menu, choose the machine type to be used for the connector, or use the default e2-micro. Notice the cost sidebar on the right when you choose the instance type, which displays bandwidth and cost estimations.
Click Create.
A green check mark will appear next to the connector's name when it is ready to use.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Update gcloud components to the latest version:
gcloud components update
Ensure that the Serverless VPC Access API is enabled for your project:
gcloud services enable vpcaccess.googleapis.com
If you are using Shared VPC, which requires you to use your own subnet, create a connector with the following command. If you are not using Shared VPC, omit the --subnet-project line. The --min-instances, --max-instances, and --machine-type flags are optional; the defaults are 2 (min), 10 (max), and e2-micro.
gcloud compute networks vpc-access connectors create CONNECTOR_NAME \
  --region REGION \
  --subnet SUBNET \
  --subnet-project HOST_PROJECT_ID \
  --min-instances MIN \
  --max-instances MAX \
  --machine-type MACHINE_TYPE
Replace the following:
- CONNECTOR_NAME: a name for your connector. This must be in accordance with the Compute Engine naming convention, with the additional restriction that it be less than 21 characters with hyphens (-) counting as two characters.
- REGION: a region for your connector; this must match the region of your serverless service or job. If your service or job is in the region us-central or europe-west, use us-central1 or europe-west1.
- SUBNET: the name of an unused /28 subnet. Subnets must be used exclusively by the connector. They cannot be used by other resources such as VMs, Private Service Connect, or load balancers. To confirm that your subnet is not used for Private Service Connect or Cloud Load Balancing, check that the subnet purpose is PRIVATE by running the following command in the gcloud CLI:
  gcloud compute networks subnets describe SUBNET_NAME
  Replace SUBNET_NAME with the name of your subnet.
- HOST_PROJECT_ID: the ID of the host project; supply this only if you are using Shared VPC.
- MIN: the minimum number of instances to use for the connector. Use an integer between 2 and 9. Default is 2. To learn about connector scaling, see Throughput and scaling.
- MAX: the maximum number of instances to use for the connector. Use an integer between 3 and 10. Default is 10. If traffic requires it, the connector scales out to MAX instances, but does not scale back in. To learn about connector scaling, see Throughput and scaling.
- MACHINE_TYPE: f1-micro, e2-micro, or e2-standard-4. To learn about connector throughput, including machine type and scaling, see Throughput and scaling.
For more details and optional arguments, see the gcloud reference.
If you are not using Shared VPC and want to supply a custom IP range instead of using an existing subnet, create a connector with the following command:
gcloud compute networks vpc-access connectors create CONNECTOR_NAME \
  --network VPC_NETWORK \
  --region REGION \
  --range IP_RANGE
Replace the following:
- CONNECTOR_NAME: a name for your connector. This must be in accordance with the Compute Engine naming convention, with the additional restriction that it be less than 21 characters with hyphens (-) counting as two characters.
- VPC_NETWORK: the VPC network to attach your connector to.
- REGION: a region for your connector. This must match the region of your serverless service or job. If your service or job is in the region us-central or europe-west, use us-central1 or europe-west1.
- IP_RANGE: an unreserved internal IP network; a /28 of unallocated space is required. The value supplied is the network in CIDR notation (10.8.0.0/28). This IP range must not overlap with any existing IP address reservations in your VPC network. For example, 10.8.0.0/28 works in most new projects. The subnet that is created for this range is hidden and cannot be used in firewall rules and NAT configurations.
For more details and optional arguments such as throughput controls, see the gcloud reference.
Verify that your connector is in the READY state before using it:
gcloud compute networks vpc-access connectors describe CONNECTOR_NAME \
  --region REGION
Replace the following:
- CONNECTOR_NAME: the name of your connector; this is the name that you specified in the previous step.
- REGION: the region of your connector; this is the region that you specified in the previous step.
The output should contain the line state: READY.
Terraform
You can use a Terraform resource to enable the vpcaccess.googleapis.com API.
You can use Terraform modules to create a VPC network and subnet and then create the connector.
Configure your serverless environment to use a connector
After you create a Serverless VPC Access connector, configure your serverless environment to use the connector by following the instructions for your serverless environment:
IPv6 traffic is not supported.
Configure Cloud Run to use a connector
When you create a new service or deploy a new revision, you can configure the service to use a connector by using the Google Cloud console, Google Cloud CLI, a YAML file, or a Terraform resource.
Console
Click Create Service if you are configuring a new service you are deploying to. If you are configuring an existing service, click on the service, then click Edit and Deploy New Revision.
If you are configuring a new service, fill out the initial service settings page as desired, then click Container, Networking, Security to expand the service configuration page.
Click the Connections tab.
- In the VPC Connector field, select a connector to use or select None to disconnect your service from a VPC network.
Click Create or Deploy.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To specify a connector during deployment, use the --vpc-connector flag:
gcloud run deploy SERVICE --image IMAGE_URL --vpc-connector CONNECTOR_NAME
- Replace SERVICE with the name of your service.
- Replace IMAGE_URL with a reference to your container image.
- Replace CONNECTOR_NAME with the name of your connector. If your connector is in the host project of a Shared VPC, this must be the fully specified name, for example: projects/HOST_PROJECT_ID/locations/CONNECTOR_REGION/connectors/CONNECTOR_NAME, where HOST_PROJECT_ID is the ID of the host project, CONNECTOR_REGION is the region of your connector, and CONNECTOR_NAME is the name that you gave your connector.
To attach, update, or remove a connector for an existing service, use the gcloud run services update command with the appropriate flag. For example, to attach or update a connector:
gcloud run services update SERVICE --vpc-connector CONNECTOR_NAME
- Replace SERVICE with the name of your service.
- Replace CONNECTOR_NAME with the name of your connector.
YAML
You can download and view existing service configurations using the gcloud run services describe --format export command, which yields cleaned results in YAML format. You can then modify the fields described below and upload the modified YAML using the gcloud run services replace command. Make sure you only modify fields as documented.
To view and download the configuration:
gcloud run services describe SERVICE --format export > service.yaml
Add or update the run.googleapis.com/vpc-access-connector attribute under the annotations attribute under the top-level spec attribute:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: SERVICE
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/vpc-access-connector: CONNECTOR_NAME
- Replace SERVICE with the name of your Cloud Run service.
- Replace CONNECTOR_NAME with the name of your connector. If your connector is in the host project of a Shared VPC, this must be the fully specified name, for example: projects/HOST_PROJECT_ID/locations/CONNECTOR_REGION/connectors/CONNECTOR_NAME, where HOST_PROJECT_ID is the ID of the host project, CONNECTOR_REGION is the region of your connector, and CONNECTOR_NAME is the name that you gave your connector.
Replace the service with its new configuration using the following command:
gcloud beta run services replace service.yaml
Terraform
You can use a Terraform resource to create a service and configure it to use your connector.
Configure Cloud Functions to use a connector
You can configure a function to use a connector from the Google Cloud console or the Google Cloud CLI:
Console
Go to the Cloud Functions overview page in the Google Cloud console:
Click Create function. Alternatively, click an existing function to go to its details page, and click Edit.
Expand the advanced settings by clicking RUNTIME, BUILD AND CONNECTIONS SETTINGS.
In the Connections tab under Egress settings, enter the name of your connector in the VPC connector field.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Use the gcloud functions deploy command to deploy the function and specify the --vpc-connector flag:
gcloud functions deploy FUNCTION_NAME \
  --vpc-connector CONNECTOR_NAME \
  FLAGS...
where:
- FUNCTION_NAME is the name of your function.
- CONNECTOR_NAME is the name of your connector. If your connector is in the host project of a Shared VPC, this must be the fully specified name, for example: projects/HOST_PROJECT_ID/locations/CONNECTOR_REGION/connectors/CONNECTOR_NAME, where HOST_PROJECT_ID is the ID of the host project, CONNECTOR_REGION is the region of your connector, and CONNECTOR_NAME is the name that you gave your connector.
- FLAGS... refers to other flags you pass during function deployment.
For more control over which requests are routed through the connector, see Egress settings.
Configure App Engine to use a connector
Python 2
Discontinue use of the App Engine URL Fetch service.
By default, all requests are routed through URL Fetch service. This causes requests to your VPC network to fail. To disable this default, see Disabling URL Fetch from handling all outbound requests.
You can still use the urlfetch library directly for individual requests if needed; however, this is not recommended.
Add the Serverless VPC Access field to your app.yaml file:
vpc_access_connector:
  name: projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME
Replace the following:
- PROJECT_ID with your Google Cloud project ID. If your connector is in the host project of a Shared VPC, this must be the ID of the host project.
- REGION with the region that your connector is in.
- CONNECTOR_NAME with the name of your connector.
Deploy the service:
gcloud app deploy
After you deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network.
Java 8
Discontinue use of the App Engine URL Fetch service, URLFetchService.
Add the Serverless VPC Access element to your service's appengine-web.xml file:
<vpc-access-connector>
  <name>projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME</name>
</vpc-access-connector>
Replace the following:
- PROJECT_ID with your Google Cloud project ID. If your connector is in the host project of a Shared VPC, this must be the ID of the host project.
- REGION with the region that your connector is in.
- CONNECTOR_NAME with the name of your connector.
Deploy the service:
gcloud app deploy WEB-INF/appengine-web.xml
After you deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network.
Go 1.11
Discontinue use of the App Engine URL Fetch service.
Serverless VPC Access does not support URL Fetch, and requests made using URL Fetch will ignore Serverless VPC Access settings. Make outbound connections with sockets instead.
Add the Serverless VPC Access field to your app.yaml file:
vpc_access_connector:
  name: projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME
Replace the following:
- PROJECT_ID with your Google Cloud project ID
- REGION with the region that your connector is in
- CONNECTOR_NAME with the name of your connector
Deploy the service:
gcloud app deploy
After you deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network.
All other runtimes
Add the Serverless VPC Access field to your app.yaml file:
vpc_access_connector:
  name: projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME
Replace the following:
- PROJECT_ID with your Google Cloud project ID. If your connector is in the host project of a Shared VPC, this must be the ID of the host project.
- REGION with the region that your connector is in.
- CONNECTOR_NAME with the name of your connector.
Deploy the service:
gcloud app deploy
After you deploy your service, it is able to send requests to internal IP addresses in order to access resources in your VPC network.
Restrict access to VPC resources
You can restrict your connector's access to VPC networks by using VPC firewall rules or rules in firewall policies.
When connecting to a Shared VPC network with connectors in the service projects, firewall rules are not automatically created. A user with the Security Administrator role on the host project sets firewall rules when they configure the host project.
Allow ingress from serverless infrastructure to connector
Your connector VMs must allow ingress from NAT ranges 107.178.230.64/26 and 35.199.224.0/19. These ranges are used by underlying Google serverless infrastructure to ensure that services from Cloud Run, Cloud Functions, and App Engine can send packets to the connector.
To allow ingress from these ranges, run the following command:
gcloud compute firewall-rules create RULE_NAME \
  --action=ALLOW \
  --rules=TCP \
  --source-ranges=107.178.230.64/26,35.199.224.0/19 \
  --target-tags=VPC_CONNECTOR_NETWORK_TAG \
  --direction=INGRESS \
  --network=VPC_NETWORK \
  --priority=PRIORITY
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, allow-nat-ingress.
- VPC_CONNECTOR_NETWORK_TAG: the universal connector network tag if you want to restrict access for all connectors (including any connectors made in the future), or the unique network tag if you want to restrict access for a specific connector.
- VPC_NETWORK: the name of your VPC network
- PRIORITY: an integer between 0-65535. For example, 0 sets the highest priority.
When connecting to a standalone VPC network or a Shared VPC network that has the connector in the host project, Serverless VPC Access creates an ingress allow firewall rule with settings similar to those shown in the preceding command. This rule uses priority 1000. The firewall rule is not visible in the Google Cloud console and exists only as long as the associated connector exists. If you don't want your connector to be able to reach all destinations in your VPC network, you can restrict its access.
You can restrict connector access by creating ingress rules on the destination resource, or by creating egress rules on the VPC connector.
Restrict access using ingress rules
Choose either network tags or CIDR ranges to control the incoming traffic to your VPC network.
Network tags
The following steps show how to create ingress rules that restrict a connector's access to your VPC network based on the connector network tags.
Ensure that you have the required permissions to insert firewall rules. You must have one of the following Identity and Access Management (IAM) roles:
- Compute Security Admin role
- Custom IAM role with the compute.firewalls.create permission enabled
Deny connector traffic across your VPC network.
Create an ingress firewall rule with priority lower than 1000 on your VPC network to deny ingress from the connector network tag. This overrides the implicit firewall rule that Serverless VPC Access creates on your VPC network by default.
gcloud compute firewall-rules create RULE_NAME \
  --action=DENY \
  --rules=PROTOCOL \
  --source-tags=VPC_CONNECTOR_NETWORK_TAG \
  --direction=INGRESS \
  --network=VPC_NETWORK \
  --priority=PRIORITY
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, deny-vpc-connector.
- PROTOCOL: one or more protocols that you want to allow from your VPC connector. Supported protocols are tcp or udp. For example, tcp:80,udp allows TCP traffic through port 80 and UDP traffic. For more information, see the documentation for the allow flag. For security and validation purposes, you can also configure deny rules to block traffic for the following unsupported protocols: ah, all, esp, icmp, ipip, and sctp.
- VPC_CONNECTOR_NETWORK_TAG: the universal connector network tag if you want to restrict access for all connectors (including any connectors made in the future), or the unique network tag if you want to restrict access for a specific connector.
  - Universal network tag: vpc-connector
  - Unique network tag: vpc-connector-REGION-CONNECTOR_NAME
    Replace:
    - REGION: the region of the connector that you want to restrict
    - CONNECTOR_NAME: the name of the connector that you want to restrict
  To learn more about connector network tags, see Network tags.
- VPC_NETWORK: the name of your VPC network
- PRIORITY: an integer between 0-65535. For example, 0 sets the highest priority.
Allow connector traffic to the resource that should receive connector traffic.
Use the allow and target-tags flags to create an ingress firewall rule targeting the resource in your VPC network that you want the VPC connector to access. Set the priority for this rule to be a lower value than the priority of the rule you made in the previous step.
gcloud compute firewall-rules create RULE_NAME \
  --allow=PROTOCOL \
  --source-tags=VPC_CONNECTOR_NETWORK_TAG \
  --direction=INGRESS \
  --network=VPC_NETWORK \
  --target-tags=RESOURCE_TAG \
  --priority=PRIORITY
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, allow-vpc-connector-for-select-resources.
- PROTOCOL: one or more protocols that you want to allow from your VPC connector. Supported protocols are tcp or udp. For example, tcp:80,udp allows TCP traffic through port 80 and UDP traffic. For more information, see the documentation for the allow flag.
- VPC_CONNECTOR_NETWORK_TAG: the universal connector network tag if you want to restrict access for all connectors (including any connectors made in the future), or the unique network tag if you want to restrict access for a specific connector. This must match the network tag that you specified in the previous step.
  - Universal network tag: vpc-connector
  - Unique network tag: vpc-connector-REGION-CONNECTOR_NAME
    Replace:
    - REGION: the region of the connector that you want to restrict
    - CONNECTOR_NAME: the name of the connector that you want to restrict
  To learn more about connector network tags, see Network tags.
- VPC_NETWORK: the name of your VPC network
- RESOURCE_TAG: the network tag for the VPC resource that you want your VPC connector to access
- PRIORITY: an integer less than the priority you set in the previous step. For example, if you set the priority for the rule you created in the previous step to 990, try 980.
For more information about the required and optional flags for creating firewall rules, refer to the documentation for gcloud compute firewall-rules create.
CIDR range
The following steps show how to create ingress rules that restrict a connector's access to your VPC network based on the connector's CIDR range.
Ensure that you have the required permissions to insert firewall rules. You must have one of the following Identity and Access Management (IAM) roles:
- Compute Security Admin role
- Custom IAM role with the compute.firewalls.create permission enabled
Deny connector traffic across your VPC network.
Create an ingress firewall rule with priority lower than 1000 on your VPC network to deny ingress from the connector's CIDR range. This overrides the implicit firewall rule that Serverless VPC Access creates on your VPC network by default.
gcloud compute firewall-rules create RULE_NAME \
  --action=DENY \
  --rules=PROTOCOL \
  --source-ranges=VPC_CONNECTOR_CIDR_RANGE \
  --direction=INGRESS \
  --network=VPC_NETWORK \
  --priority=PRIORITY
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, deny-vpc-connector.
- PROTOCOL: one or more protocols that you want to allow from your VPC connector. Supported protocols are tcp or udp. For example, tcp:80,udp allows TCP traffic through port 80 and UDP traffic. For more information, see the documentation for the allow flag. For security and validation purposes, you can also configure deny rules to block traffic for the following unsupported protocols: ah, all, esp, icmp, ipip, and sctp.
- VPC_CONNECTOR_CIDR_RANGE: the CIDR range for the connector whose access you are restricting
- VPC_NETWORK: the name of your VPC network
- PRIORITY: an integer between 0-65535. For example, 0 sets the highest priority.
Allow connector traffic to the resource that should receive connector traffic.
Use the allow and target-tags flags to create an ingress firewall rule targeting the resource in your VPC network that you want the VPC connector to access. Set the priority for this rule to be a lower value than the priority of the rule you made in the previous step.
gcloud compute firewall-rules create RULE_NAME \
  --allow=PROTOCOL \
  --source-ranges=VPC_CONNECTOR_CIDR_RANGE \
  --direction=INGRESS \
  --network=VPC_NETWORK \
  --target-tags=RESOURCE_TAG \
  --priority=PRIORITY
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, allow-vpc-connector-for-select-resources.
- PROTOCOL: one or more protocols that you want to allow from your VPC connector. Supported protocols are tcp or udp. For example, tcp:80,udp allows TCP traffic through port 80 and UDP traffic. For more information, see the documentation for the allow flag.
- VPC_CONNECTOR_CIDR_RANGE: the CIDR range for the connector whose access you are restricting
- VPC_NETWORK: the name of your VPC network
- RESOURCE_TAG: the network tag for the VPC resource that you want your VPC connector to access
- PRIORITY: an integer less than the priority you set in the previous step. For example, if you set the priority for the rule you created in the previous step to 990, try 980.
For more information about the required and optional flags for creating firewall rules, see the documentation for gcloud compute firewall-rules create.
Restrict access using egress rules
The following steps show how to create egress rules to restrict connector access.
Ensure that you have the required permissions to insert firewall rules. You must have one of the following Identity and Access Management (IAM) roles:
- Compute Security Admin role
- Custom IAM role with the compute.firewalls.create permission enabled
Deny egress traffic from your connector.
Create an egress firewall rule on your Serverless VPC Access connector to prevent it from sending outgoing traffic, with the exception of established responses, to any destination.
gcloud compute firewall-rules create RULE_NAME \
  --action=DENY \
  --rules=PROTOCOL \
  --direction=EGRESS \
  --target-tags=VPC_CONNECTOR_NETWORK_TAG \
  --network=VPC_NETWORK \
  --priority=PRIORITY
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, deny-vpc-connector.
- PROTOCOL: one or more protocols that you want to allow from your VPC connector. Supported protocols are tcp or udp. For example, tcp:80,udp allows TCP traffic through port 80 and UDP traffic. For more information, see the documentation for the allow flag. For security and validation purposes, you can also configure deny rules to block traffic for the following unsupported protocols: ah, all, esp, icmp, ipip, and sctp.
- VPC_CONNECTOR_NETWORK_TAG: the universal VPC connector network tag if you want the rule to apply to all existing VPC connectors and any VPC connectors made in the future, or the unique VPC connector network tag if you want to control a specific connector.
- VPC_NETWORK: the name of your VPC network
- PRIORITY: an integer between 0-65535. For example, 0 sets the highest priority.
Allow egress traffic when the destination is in the CIDR range that you want your connector to access.
Use the allow and destination-ranges flags to create a firewall rule allowing egress traffic from your connector for a specific destination range. Set the destination range to the CIDR range of the resource in your VPC network that you want your connector to be able to access. Set the priority for this rule to be a lower value than the priority of the rule you made in the previous step.
gcloud compute firewall-rules create RULE_NAME \
  --allow=PROTOCOL \
  --destination-ranges=RESOURCE_CIDR_RANGE \
  --direction=EGRESS \
  --network=VPC_NETWORK \
  --target-tags=VPC_CONNECTOR_NETWORK_TAG \
  --priority=PRIORITY
Replace the following:
- RULE_NAME: the name of your new firewall rule. For example, allow-vpc-connector-for-select-resources.
- PROTOCOL: one or more protocols that you want to allow from your VPC connector. Supported protocols are tcp or udp. For example, tcp:80,udp allows TCP traffic through port 80 and UDP traffic. For more information, see the documentation for the allow flag.
- RESOURCE_CIDR_RANGE: the CIDR range of the resource in your VPC network that you want your connector to access
- VPC_NETWORK: the name of your VPC network
- VPC_CONNECTOR_NETWORK_TAG: the universal VPC connector network tag if you want the rule to apply to all existing VPC connectors and any VPC connectors made in the future, or the unique VPC connector network tag if you want to control a specific connector. If you used the unique network tag in the previous step, use the unique network tag.
- PRIORITY: an integer less than the priority you set in the previous step. For example, if you set the priority for the rule you created in the previous step to 990, try 980.
For more information about the required and optional flags for creating firewall rules, refer to the documentation for gcloud compute firewall-rules create.
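The three restriction procedures above (ingress by network tag, ingress by CIDR range, and egress) rely on the same ordering: a deny placed below the implicit priority-1000 allow, then a narrower allow placed below that deny. The following evaluator is an added example, not part of this documentation and not the VPC firewall itself; it models that ordering so the effect of each rule set can be checked, and shows what happens when the allow rule is numbered above the deny. The db tag, the 10.x addresses, and the exact shape of the implicit rule are assumptions.

```python
"""Simplified model of how the connector firewall rules above are evaluated.

Added example, not part of the Google Cloud documentation and not the real
firewall engine: lowest priority number is evaluated first, the first match
decides, unmatched ingress is denied and unmatched egress allowed. It serves
the network-tag ingress, CIDR-range ingress (source_ranges) and egress steps.
The priority-1000 allow is modelled from the page's description; the "db"
tag and the 10.x addresses are constructed sample values.
"""
import copy
import ipaddress

CONNECTOR_TAG = "vpc-connector"  # universal connector network tag from the page


def _proto_match(spec, proto, port):
    """spec uses gcloud syntax, e.g. ["tcp:80", "tcp:1000-2000", "udp", "all"]."""
    for item in spec:
        name, _, ports = item.partition(":")
        if name not in ("all", proto):
            continue
        if not ports:
            return True
        lo, _, hi = ports.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _in_ranges(ip, ranges):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(r) for r in ranges)


def rule_matches(rule, pkt):
    """pkt: direction, target_tag (VM the rule is attached to), peer_tag and
    peer_ip (the other end of the flow), proto, port."""
    if rule["direction"] != pkt["direction"]:
        return False
    # Empty target_tags means the rule applies to every instance in the network.
    if rule.get("target_tags") and pkt["target_tag"] not in rule["target_tags"]:
        return False
    if rule["direction"] == "INGRESS":
        if not (pkt["peer_tag"] in rule.get("source_tags", [])
                or _in_ranges(pkt["peer_ip"], rule.get("source_ranges", []))):
            return False
    elif rule.get("destination_ranges") and not _in_ranges(
            pkt["peer_ip"], rule["destination_ranges"]):
        return False
    return _proto_match(rule["rules"], pkt["proto"], pkt["port"])


def evaluate(rules, pkt):
    """Return (action, rule_name) of the first match in priority order."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, pkt):
            return rule["action"], rule["name"]
    if pkt["direction"] == "INGRESS":
        return "DENY", "implied-ingress-deny"
    return "ALLOW", "implied-egress-allow"


def ingress_pkt(target_tag, proto, port):
    """Flow from a connector instance (constructed address 10.8.0.2) to a VM."""
    return {"direction": "INGRESS", "peer_tag": CONNECTOR_TAG, "peer_ip": "10.8.0.2",
            "target_tag": target_tag, "proto": proto, "port": port}


def egress_pkt(dest_ip, proto, port):
    """Flow leaving a connector instance towards dest_ip."""
    return {"direction": "EGRESS", "peer_tag": None, "peer_ip": dest_ip,
            "target_tag": CONNECTOR_TAG, "proto": proto, "port": port}


def reprioritize(rules, name, priority):
    """Copy of rules with one rule's priority changed, to show misordering."""
    out = copy.deepcopy(rules)
    next(r for r in out if r["name"] == name)["priority"] = priority
    return out


# Modelled after the page: the connector may reach everything, priority 1000.
IMPLICIT_ALLOW = {"name": "serverless-implicit-allow", "priority": 1000,
                  "direction": "INGRESS", "action": "ALLOW", "rules": ["all"],
                  "source_tags": [CONNECTOR_TAG]}

# Ingress steps (network-tag variant): deny below 1000, then allow only
# tcp:5432 to VMs tagged "db" at a priority below the deny.
INGRESS_RULES = [
    IMPLICIT_ALLOW,
    {"name": "deny-vpc-connector", "priority": 990, "direction": "INGRESS",
     "action": "DENY", "rules": ["tcp", "udp"], "source_tags": [CONNECTOR_TAG]},
    {"name": "allow-vpc-connector-for-select-resources", "priority": 980,
     "direction": "INGRESS", "action": "ALLOW", "rules": ["tcp:5432"],
     "source_tags": [CONNECTOR_TAG], "target_tags": ["db"]},
]

# Egress steps: deny all egress from the connector, then allow only tcp:5432
# towards the database subnet.
EGRESS_RULES = [
    {"name": "deny-vpc-connector", "priority": 990, "direction": "EGRESS",
     "action": "DENY", "rules": ["tcp", "udp"], "target_tags": [CONNECTOR_TAG]},
    {"name": "allow-vpc-connector-for-select-resources", "priority": 980,
     "direction": "EGRESS", "action": "ALLOW", "rules": ["tcp:5432"],
     "target_tags": [CONNECTOR_TAG], "destination_ranges": ["10.10.0.0/24"]},
]
```

Evaluating `reprioritize(INGRESS_RULES, "allow-vpc-connector-for-select-resources", 995)` against a connector-to-db tcp:5432 flow returns the deny, which is the misconfiguration the "lower value than the previous step" instruction prevents.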
Update a connector
You can update the following attributes of your connector by using the Google Cloud console, Google Cloud CLI, or the API:
- Machine (instance) type
- Minimum and maximum number of instances
Update machine type
Console
Go to the Serverless VPC Access overview page.
Select the connector you want to edit and click Edit.
The Connector details page displays charts for the connector's throughput, number of instances, and CPU utilization metrics.
In the Instance type list, select your preferred machine (instance) type. To learn about available machine types, see the documentation on Throughput and scaling.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To update the connector machine type, run the following command in your terminal:
gcloud beta compute networks vpc-access connectors update CONNECTOR_NAME --region=REGION --machine-type=MACHINE_TYPE
Replace the following:
- CONNECTOR_NAME: the name of your connector
- REGION: the name of your connector's region
- MACHINE_TYPE: your preferred machine type. To learn about available machine types, see the documentation on Throughput and scaling.
Decrease minimum and maximum number of instances
The minimum and maximum number of instances cannot be decreased in place. To decrease either value, you must do the following:
- Create a new connector with your preferred values.
- Update your service or function to use the new connector.
- Delete the old connector when you've moved its traffic.
See Create Serverless VPC Access connector for more information.
Increase minimum and maximum number of instances
Console
Go to the Serverless VPC Access overview page.
Select the connector you want to edit and click Edit.
In the Minimum instances field, select your preferred minimum number of instances.
The smallest possible value for this field is the current value. The largest possible value for this field is the current value in the Maximum instances field minus 1. For example, if the value in the Maximum instances field is 8, then the largest possible value for the Minimum instances field is 7.
In the Maximum instances field, select your preferred maximum number of instances.
The smallest possible value for this field is the current value. The largest possible value for this field is 10.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To increase the minimum or maximum number of instances for the connector, run the following command in your terminal:
gcloud beta compute networks vpc-access connectors update CONNECTOR_NAME --region=REGION --min-instances=MIN_INSTANCES --max-instances=MAX_INSTANCES
Replace the following:
- CONNECTOR_NAME: the name of your connector
- REGION: the name of your connector's region
- MIN_INSTANCES: your preferred minimum number of instances.
  - Smallest possible value for this field is the current value of min_instances. To find the current value, see Find the current attribute values.
  - Largest possible value for this field is the current max_instances value minus 1, because min_instances must be less than max_instances. For example, if max_instances is 8, the largest possible value for this field is 7. If your connector uses the default max-instances value of 10, then the largest possible value of this field is 9. To find the value of max-instances, see Find the current attribute values.
- MAX_INSTANCES: your preferred maximum number of instances.
  - Smallest possible value for this field is the current value of max_instances. To find the current value, see Find the current attribute values.
  - Largest possible value for this field is 10.
If you only want to increase the minimum number of instances but not the maximum, you must still specify the maximum number of instances. Conversely, if you only want to update the maximum number of instances but not the minimum, you must still specify the minimum number of instances. To keep either the minimum or maximum number of instances at their current value, specify their current value. To find their current value, see Find the current attribute values.
Find the current attribute values
To find the current attribute values for your connector, run the following in your terminal:
gcloud compute networks vpc-access connectors describe CONNECTOR_NAME --region=REGION --project=PROJECT
Replace the following:
- CONNECTOR_NAME: the name of your connector
- REGION: the name of your connector's region
- PROJECT: the ID of your Google Cloud project
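The scaling constraints above can be checked locally before the update is sent, so that a request the service would reject fails with a clear reason instead of a generic API error. The following script is an added example, not code from the original page or from Google Cloud. It reads the current values with the describe command shown under Find the current attribute values, rejects a change that would decrease either value, exceed 10, or leave min_instances at or above max_instances, and otherwise prints the update command with both flags set. It assumes that the describe output exposes the fields minInstances and maxInstances (an assumption to confirm against your own describe output).

```shell
# Added example, not part of the original page: validate a requested
# min/max change against the rules above before running the update
# command, so a rejected request fails locally with a clear reason.
# Assumes `describe` reports the fields minInstances and maxInstances
# (an assumption; confirm against your own describe output).

# validate_scaling CUR_MIN CUR_MAX NEW_MIN NEW_MAX
# Returns 0 if the change can be applied in place, 1 otherwise.
validate_scaling() {
  cur_min=$1; cur_max=$2; new_min=$3; new_max=$4
  if [ "$new_min" -lt "$cur_min" ] || [ "$new_max" -lt "$cur_max" ]; then
    echo "cannot decrease in place (current $cur_min/$cur_max, requested $new_min/$new_max); create a new connector instead" >&2
    return 1
  fi
  if [ "$new_max" -gt 10 ]; then
    echo "max-instances cannot exceed 10 (requested $new_max)" >&2
    return 1
  fi
  if [ "$new_min" -ge "$new_max" ]; then
    echo "min-instances ($new_min) must be less than max-instances ($new_max)" >&2
    return 1
  fi
  return 0
}

# build_update_cmd NAME REGION NEW_MIN NEW_MAX
# Always passes both flags: the update command requires both even when
# only one of the values changes.
build_update_cmd() {
  printf 'gcloud beta compute networks vpc-access connectors update %s --region=%s --min-instances=%s --max-instances=%s\n' \
    "$1" "$2" "$3" "$4"
}

# scale_connector NAME REGION NEW_MIN NEW_MAX
# Reads the current values from gcloud, validates the request and prints
# the update command; pipe the output to sh to run it.
scale_connector() {
  name=$1; region=$2; new_min=$3; new_max=$4
  current=$(gcloud compute networks vpc-access connectors describe "$name" \
    --region="$region" --format='value(minInstances,maxInstances)') || return 1
  # value() separates the two fields with a tab; split on it
  set -- $current
  validate_scaling "$1" "$2" "$new_min" "$new_max" || return 1
  build_update_cmd "$name" "$region" "$new_min" "$new_max"
}

# Usage (needs gcloud and an existing connector):
#   scale_connector my-connector us-central1 3 6 | sh
```

The script only prints the update command; review it and then pipe it to sh, so the read-only describe call is the only thing that runs against the project until you decide to apply the change.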
Delete a connector
Before you delete a connector, ensure that no services or jobs are still connected to it.
For Shared VPC users who set up connectors in the Shared VPC host project, you can use the command gcloud compute networks vpc-access connectors describe to list the projects in which there are services or jobs that use a given connector.
To delete a connector, use the Google Cloud console or the Google Cloud CLI:
Console
Go to the Serverless VPC Access overview page in the Google Cloud console:
Select the connector you want to delete.
Click Delete.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Use the following gcloud command to delete a connector:
gcloud compute networks vpc-access connectors delete CONNECTOR_NAME --region=REGION
Replace the following:
- CONNECTOR_NAME with the name of the connector you want to delete
- REGION with the region where the connector is located
Troubleshooting
Service account permissions
To perform operations in your Google Cloud project, Serverless VPC Access uses the Serverless VPC Access Service Agent service account. This service account's email address has the following form:
service-PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com
By default, this service account has the Serverless VPC Access Service Agent role (roles/vpcaccess.serviceAgent). Serverless VPC Access operations may fail if you change this account's permissions.
Errors
Connector creation error
If creating a connector results in an error, try the following:
- Specify an RFC 1918 internal IP range that does not overlap with any existing IP address reservations in the VPC network.
- Grant your project permission to use Compute Engine VM images from the project with ID serverless-vpc-access-images. For more information about how to update your organization policy accordingly, see Set image access constraints.
Unable to access resources
If you specified a connector but still cannot access resources in your VPC network, make sure that there are no firewall rules on your VPC network with a priority value lower than 1000 that deny ingress from your connector's IP address range. In VPC firewall rules a lower number means higher precedence, so a deny rule numbered below 1000 is evaluated before the allow rules that Serverless VPC Access creates for the connector at priority 1000.
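To make that check concrete, the following script is an added example, not code from the original page or from Google Cloud. It lists ingress deny rules on the network with a priority value below 1000 and reports the ones whose source range overlaps the connector's range; a rule that matches by tag or service account instead of by range is flagged for manual review, because a range comparison cannot decide it. The connector range (the ipCidrRange field of the describe output), the `;` separator that gcloud's value() format uses for repeated fields, and the filter expression are assumptions to verify in your project.

```shell
# Added example, not part of the original page: list ingress deny rules
# that can block traffic from a connector. Rules with a priority value
# below 1000 win over the allow rules at priority 1000, so any such rule
# whose source range overlaps the connector's range is a candidate.
# Assumptions: the connector range comes from the describe field
# ipCidrRange; value() joins repeated sourceRanges with ';'; and the
# filter expression below is accepted by gcloud. Verify all three.

# ip_to_int DOTTED_QUAD: prints the address as a 32-bit integer
ip_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps RANGE_A RANGE_B: exit 0 if the two ranges share an address.
# A bare address is treated as a /32.
cidr_overlaps() {
  r1=$1; r2=$2
  case $r1 in */*) ;; *) r1="$r1/32";; esac
  case $r2 in */*) ;; *) r2="$r2/32";; esac
  a=$(ip_to_int "${r1%/*}"); b=$(ip_to_int "${r2%/*}")
  # under the shorter of the two masks, overlap means the same network
  n=${r1#*/}
  if [ "${r2#*/}" -lt "$n" ]; then n=${r2#*/}; fi
  if [ "$n" -eq 0 ]; then return 0; fi
  mask=$(( (4294967295 << (32 - n)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# check_rule NAME PRIORITY SOURCE_RANGES CONNECTOR_RANGE
# Prints a finding and returns 0 if the rule can match connector traffic.
check_rule() {
  name=$1; priority=$2; ranges=$3; conn_range=$4
  if [ -z "$ranges" ]; then
    # no source ranges: the rule matches on tags or service accounts
    printf '%s (priority %s): no source ranges, matches by tag or service account; review manually\n' "$name" "$priority"
    return 0
  fi
  for r in $(printf '%s' "$ranges" | tr ';' ' '); do
    if cidr_overlaps "$r" "$conn_range"; then
      printf '%s (priority %s): source range %s overlaps connector range %s\n' "$name" "$priority" "$r" "$conn_range"
      return 0
    fi
  done
  return 1
}

# find_blocking_rules NETWORK CONNECTOR_RANGE
# Queries gcloud for ingress deny rules with priority < 1000 on NETWORK
# and reports the ones that can block the connector.
find_blocking_rules() {
  vpc=$1; crange=$2
  gcloud compute firewall-rules list \
    --filter="network~/$vpc\$ AND direction=INGRESS AND priority<1000 AND denied:*" \
    --format='value(name,priority,sourceRanges)' |
  while read -r name priority ranges; do
    # `|| :` keeps a non-matching rule from ending the loop under set -e
    check_rule "$name" "$priority" "$ranges" "$crange" || :
  done
}

# Usage: find_blocking_rules my-vpc 10.8.0.0/28
```

Run find_blocking_rules with the network name and the connector's ipCidrRange; an empty result means no range-based deny rule below priority 1000 can match the connector, and any "review manually" line points at a tag- or service-account-based rule that needs a look at the connector's network tags.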
Connection refused error
If you receive connection refused errors that degrade network performance, your connections could be growing without limit across invocations of your serverless application. To limit the maximum number of connections used per instance, use a client library that supports connection pools. For detailed examples of how to use connection pools, see Manage database connections.
Resource not found error
When deleting a VPC network or a firewall rule, you might see a message that is similar to the following: The resource "aet-uscentral1-subnet--1-egrfw" was not found.
For information about this error and its solution, see Resource not found error in the VPC firewall rules documentation.
Next steps
- Monitor admin activity with Serverless VPC Access audit logging.
- Protect resources and data by creating a service perimeter with VPC Service Controls.
- Learn about the Identity and Access Management (IAM) roles associated with Serverless VPC Access. See Serverless VPC Access roles in the IAM documentation for a list of permissions associated with each role.
- Learn how to connect to Memorystore from: