Configuring Serverless VPC Access

Serverless VPC Access enables you to connect from a serverless environment on Google Cloud (Cloud Run (fully managed), Cloud Functions, or the App Engine standard environment) directly to your VPC network. This connection makes it possible for your serverless environment to access Compute Engine VM instances, Memorystore instances, and any other resources with an internal IP address. For example, this can be helpful in the following cases:

  • You use Memorystore to store data for a serverless service.
  • Your serverless workloads use third-party software that you run on a Compute Engine VM.
  • You run a backend service on a Managed Instance Group in Compute Engine and need your serverless environment to communicate with this backend without exposure to the public internet.
  • Your serverless environment needs to access data from your on-premises database through Cloud VPN.

With Serverless VPC Access, requests sent from your serverless environment to internal IP addresses (as defined by RFC 1918) or internal DNS names are routed to your VPC network. These internal addresses are only accessible from Google Cloud services. Using internal addresses avoids exposing resources to the public internet and improves the latency of communication between your services.

Serverless VPC Access only allows requests to be initiated by the serverless environment. Requests initiated by a VM must use the external address of your serverless service—see Private Google Access for more information.

Serverless VPC Access supports Shared VPC and communication to networks connected via Cloud Interconnect, Cloud VPN, and VPC Network Peering. Serverless VPC Access does not support legacy networks.

Serverless VPC Access connectors

Serverless VPC Access is based on a resource called a connector. A connector handles traffic between your serverless environment and your VPC network. When you create a connector in your Google Cloud project, you attach it to a specific VPC network and region. You can then configure your serverless services to use the connector for internal network traffic.

When you create a connector, you also assign it an IP range. Traffic sent through the connector into your VPC network will originate from an address in this range. The IP range must be a CIDR /28 range that is not already reserved in your VPC network. An implicit firewall rule with priority 1000 is created on your VPC network to allow ingress from the connector's IP range to all destinations in the network.

Serverless VPC Access automatically provisions throughput for a connector in 100 Mbps increments depending on the amount of traffic sent through the connector. Automatically provisioned throughput can only scale up and does not scale down. A connector always has at least 200 Mbps provisioned and cannot exceed a throughput of 1000 Mbps. You can configure minimum and maximum throughput limits when you create a connector.

Serverless VPC Access connectors incur a monthly charge based on usage. See Pricing for details.

Figure: Serverless VPC Access example

Note that:

  • A connector must be located in the same project and region as the serverless service that connects to it. See Supported regions for the list of regions in which you can create a connector.
  • Traffic to internal IP addresses and internal DNS names is routed through the connector. By default, traffic to external IP addresses is routed through the internet.
  • You can use the same connector with multiple serverless services.
  • For resources that allow cross-region access, a connector can be in a different region than the resource it is sending traffic to. You are billed for egress from the connector—see Pricing.

Creating a connector

To create a connector, use the Cloud Console or the gcloud command-line tool:

Console

  1. Ensure the Serverless VPC Access API is enabled for your project:

  2. Go to the Serverless VPC Access overview page.

  3. Click Create connector.

  4. In the Name field, enter a name for your connector.

  5. In the Region field, select a region for your connector. This must match the region of your serverless service—see Supported regions.

  6. In the Network field, select the VPC network to attach your connector to.

  7. In the IP range field, enter an unreserved CIDR /28 internal IP range. This IP range must not overlap with any existing IP address reservations in your VPC network. For example, 10.8.0.0/28 will work in most new projects.

  8. (Optional) For additional control over your connector's throughput, edit the Minimum throughput and Maximum throughput fields.

  9. Click Create.

A green check mark will appear next to the connector's name when it is ready to use.

gcloud

  1. Update gcloud components to the latest version:

    gcloud components update
    
  2. Ensure the Serverless VPC Access API is enabled for your project:

    gcloud services enable vpcaccess.googleapis.com
    
  3. Create a connector with the command:

    gcloud compute networks vpc-access connectors create [CONNECTOR_NAME] \
    --network [VPC_NETWORK] \
    --region [REGION] \
    --range [IP_RANGE]
    

    Where:

    • [CONNECTOR_NAME] is a name for your connector.
    • [VPC_NETWORK] is the VPC network to attach your connector to.
    • [REGION] is a region for your connector. This must match the region of your serverless service—see Supported regions.
    • [IP_RANGE] is an unreserved CIDR /28 internal IP range. This IP range must not overlap with any existing IP address reservations in your VPC network. For example, 10.8.0.0/28 will work in most new projects.

    For more details and optional arguments such as throughput controls, see the gcloud reference.

  4. Verify that your connector is in the READY state before using it:

    gcloud compute networks vpc-access connectors describe [CONNECTOR_NAME] --region [REGION]
    

    The output should contain the line state: READY.
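An added pre-flight check for the [IP_RANGE] value, written for this page and not part of the product or of gcloud: it confirms that a candidate range is a valid IPv4 /28 inside RFC 1918 space and that it does not overlap any reservation you already know about. The reserved list is a constructed sample standing in for the subnet, peering and connector ranges you would collect from your own project.

```python
import ipaddress

# RFC 1918 address space: Serverless VPC Access routes traffic to these
# ranges into the VPC network.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of ranges already reserved in a VPC (a subnet and an
# existing connector); in practice, collect these from your own project.
SAMPLE_RESERVED = ["10.128.0.0/20", "10.8.0.16/28"]


def check_connector_range(candidate, reserved):
    """Return the problems with a proposed --range value (empty if none).

    Requirements checked: a valid IPv4 /28 written as a network address,
    inside RFC 1918 space, not overlapping any existing reservation.
    """
    try:
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR network: {exc}"]
    if net.version != 4:
        return ["must be an IPv4 range"]
    problems = []
    if net.prefixlen != 28:
        problems.append(f"must be a /28, got /{net.prefixlen}")
    if not any(net.subnet_of(p) for p in RFC1918):
        problems.append("must be inside RFC 1918 internal space")
    for r in reserved:
        other = ipaddress.ip_network(r, strict=False)
        if other.version == 4 and net.overlaps(other):
            problems.append(f"overlaps existing reservation {other}")
    return problems


if __name__ == "__main__":
    for cand in ("10.8.0.0/28", "10.8.0.16/28", "10.8.0.0/24", "8.8.8.0/28"):
        print(cand, check_connector_range(cand, SAMPLE_RESERVED) or "OK")
```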

Deleting a connector

Before you delete a connector, ensure that no services are still using it. See the relevant product documentation for information on disconnecting a connector from a service. Also note that you cannot delete a VPC network if a Serverless VPC Access connector is still attached to it. You must delete all attached connectors before deleting the VPC network.

To delete a connector, use the Cloud Console or the gcloud command-line tool:

Console

  1. Go to the Serverless VPC Access overview page.

  2. Select the connector you want to delete.

  3. Click Delete.

gcloud

Use the following gcloud command to delete a connector:

gcloud compute networks vpc-access connectors delete [CONNECTOR_NAME] --region [REGION]

Where:

  • [CONNECTOR_NAME] is the name of the connector you want to delete.
  • [REGION] is the region where the connector is located.

Configuring your service to use a connector

After creating a connector, you can configure your serverless services to use it. How you configure a service to use a connector depends on the product. For specific instructions, see the relevant guide:

Supported services

You can use Serverless VPC Access to reach a VPC network from the following services:

Supported regions

You can create a Serverless VPC Access connector in the following regions:

  • asia-east2
  • asia-northeast1
  • asia-south1
  • australia-southeast1
  • europe-west1
  • europe-west2
  • europe-west3
  • europe-west6
  • northamerica-northeast1
  • southamerica-east1
  • us-central1
  • us-east1
  • us-east4

Curated IAM roles

The following table describes the Identity and Access Management (IAM) roles associated with Serverless VPC Access. See Serverless VPC Access roles in the IAM documentation for a list of permissions associated with each role.

Role                                                    Description
Serverless VPC Access Admin (roles/vpcaccess.admin)     Full access to all Serverless VPC Access resources
Serverless VPC Access User (roles/vpcaccess.user)       User of Serverless VPC Access connectors
Serverless VPC Access Viewer (roles/vpcaccess.viewer)   Viewer of all Serverless VPC Access resources

Service account

To perform operations in your Cloud project, the Serverless VPC Access service uses the Serverless VPC Access Service Agent service account. This service account's email address has the following form:

service-PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com

By default, this service account has the Serverless VPC Access Service Agent role (roles/vpcaccess.serviceAgent). Serverless VPC Access operations may fail if you change this account's permissions.

Audit logging

See Serverless VPC Access audit logging information.

Pricing

Serverless VPC Access is priced as follows.

Resource                                                      Price
Serverless VPC Access connector                               Charged as 1 f1-micro instance per 100 Mbps of throughput automatically provisioned for the connector
Network egress from serverless environment to destination     Charged at Compute Engine networking rates

You can view your Serverless VPC Access costs in the Cloud Console by filtering your billing reports by the label key serverless-vpc-access.

Troubleshooting

If creating a connector results in an error, try the following and re-create your connector:

  • Specify an RFC 1918 internal IP range that does not overlap with any existing IP address reservations in the VPC network.
  • Grant your project permission to use Compute Engine VM images from the project with ID serverless-vpc-access-images. See Setting image access constraints for information on how to update your organization policy accordingly.
  • Set the constraints/compute.vmCanIpForward organization policy to allow VMs to enable IP forwarding.

If you've specified a connector for a serverless service but still cannot access resources in your VPC network:

  • Make sure there are no firewall rules on your VPC network with a priority value lower than 1000 (which take precedence over the connector's implicit allow rule) that deny ingress from your connector's IP range.
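An added check for that last point, written for this page and not part of the product: given firewall rules in the shape of `gcloud compute firewall-rules list --format=json` (a constructed sample here, not from a real project), it lists the ingress deny rules that outrank the connector's implicit priority-1000 allow rule and whose source ranges cover the connector's /28.

```python
import ipaddress

# Priority of the implicit rule Serverless VPC Access adds to allow ingress
# from the connector's range; lower numbers take precedence over it.
IMPLICIT_ALLOW_PRIORITY = 1000

# Constructed sample in the shape of
# `gcloud compute firewall-rules list --format=json` (only the fields read
# here); not taken from any real project.
SAMPLE_RULES = [
    {"name": "deny-all-ingress", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "deny-lab-ingress", "direction": "INGRESS", "priority": 500,
     "sourceRanges": ["192.168.0.0/16"], "denied": [{"IPProtocol": "tcp"}]},
    {"name": "allow-internal", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-egress-test", "direction": "EGRESS", "priority": 100,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
]


def shadowing_deny_rules(rules, connector_range):
    """Names of ingress deny rules that outrank the connector's implicit
    allow rule and whose source ranges cover any part of the connector's
    /28. Each such rule can block traffic arriving via the connector."""
    conn = ipaddress.ip_network(connector_range)
    hits = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or "denied" not in rule:
            continue
        # Rules created without --priority default to 1000 on GCP.
        if rule.get("priority", 1000) >= IMPLICIT_ALLOW_PRIORITY:
            continue
        for src in rule.get("sourceRanges", []):
            if ipaddress.ip_network(src, strict=False).overlaps(conn):
                hits.append(rule["name"])
                break
    return hits


if __name__ == "__main__":
    print(shadowing_deny_rules(SAMPLE_RULES, "10.8.0.0/28"))
```

To run it against a real project, load the JSON from `gcloud compute firewall-rules list --format=json` in place of SAMPLE_RULES.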