Serverless VPC Access enables you to connect from a serverless environment on Google Cloud (Cloud Run (fully managed), Cloud Functions, or the App Engine standard environment) directly to your VPC network. This connection makes it possible for your serverless environment to access Compute Engine VM instances, Memorystore instances, and any other resources with an internal IP address. For example, this can be helpful in the following cases:
- You use Memorystore to store data for a serverless service.
- Your serverless workloads use third-party software that you run on a Compute Engine VM.
- You run a backend service on a Managed Instance Group in Compute Engine and need your serverless environment to communicate with this backend without exposure to the public internet.
- Your serverless environment needs to access data from your on-premises database through Cloud VPN.
Connection to a VPC network enables your serverless environment to send requests to internal DNS names and internal IP addresses as defined by RFC 1918 and RFC 6598. These internal addresses are only accessible from Google Cloud services. Using internal addresses avoids exposing resources to the public internet and improves the latency of communication between your services.
Serverless VPC Access only allows requests to be initiated by the serverless environment. Requests initiated by a VM must use the external address of your serverless service—see Private Google Access for more information.
Serverless VPC Access connectors
Serverless VPC Access is based on a resource called a connector. A connector handles traffic between your serverless environment and your VPC network. When you create a connector in your Google Cloud project, you attach it to a specific VPC network and region. You can then configure your serverless services to use the connector for outbound network traffic.
When you create a connector, you also assign it an IP range. Traffic sent through the connector into your VPC network will originate from an address in this range. The IP range must be a CIDR /28 range that is not already reserved in your VPC network. An implicit firewall rule with priority 1000 is created on your VPC network to allow ingress from the connector's IP range to all destinations in the network.
Serverless VPC Access automatically provisions throughput for a connector in 100 Mbps increments depending on the amount of traffic sent through the connector. Automatically provisioned throughput can only scale up and does not scale down. A connector always has at least 200 Mbps provisioned and can scale up to 1000 Mbps. You can configure throughput scaling limits when you create a connector; note that actual throughput through a connector may exceed the provisioned throughput, especially for short traffic bursts.
Serverless VPC Access connectors incur a monthly charge based on usage. See Pricing for details.
- A connector must be located in the same project as the serverless service (such as Cloud Run services, App Engine apps, or Cloud Functions) that connects to it, unless you use Shared VPC. In a Shared VPC setup, the connector is in the host project and the serverless service is in a service project.
- A connector must be located in the same region as the serverless service that connects to it. See Supported regions for the list of regions in which you can create a connector.
- Traffic to internal IP addresses and internal DNS names is routed through the connector. By default, traffic to external IP addresses is routed through the internet.
- You can use the same connector with multiple serverless services.
For resources (such as Google Cloud VM instances or GKE clusters) that allow cross-region access, a connector can be in a different region than the resource it is sending traffic to. You are billed for egress from the connector—see Pricing.
Creating a connector
To create a connector, use the Cloud Console or the
Ensure the Serverless VPC Access API is enabled for your project:
Go to the Serverless VPC Access overview page.
Click Create connector.
In the Name field, enter a name for your connector.
In the Region field, select a region for your connector. This must match the region of your serverless service—see Supported regions.
In the Network field, select the VPC network to attach your connector to.
In the IP range field, enter the first address in an unreserved CIDR /28 internal IP range. This IP range must not overlap with any existing IP address reservations in your VPC network. For example, the 10.8.0.0/28 range works in most new projects.
(Optional) For additional control over your connector's throughput, edit the Minimum throughput and Maximum throughput fields.
A green check mark will appear next to the connector's name when it is ready to use.
Update your gcloud components to the latest version:
gcloud components update
Ensure the Serverless VPC Access API is enabled for your project:
gcloud services enable vpcaccess.googleapis.com
Create a connector with the command:
gcloud compute networks vpc-access connectors create [CONNECTOR_NAME] \
  --network [VPC_NETWORK] \
  --region [REGION] \
  --range [IP_RANGE]
- [CONNECTOR_NAME] is a name for your connector.
- [VPC_NETWORK] is the VPC network to attach your connector to.
- [REGION] is a region for your connector. This must match the region of your serverless service (see Supported regions).
- [IP_RANGE] is an unreserved internal IP network, supplied in CIDR notation (for example 10.8.0.0/28); a /28 of unallocated space is required. This IP range must not overlap with any existing IP address reservations in your VPC network. The range 10.8.0.0/28 works in most new projects.
For more details and optional arguments such as throughput controls, see the
Verify that your connector is in the READY state before using it:
gcloud compute networks vpc-access connectors describe [CONNECTOR_NAME] --region [REGION]
The output should contain the line
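Before running the create command, you can check a proposed --range value against the constraints described above (an IPv4 /28, inside RFC 1918 / RFC 6598 space, and no overlap with ranges already reserved in the network). This is an added Python example, not part of the original page or of Google Cloud's tooling; the reserved ranges it uses are constructed sample values.

```python
import ipaddress

# Internal address space as defined by RFC 1918 and RFC 6598, the ranges the
# page says are routed through the connector.
INTERNAL_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def check_connector_range(candidate, reserved):
    """Return a list of problems with a proposed --range value.

    An empty list means the candidate meets the constraints above: a valid
    IPv4 /28 in CIDR notation, inside RFC 1918 / RFC 6598 space, and not
    overlapping any range already reserved in the VPC network.
    """
    try:
        # strict=True rejects values with host bits set, e.g. 10.8.0.1/28
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid network in CIDR notation: {exc}"]
    if net.version != 4:
        return [f"{net} is not an IPv4 range"]
    problems = []
    if net.prefixlen != 28:
        problems.append(f"{net} is not a /28")
    if not any(net.subnet_of(space) for space in INTERNAL_SPACE):
        problems.append(f"{net} is not in RFC 1918 / RFC 6598 space")
    for r in reserved:
        used = ipaddress.ip_network(r, strict=False)
        if used.version == 4 and net.overlaps(used):
            problems.append(f"{net} overlaps reserved range {used}")
    return problems


def first_free_range(reserved, block="10.8.0.0/24"):
    """Walk the /28 subnets of `block` and return the first one that passes
    check_connector_range, or None if the whole block is reserved."""
    for sub in ipaddress.ip_network(block).subnets(new_prefix=28):
        if not check_connector_range(str(sub), reserved):
            return str(sub)
    return None


if __name__ == "__main__":
    # Constructed sample: one auto-mode subnet plus an existing connector
    # range; not taken from any real project.
    existing = ["10.128.0.0/20", "10.8.0.0/28"]
    print(check_connector_range("10.128.0.0/28", existing))
    print(first_free_range(existing))
```

The reserved list would normally be filled from the subnet and reserved-address ranges of the target network; the check is purely local and makes no API calls.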
Deleting a connector
Before you delete a connector, ensure that no services are still using it. See the relevant product documentation for information on disconnecting a connector from a service. Also note that you cannot delete a VPC network if a Serverless VPC Access connector is still attached to it. You must delete all attached connectors before deleting the VPC network.
To delete a connector, use the Cloud Console or the
Go to the Serverless VPC Access overview page.
Select the connector you want to delete.
Use the following gcloud command to delete a connector:
gcloud compute networks vpc-access connectors delete [CONNECTOR_NAME] --region [REGION]
- [CONNECTOR_NAME] is the name of the connector you want to delete.
- [REGION] is the region where the connector is located.
Using a Shared VPC network
- An administrator of the Shared VPC host project must create a Serverless VPC Access connector within the host project and attach it to the Shared VPC network.
The host project administrator must grant the following accounts the Serverless VPC Access User IAM role on the host project, as applicable:
- Cloud Run: The service project's Cloud Run Service Agent
- Cloud Functions: The service project's Cloud Functions Service Agent
- App Engine: The person or service account that performs App Engine deployments in the service project
This IAM role allows serverless environments in service projects to use connectors from the host project.
Go to the IAM page in the Shared VPC host project:
In the New members field, enter the email addresses of the appropriate accounts; see above.
In the Role field, select Serverless VPC Access User.
Grant permissions on the Shared VPC host project with the following command:
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
  --member MEMBER \
  --role roles/vpcaccess.user
HOST_PROJECT_ID is the ID of the Shared VPC host project, and MEMBER is the email address of the appropriate account (see above). Remember to prefix the address with the member type, such as serviceAccount:, depending on the type of account.
Repeat as necessary for multiple accounts.
After this setup is complete, the associated serverless environments in Shared VPC service projects will be able to specify the host project's connector in order to connect to the Shared VPC network. See Configuring your service to use a connector for details.
Configuring your service to use a connector
After creating a connector, you can configure your serverless services to use it. How you configure a service to use a connector depends on the product. For specific instructions, see the relevant guide:
- Connecting a Cloud Run (fully managed) service to a VPC network
- Connecting Cloud Functions to a VPC network
- Connecting an App Engine standard environment app to a VPC network
After your service is connected to a VPC network, you can reach VM instances and other internal resources by sending requests to their internal IP addresses or DNS names.
Adding VPC Service Controls
Once you have created a connector and configured your service, you can mitigate the risk of data exfiltration and protect resources and data by using VPC Service Controls for the VPC Access API for Serverless.
For general information on enabling VPC Service Controls, see Creating a service perimeter.
You can use Serverless VPC Access to reach a VPC network from the following services:
You can create a Serverless VPC Access connector in the following regions:
Supported networking protocols
The following table describes the protocols supported for each Serverless VPC Access connector egress setting. See Configuring network settings for more information regarding the available egress settings.
| Protocol | Route only requests to private IPs through the VPC connector | Route all traffic through the VPC connector |
| --- | --- | --- |
| ICMP | Supported only for external IP addresses | |
Curated IAM roles
The following table describes the Identity and Access Management (IAM) roles associated with Serverless VPC Access. See Serverless VPC Access roles in the IAM documentation for a list of permissions associated with each role.
| Role | Description |
| --- | --- |
| Serverless VPC Access Admin | Full access to all Serverless VPC Access resources |
| Serverless VPC Access User | User of Serverless VPC Access connectors |
| Serverless VPC Access Viewer | Viewer of all Serverless VPC Access resources |
To perform operations in your Cloud project, the Serverless VPC Access service uses the Serverless VPC Access Service Agent service account. This service account's email address has the following form:
By default, this service account has the Serverless VPC Access Service Agent role (roles/vpcaccess.serviceAgent). Serverless VPC Access operations may fail if you change this account's permissions.
For Serverless VPC Access pricing, see Serverless VPC Access on the VPC pricing page.
If creating a connector results in an error, try the following and re-create your connector:
- Specify an RFC 1918 internal IP range that does not overlap with any existing IP address reservations in the VPC network.
- Grant your project permission to use Compute Engine VM images from the project with ID serverless-vpc-access-images. See Setting image access constraints for information on how to update your organization policy accordingly.
- Set the constraints/compute.vmCanIpForward organization policy to allow VMs to enable IP forwarding.
If you've specified a connector for a serverless service but still cannot access resources in your VPC network:
- Make sure there are no firewall rules on your VPC network with a priority number lower than 1000 (that is, evaluated before the connector's implicit rule) that deny ingress from your connector's IP range.
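To check that firewall condition against the rules actually present in a network, the following added Python example (not part of the original page or of Google Cloud's tooling) takes rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json` and reports the enabled ingress deny rules that are evaluated before the connector's implicit priority-1000 rule and whose source ranges cover the connector's /28. The rule list is a constructed sample, not real project data.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list
# --format=json`; names and ranges are invented for illustration.
SAMPLE_RULES_JSON = """
[
  {"name": "deny-all-ingress", "direction": "INGRESS", "priority": 900,
   "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}], "disabled": false},
  {"name": "allow-internal", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}], "disabled": false},
  {"name": "deny-old-lab", "direction": "INGRESS", "priority": 500,
   "sourceRanges": ["10.9.0.0/16"], "denied": [{"IPProtocol": "tcp"}], "disabled": false},
  {"name": "deny-disabled", "direction": "INGRESS", "priority": 100,
   "sourceRanges": ["10.8.0.0/28"], "denied": [{"IPProtocol": "all"}], "disabled": true},
  {"name": "deny-egress", "direction": "EGRESS", "priority": 100,
   "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}], "disabled": false}
]
"""


def blocking_rules(rules, connector_range, implicit_priority=1000):
    """Return the names of enabled INGRESS deny rules whose priority number is
    lower than the connector's implicit rule (so they are evaluated first) and
    whose source ranges overlap any part of the connector's range."""
    conn = ipaddress.ip_network(connector_range)
    hits = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        # A rule without "priority" in the API has the default priority 1000.
        if "denied" not in rule or rule.get("priority", 1000) >= implicit_priority:
            continue
        # Rules keyed on source tags or service accounts have no sourceRanges
        # and are skipped here.
        sources = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
        if any(conn.overlaps(s) for s in sources):
            hits.append(rule["name"])
    return hits


def check_sample(connector_range="10.8.0.0/28"):
    return blocking_rules(json.loads(SAMPLE_RULES_JSON), connector_range)


if __name__ == "__main__":
    print(check_sample())
```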