Serverless VPC Access

Serverless VPC Access enables you to connect from a serverless environment on Google Cloud directly to your VPC network. This connection makes it possible for your serverless environment to access resources in your VPC network via internal IP addresses.

With Serverless VPC Access, you create a connector in your Google Cloud project and attach it to a VPC network. You then configure your serverless services (such as Cloud Run services, App Engine apps, or Cloud Functions) to use the connector for internal network traffic.

Serverless VPC Access only allows requests to be initiated by the serverless environment. Requests initiated by a VM must use the external address of your serverless service—see Private Google Access for more information.

Serverless VPC Access does not support legacy networks. For more information, see Configuring Serverless VPC Access.

Supported services

The following Google services support Serverless VPC Access connectors:

  • Cloud Run (fully managed)
  • App Engine standard environment
    • All runtimes except PHP 5
  • Cloud Functions

Example

In the following example, App Engine, Cloud Functions, and Cloud Run use a Serverless VPC Access connector to send requests to internal resources in the VPC network.

[Figure: Serverless VPC Access example]

  • The Serverless VPC Access connector is in the same project and region as the serverless services (such as Cloud Run services, App Engine apps, or Cloud Functions).
  • The connector is attached to the VPC network that contains the destination resources. The connector can access resources in other VPC networks and Google Cloud projects if you use VPC Network Peering.
  • The connector is assigned the IP range 10.8.0.0/28. Requests sent from the connector to the destination have a source IP address in this range.
  • App Engine, Cloud Functions, and Cloud Run reach the destination resources by sending requests to their internal IP addresses, 10.0.0.4 and 10.1.0.2. The destination resources can be in any region. Egress costs apply to traffic sent from the connector to a resource in a different region.
  • Requests sent from the serverless environments to internal IP addresses travel internally through the Serverless VPC Access connector to the destination resource. Requests sent to external IP addresses travel through the internet.
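
Because requests from the connector carry a source IP address in 10.8.0.0/28, ingress rules protecting 10.0.0.4 and 10.1.0.2 can be scoped to that range, and traffic from any other source stands out. The following Python is an added example, not part of the original documentation; the rules and flow records are constructed samples with hypothetical names and fields, not a Google Cloud API schema.

```python
import ipaddress

# Values taken from the example above.
CONNECTOR_RANGE = ipaddress.ip_network("10.8.0.0/28")
DESTINATIONS = {ipaddress.ip_address("10.0.0.4"), ipaddress.ip_address("10.1.0.2")}

# Constructed sample data (hypothetical rule names and field names).
SAMPLE_RULES = [
    {"name": "allow-connector", "source_ranges": ["10.8.0.0/28"]},
    {"name": "allow-all-private", "source_ranges": ["10.0.0.0/8"]},
    {"name": "allow-any", "source_ranges": ["0.0.0.0/0"]},
    {"name": "allow-other-subnet", "source_ranges": ["10.2.0.0/24"]},
]
SAMPLE_FLOWS = [  # (source IP, destination IP)
    ("10.8.0.5", "10.0.0.4"),    # connector -> destination
    ("10.8.0.16", "10.1.0.2"),   # first address just outside the /28
    ("10.2.0.9", "10.0.0.4"),    # another subnet -> destination
    ("10.8.0.3", "10.3.0.7"),    # connector -> resource not in the example
]

def classify_rule(rule, connector=CONNECTOR_RANGE):
    """Return 'scoped', 'overbroad' or 'unrelated' for one ingress rule."""
    nets = [ipaddress.ip_network(r) for r in rule["source_ranges"]]
    if not any(connector.subnet_of(n) for n in nets):
        return "unrelated"   # no source range admits the whole connector range
    if all(n.subnet_of(connector) for n in nets):
        return "scoped"      # admits the connector range and nothing else
    return "overbroad"       # admits the connector plus other sources

def unexpected_sources(flows, connector=CONNECTOR_RANGE, dests=DESTINATIONS):
    """Return flows that reach a destination from outside the connector range."""
    hits = []
    for src, dst in flows:
        to_dest = ipaddress.ip_address(dst) in dests
        if to_dest and ipaddress.ip_address(src) not in connector:
            hits.append((src, dst))
    return hits

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["name"], classify_rule(rule))
    for src, dst in unexpected_sources(SAMPLE_FLOWS):
        print("unexpected source", src, "->", dst)
```

A /28 covers 10.8.0.0 through 10.8.0.15, so 10.8.0.16 is reported as an unexpected source even though it looks adjacent to the connector.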

What's next