Serverless VPC Access

Serverless VPC Access makes it possible for you to connect directly to your Virtual Private Cloud network from serverless environments such as Cloud Run, App Engine, or Cloud Functions. Configuring Serverless VPC Access allows your serverless environment to send requests to your VPC network using internal DNS and internal IP addresses (as defined by RFC 1918 and RFC 6598). The responses to these requests also use your internal network.

There are two main benefits to using Serverless VPC Access:

  • Requests sent to your VPC network are never exposed to the internet.
  • Communication through Serverless VPC Access can have lower latency than communication over the internet.

Serverless VPC Access sends internal traffic from your VPC network to your serverless environment only when that traffic is a response to a request that was sent from your serverless environment through the Serverless VPC Access connector. To learn about sending other internal traffic to your serverless environment, see Private Google Access.

To access resources across multiple VPC networks and Google Cloud projects, you must also configure Shared VPC or VPC Network Peering.

How it works

Serverless VPC Access is based on a resource called a connector. A connector handles traffic between your serverless environment and your VPC network. When you create a connector in your Google Cloud project, you attach it to a specific VPC network and region. You can then configure your serverless services to use the connector for outbound network traffic.

IP address ranges

There are two options for setting the IP address range for a connector:

  • Subnet: You can specify an existing /28 subnet if there are no resources already using the subnet.
  • CIDR range: You can specify an unused /28 CIDR range. Make sure that the range doesn't overlap with any in-use CIDR ranges.

Traffic sent through the connector into your VPC network originates from the subnet or CIDR range that you specify.
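The following is an added example, not code from this page or from Google's tooling, that applies the checks above to a proposed connector range before you create the connector: it must be a /28, it must lie in the internal address space this page defines (RFC 1918 and RFC 6598), and it must not overlap anything already in use. The 10.8.0.0/28 range is from this page's example; the /24 subnets of the two resources and the function name are constructed.

```python
import ipaddress

# Internal address space as this page defines it: RFC 1918 plus RFC 6598.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),  # RFC 6598 shared address space
]


def validate_connector_range(candidate, in_use):
    """Return the problems found with a proposed connector CIDR range.

    candidate: the range you intend to give the connector, e.g. "10.8.0.0/28".
    in_use:    CIDR strings already used in or reachable from the VPC (subnets,
               peered ranges, on-premises ranges behind Cloud VPN, other
               connectors). An empty result means the range passes every check.
    """
    problems = []
    net = ipaddress.ip_network(candidate, strict=False)
    if net.version != 4:
        return [f"{candidate} is not an IPv4 range"]
    # "10.8.0.5/28" names a host inside the block, not the block itself.
    if ipaddress.ip_interface(candidate).ip != net.network_address:
        problems.append(f"{candidate} is not on a network boundary (use {net})")
    if net.prefixlen != 28:
        problems.append(f"connector range must be a /28, got /{net.prefixlen}")
    if not any(net.subnet_of(r) for r in INTERNAL_RANGES):
        problems.append(f"{net} is outside the RFC 1918 / RFC 6598 ranges")
    for used in in_use:
        used_net = ipaddress.ip_network(used, strict=False)
        if used_net.version == 4 and net.overlaps(used_net):
            problems.append(f"{net} overlaps the in-use range {used_net}")
    return problems


if __name__ == "__main__":
    # Connector range from this page's example; the resources' /24 subnets are constructed.
    print(validate_connector_range("10.8.0.0/28", ["10.0.0.0/24", "10.1.0.0/24"]))  # []
    # A /24 candidate and a candidate inside an existing subnet both fail.
    print(validate_connector_range("10.8.0.0/24", []))
    print(validate_connector_range("10.0.0.0/28", ["10.0.0.0/24"]))
```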

Firewall rules

If the subnet is not a shared subnet, an implicit firewall rule with priority 1000 is created on your VPC network to allow ingress from the connector's subnet or custom IP range to all destinations in the network. The implicit firewall rule is not visible in the Google Cloud Console and exists only as long as the associated connector exists.

Scaling

A Serverless VPC Access connector consists of connector instances. Serverless VPC Access automatically provisions connector instances depending on the amount of traffic sent through the connector, subject to the min-instances and max-instances settings. Connector instances only scale out and do not scale in. Connector instances can use one of several machine types. Larger machine types provide more throughput. You can view the estimated throughput and cost for each machine type in the Google Cloud Console.

Network tags

Serverless VPC Access network tags let you refer to VPC connectors in firewall rules and routes.

Every Serverless VPC Access connector automatically receives two network tags (sometimes called instance tags):

  • Universal network tag: vpc-connector. Applies to all existing connectors and any connectors made in the future.
  • Unique network tag: vpc-connector-REGION-CONNECTOR_NAME. Applies to the connector CONNECTOR_NAME in REGION.

These network tags cannot be deleted. New network tags cannot be added.
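As an added example, not code from this page or from Google Cloud, the following models how VPC ingress firewall rules decide whether traffic arriving from a connector is admitted, showing how rules keyed on the network tags above take precedence over the invisible priority-1000 implicit allow described under Firewall rules. The connector range 10.8.0.0/28 is this page's; the region, connector name, rule names and the "redis" target tag are constructed, and the evaluation order (lowest priority number first, deny before allow at equal priority, implied ingress deny otherwise) is standard VPC firewall behaviour.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    """A simplified VPC ingress firewall rule (protocol/port matching omitted)."""
    name: str
    priority: int
    action: str                                        # "allow" or "deny"
    source_tags: set = field(default_factory=set)      # match the sender's network tags
    source_ranges: list = field(default_factory=list)  # match the sender's IP (CIDRs)
    target_tags: set = field(default_factory=set)      # empty = applies to all instances


# The implicit rule this page describes: priority 1000, ingress from the
# connector's /28 to every instance in the network, not shown in the Console.
IMPLICIT_CONNECTOR_ALLOW = Rule("implicit-connector-allow", 1000, "allow",
                                source_ranges=["10.8.0.0/28"])

# Constructed rules that use the connector's network tags to narrow its reach:
# deny everything from any connector, then re-allow only instances tagged
# "redis" at a lower (stronger) priority number.
RESTRICTING_RULES = [
    Rule("connector-deny-all", 900, "deny", source_tags={"vpc-connector"}),
    Rule("connector-allow-redis", 800, "allow",
         source_tags={"vpc-connector-us-central1-my-connector"},
         target_tags={"redis"}),
]

# Tags every connector instance carries (REGION and CONNECTOR_NAME constructed).
CONNECTOR_TAGS = {"vpc-connector", "vpc-connector-us-central1-my-connector"}


def rule_matches(rule, src_ip, src_tags, dst_tags):
    by_tag = bool(rule.source_tags & src_tags)
    by_ip = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(r)
                for r in rule.source_ranges)
    to_target = not rule.target_tags or bool(rule.target_tags & dst_tags)
    return (by_tag or by_ip) and to_target


def ingress_decision(rules, src_ip, src_tags, dst_tags):
    """Return (action, rule name) for a flow, using VPC firewall ordering."""
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if rule_matches(rule, src_ip, src_tags, dst_tags):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


if __name__ == "__main__":
    hardened = [IMPLICIT_CONNECTOR_ALLOW] + RESTRICTING_RULES
    print(ingress_decision([IMPLICIT_CONNECTOR_ALLOW], "10.8.0.3", CONNECTOR_TAGS, {"db"}))
    print(ingress_decision(hardened, "10.8.0.3", CONNECTOR_TAGS, {"db"}))     # denied
    print(ingress_decision(hardened, "10.8.0.3", CONNECTOR_TAGS, {"redis"}))  # allowed
```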

Use cases

You can use Serverless VPC Access to access Compute Engine VM instances, Memorystore instances, and any other resources with an internal DNS name or internal IP address. Some examples are:

  • You use Memorystore to store data for a serverless service.
  • Your serverless workloads use third-party software that you run on a Compute Engine VM.
  • You run a backend service on a Managed Instance Group in Compute Engine and need your serverless environment to communicate with this backend without exposure to the internet.
  • Your serverless environment needs to access data from your on-premises database through Cloud VPN.

Example

In this example, a Google Cloud project is running multiple services across the following serverless environments: App Engine, Cloud Functions, and Cloud Run.

A Serverless VPC Access connector was created and assigned the IP range 10.8.0.0/28. Therefore, the source IP address for any request sent from the connector is in this range.

There are two resources in the VPC network. One of the resources has the internal IP address 10.0.0.4. The other resource has the internal IP address 10.1.0.2, and is in a different region than the Serverless VPC Access connector.

The connector sends the requests to these internal IP addresses and receives the responses from them. When the connector sends requests to the resource with internal IP address 10.1.0.2, egress costs apply because that resource is in a different region.

All requests and responses between the serverless environments and the resources in the VPC network travel internally.

Requests sent to external IP addresses still travel through the internet and do not use the Serverless VPC Access connector.

The following diagram shows this configuration.

Figure: Serverless VPC Access example

Pricing

For Serverless VPC Access pricing, see Serverless VPC Access on the VPC pricing page.

Supported services

The following table shows which types of networks you can reach using Serverless VPC Access:

Connectivity service Serverless VPC Access support
VPC
Shared VPC
Legacy networks
Networks connected to Cloud Interconnect
Networks connected to Cloud VPN
Networks connected to VPC Network Peering

The following table shows which serverless environments support Serverless VPC Access:

Serverless environment Serverless VPC Access support
Cloud Run
Cloud Run for Anthos*
Cloud Functions
App Engine standard environment: All runtimes except PHP 5
App Engine flexible environment*

*If you want to use internal IP addresses when connecting from Cloud Run for Anthos or the App Engine flexible environment, you don't need to configure Serverless VPC Access. Just make sure your service is deployed in a VPC network that has connectivity to the resources you want to reach.

Supported networking protocols

The following table describes the networking protocols supported by Serverless VPC Access connectors.

Protocol Route only requests to private IPs through the VPC connector Route all traffic through the VPC connector
TCP
UDP
ICMP: Supported only for external IP addresses

Supported regions

Serverless VPC Access connectors are supported in every region that supports Cloud Run, Cloud Functions, or App Engine standard environment.

To view available regions:

gcloud compute networks vpc-access locations list
