Serverless VPC Access makes it possible for you to connect directly to your Virtual Private Cloud network from serverless environments such as Cloud Run, App Engine, or Cloud Functions. Configuring Serverless VPC Access allows your serverless environment to send requests to your VPC network using internal DNS and internal IP addresses (as defined by RFC 1918 and RFC 6598). The responses to these requests also use your internal network.
There are two main benefits to using Serverless VPC Access:
- Requests sent to your VPC network are never exposed to the internet.
- Communication through Serverless VPC Access can have lower latency than communication over the internet.
Serverless VPC Access sends internal traffic from your VPC network to your serverless environment only when that traffic is a response to a request that was sent from your serverless environment through the Serverless VPC Access connector. To learn about sending other internal traffic to your serverless environment, see Private Google Access.
How it works
Serverless VPC Access is based on a resource called a connector. A connector handles traffic between your serverless environment and your VPC network. When you create a connector in your Google Cloud project, you attach it to a specific VPC network and region. You can then configure your serverless services to use the connector for outbound network traffic.
IP address ranges
There are two options for setting the IP address range for a connector:
- Subnet: You can specify an existing /28 subnet if there are no resources already using the subnet.
- CIDR range: You can specify an unused /28 CIDR range. Make sure that the range doesn't overlap with any in-use CIDR ranges.
Traffic sent through the connector into your VPC network originates from the subnet or CIDR range that you specify.
If the subnet is not a shared subnet, an implicit firewall rule with priority 1000 is created on your VPC network to allow ingress from the connector's subnet or custom IP range to all destinations in the network. The implicit firewall rule is not visible in the Google Cloud Console and exists only as long as the associated connector exists.
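The two constraints above (an unused /28, no overlap with anything already in use) are easy to get wrong by hand, and a mistake is only discovered when connector traffic collides with an existing subnet, a peered range or a route learned over VPN. As an added example that is not Google's code, the following Python script performs those checks on a candidate range before it is submitted, and also enumerates the free /28 blocks inside a larger parent block, which goes a little beyond the text. The ranges in EXISTING_RANGES and the candidates are constructed sample data; a real check would pull them from the VPC's subnets, routes and existing connectors.

```python
"""Added example: pre-flight checks for a Serverless VPC Access connector range.

Not Google's code; it applies the rules stated on the page: the range must be
an unused /28 in internal (RFC 1918 / RFC 6598) space that overlaps nothing
already in use. Ranges listed in EXISTING_RANGES are constructed sample data.
"""
import ipaddress
from typing import Iterable, List

# Internal address space the connector may draw from.
INTERNAL_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("100.64.0.0/10"),     # RFC 6598 (shared address space)
]

# Constructed sample: two subnets, a range learned from a peered network or
# VPN, and a /28 already consumed by another connector.
EXISTING_RANGES = [
    "10.0.0.0/20",      # subnet in region A
    "10.1.0.0/20",      # subnet in region B
    "192.168.0.0/16",   # range learned from a peered network / VPN
    "10.8.0.16/28",     # another connector already using this /28
]


def check_connector_range(candidate: str, in_use: Iterable[str]) -> List[str]:
    """Return the problems with `candidate`; an empty list means it is usable."""
    problems: List[str] = []
    try:
        # strict=True rejects "10.8.0.1/28": host bits set means the caller
        # typed an address, not a block.
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR range: {exc}"]
    if net.version != 4:
        return ["connector ranges must be IPv4"]
    if net.prefixlen != 28:
        problems.append(f"prefix must be /28, got /{net.prefixlen}")
    if not any(net.subnet_of(space) for space in INTERNAL_SPACE):
        problems.append("range is not in RFC 1918 or RFC 6598 space")
    for used in in_use:
        used_net = ipaddress.ip_network(used, strict=False)
        if net.overlaps(used_net):
            problems.append(f"overlaps in-use range {used_net}")
    return problems


def free_connector_ranges(parent: str, in_use: Iterable[str]) -> List[str]:
    """List the /28 blocks inside `parent` that pass check_connector_range."""
    in_use = list(in_use)
    parent_net = ipaddress.ip_network(parent, strict=True)
    return [str(block) for block in parent_net.subnets(new_prefix=28)
            if not check_connector_range(str(block), in_use)]


if __name__ == "__main__":
    for cand in ["10.8.0.0/28", "10.8.0.16/28", "10.0.0.0/24", "8.8.8.0/28", "10.8.0.1/28"]:
        print(cand, check_connector_range(cand, EXISTING_RANGES) or "OK")
    print("free /28s in 10.8.0.0/26:", free_connector_ranges("10.8.0.0/26", EXISTING_RANGES))
```

The overlap check deliberately treats peered and VPN-learned ranges the same as local subnets: the connector's source addresses are what remote firewalls and routes see, so a collision on the far side of a peering or tunnel breaks return traffic just as surely as a local one.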
A Serverless VPC Access connector consists of connector instances. Serverless VPC Access automatically provisions connector instances depending on the amount of traffic sent through the connector, subject to the
Connector instances only scale out and do not scale in. Connector instances can use one of several machine types. Larger machine types provide more throughput. You can view the estimated throughput and cost for each machine type in the Google Cloud Console.
Every Serverless VPC Access connector automatically receives two network tags (sometimes called instance tags):
- Universal network tag: vpc-connector. Applies to all existing connectors and to any connectors created in the future.
- Unique network tag: vpc-connector-REGION-CONNECTOR_NAME. Applies only to the connector CONNECTOR_NAME in REGION.
These network tags cannot be deleted, and new network tags cannot be added to a connector.
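The implicit priority-1000 rule described earlier is broad: it admits any traffic from the connector's range to every destination in the network. The two network tags give you a handle to narrow that, because a rule with a lower priority number overrides it. As an added example that is not Google's code, the Python model below reproduces the VPC firewall decision order (lowest priority number wins, deny beats allow on a tie, unmatched ingress is denied) and shows how a lower-number deny keyed on the universal vpc-connector tag, plus narrow allows keyed on the connector's unique tag, override the implicit allow. The connector name my-connector in us-central1, the range 10.8.0.0/28, and the destination tags redis and backend are constructed for the example.

```python
"""Added example: how VPC firewall rules decide traffic arriving from a connector.

This is a simplified model of Google Cloud firewall evaluation, not the
product's code: a rule matches on source (IP range or network tag), protocol,
port and destination (target) tag; among matching rules the lowest priority
number wins, on a tie deny beats allow, and unmatched ingress hits the implied
deny at priority 65535.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed values for the example: the connector's /28 and its unique tag.
CONNECTOR_RANGE = "10.8.0.0/28"
CONNECTOR_TAG = "vpc-connector-us-central1-my-connector"  # hypothetical connector name


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str                                  # "allow" or "deny"
    source_ranges: Tuple[str, ...] = ()          # CIDR strings
    source_tags: FrozenSet[str] = frozenset()
    protocol: str = "all"                        # "all", "tcp", "udp", "icmp"
    ports: FrozenSet[int] = frozenset()          # empty = any port
    target_tags: FrozenSet[str] = frozenset()    # empty = every instance in the network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_tags: FrozenSet[str]
    dst_tags: FrozenSet[str]
    protocol: str
    port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    src = ipaddress.ip_address(pkt.src_ip)
    from_range = any(src in ipaddress.ip_network(r) for r in rule.source_ranges)
    from_tag = bool(rule.source_tags & pkt.src_tags)
    if not (from_range or from_tag):
        return False
    if rule.target_tags and not (rule.target_tags & pkt.dst_tags):
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    return True


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) for the packet under the given rule set."""
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        return ("deny", "implied-deny-ingress")
    # Lowest priority number wins; on a tie a deny rule beats an allow rule.
    hits.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return (hits[0].action, hits[0].name)


# What Serverless VPC Access creates on a non-shared subnet: allow from the
# connector's range to every destination in the network at priority 1000.
IMPLICIT_ALLOW = Rule("implicit-connector-allow", 1000, "allow", (CONNECTOR_RANGE,))

# A hardened rule set: a lower-number deny overrides the implicit allow, and
# two narrower allows (keyed on the connector's unique tag) re-open only the
# services the serverless workloads actually need.
HARDENED = [
    IMPLICIT_ALLOW,
    Rule("deny-connector-default", 900, "deny", source_tags=frozenset({"vpc-connector"})),
    Rule("allow-connector-redis", 800, "allow", source_tags=frozenset({CONNECTOR_TAG}),
         protocol="tcp", ports=frozenset({6379}), target_tags=frozenset({"redis"})),
    Rule("allow-connector-backend", 800, "allow", source_tags=frozenset({CONNECTOR_TAG}),
         protocol="tcp", ports=frozenset({8080}), target_tags=frozenset({"backend"})),
]


def from_connector(dst_tags, protocol, port=None) -> Packet:
    """A packet leaving the connector, carrying both automatic network tags."""
    return Packet("10.8.0.5", frozenset({"vpc-connector", CONNECTOR_TAG}),
                  frozenset(dst_tags), protocol, port)


if __name__ == "__main__":
    ssh_to_db = from_connector({"db"}, "tcp", 22)
    print(decide([IMPLICIT_ALLOW], ssh_to_db))   # the implicit rule alone lets this through
    print(decide(HARDENED, ssh_to_db))           # the hardened set blocks it
    print(decide(HARDENED, from_connector({"redis"}, "tcp", 6379)))
```

The point of keying the deny on the universal tag and the allows on the unique tag is that the deny keeps covering connectors created later, while each allow stays bound to the one connector whose services need that destination.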
You can use Serverless VPC Access to reach Compute Engine VM instances, Memorystore instances, and any other resource that has an internal DNS name or an internal IP address. Some examples are:
- You use Memorystore to store data for a serverless service.
- Your serverless workloads use third-party software that you run on a Compute Engine VM.
- You run a backend service on a Managed Instance Group in Compute Engine and need your serverless environment to communicate with this backend without exposure to the internet.
- Your serverless environment needs to access data from your on-premises database through Cloud VPN.
In this example, a Google Cloud project is running multiple services across the following serverless environments: App Engine, Cloud Functions, and Cloud Run.
A Serverless VPC Access connector was created and assigned the IP range 10.8.0.0/28. Therefore, the source IP address of any request sent from the connector is in this range.
There are two resources in the VPC network. One has the internal IP address 10.0.0.4. The other has the internal IP address 10.1.0.2 and is in a different region than the Serverless VPC Access connector.
The connector handles sending and receiving both the requests and the responses directly from these internal IP addresses. When the connector sends requests to the resource with internal IP address 10.1.0.2, egress costs apply because that resource is in a different region from the connector.
All requests and responses between the serverless environments and the resources in the VPC network travel internally.
Requests sent to external IP addresses still travel through the internet and do not use the Serverless VPC Access connector.
The following diagram shows this configuration.
For Serverless VPC Access pricing, see Serverless VPC Access on the VPC pricing page.
The following table shows which types of networks you can reach using Serverless VPC Access:

| Connectivity service | Serverless VPC Access support |
| --- | --- |
| Networks connected to Cloud Interconnect | Supported |
| Networks connected to Cloud VPN | Supported |
| Networks connected to VPC Network Peering | Supported |
The following table shows which serverless environments support Serverless VPC Access:

| Serverless environment | Serverless VPC Access support |
| --- | --- |
| Cloud Run | Supported |
| Cloud Functions | Supported |
| Cloud Run for Anthos* | Not needed (see note) |
| App Engine standard environment | All runtimes except PHP 5 |
| App Engine flexible environment* | Not needed (see note) |

* If you want to use internal IP addresses when connecting from Cloud Run for Anthos or the App Engine flexible environment, you don't need to configure Serverless VPC Access; just make sure your service is deployed in a VPC network that has connectivity to the resources you want to reach.
Supported networking protocols
The following table describes the networking protocols supported by Serverless VPC Access connectors.

| Protocol | Route only requests to private IPs through the VPC connector | Route all traffic through the VPC connector |
| --- | --- | --- |
| ICMP | Not supported (external IP traffic does not use the connector in this mode) | Supported only for external IP addresses |
Serverless VPC Access connectors are supported in every region that supports Cloud Run, Cloud Functions, or App Engine standard environment.
To list the available regions, run:
gcloud compute networks vpc-access locations list
- To configure Serverless VPC Access, see Configuring Serverless VPC Access.