- An administrator of the Shared VPC host project must create a Serverless VPC Access connector within the host project and attach it to the Shared VPC network.
The host project administrator must grant the following accounts the Serverless VPC Access User IAM role on the host project, as applicable:
- Cloud Run: The service project's Cloud Run
- Cloud Functions: The service project's
Cloud Functions Service Agent
- App Engine: The person or service account that performs App Engine deployments in the service project
This IAM role allows serverless environments in service projects to use connectors from the host project.
Go to the IAM page in the Shared VPC host project:
In the New members field, enter the email addresses of the appropriate accounts; see above.
In the Role field, select Serverless VPC Access User.
Grant permissions on the Shared VPC host project with the following command:
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \ --member MEMBER \ --role roles/vpcaccess.user
HOST_PROJECT_IDis the ID of the Shared VPC host project, and
MEMBERis the email address of the appropriate account; see above. Remember to prefix
serviceAccount:depending on the type of account.
Repeat as necessary for multiple accounts.
- Cloud Run: The service project's Cloud Run Service Agent (
After this setup is complete, the associated serverless environments in Shared VPC service projects will be able to specify the host project's connector in order to connect to the Shared VPC network using the platform-specific considerations.
Specifying the connector for different serverless platforms
Specify the connector for Cloud Run, App Engine, and Cloud Functions using the appropriate tab:
When you deploy or update a Cloud Run (fully managed) service in your service project, you must specify the host project's connector using the fully-qualified name. For example:
gcloud run deploy SERVICE --image IMAGE_URL \ --vpc-connector projects/HOST_PROJECT_ID/locations/CONNECTOR_REGION/connectors/CONNECTOR_NAME
This connects your service to the Shared VPC network.
For App Engine standard, specify the fully qualified connector name in the
app.yaml file as described in the VPC connection page for your language,
for example, using Python.
When you deploy a function in your service project, you must specify the host project's connector using the connector's fully-qualified name:
gcloud functions deploy FUNCTION_NAME \ --vpc-connector projects/HOST_PROJECT_ID/locations/CONNECTOR_REGION/connectors/CONNECTOR_NAME \ FLAGS...
This connects your function to the Shared VPC network.