Configuring Shared VPC with connectors in host project

If your organization has set up Shared VPC, complete the following setup to enable serverless environments in Shared VPC service projects to connect to a Shared VPC network:

  1. An administrator of the Shared VPC host project must create a Serverless VPC Access connector within the host project and attach it to the Shared VPC network.
  2. The host project administrator must grant the following accounts the Serverless VPC Access User IAM role on the host project, as applicable:

    • Cloud Run: The service project's Cloud Run Service Agent (service-SERVICE_PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com)
    • Cloud Functions: The service project's Cloud Functions Service Agent (service-SERVICE_PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com)
    • App Engine: The person or service account that performs App Engine deployments in the service project

    This IAM role allows serverless environments in service projects to use connectors from the host project.

    Console

    1. Go to the IAM page in the Shared VPC host project:

    2. Click Add.

    3. In the New members field, enter the email addresses of the appropriate accounts; see above.

    4. In the Role field, select Serverless VPC Access User.

    5. Click Save.

    gcloud

    Grant permissions on the Shared VPC host project with the following command:

    gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
    --member MEMBER \
    --role roles/vpcaccess.user

    where HOST_PROJECT_ID is the ID of the Shared VPC host project, and MEMBER is the email address of the appropriate account; see above. Remember to prefix MEMBER with user: or serviceAccount: depending on the type of account.

    Repeat as necessary for multiple accounts.

After this setup is complete, serverless environments in the Shared VPC service projects can specify the host project's connector to connect to the Shared VPC network, subject to the platform-specific considerations described in the next section.

Specifying the connector for different serverless platforms

Specify the connector for Cloud Run, App Engine, and Cloud Functions as described in the section for your platform:

Cloud Run

When you deploy or update a Cloud Run (fully managed) service in your service project, you must specify the host project's connector using its fully qualified name. For example:

gcloud run deploy SERVICE --image IMAGE_URL \
--vpc-connector projects/HOST_PROJECT_ID/locations/CONNECTOR_REGION/connectors/CONNECTOR_NAME

This connects your service to the Shared VPC network.

App Engine

For App Engine standard, specify the fully qualified connector name in the app.yaml file as described in the VPC connection page for your language, for example, using Python.

Functions

When you deploy a function in your service project, you must specify the host project's connector using the connector's fully qualified name:

gcloud functions deploy FUNCTION_NAME \
--vpc-connector projects/HOST_PROJECT_ID/locations/CONNECTOR_REGION/connectors/CONNECTOR_NAME \
FLAGS...

This connects your function to the Shared VPC network.
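The grant step from the first section and the deployment commands above, wrapped in POSIX shell functions as an added example that is not part of the original page. HOST_PROJECT_ID, SERVICE_PROJECT_NUMBER, CONNECTOR_REGION and CONNECTOR_NAME are the page's own placeholders; the function names and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Google Cloud docs: derive the service project's
# service agents named above, grant them roles/vpcaccess.user on the host
# project, verify the binding, and deploy with the fully qualified connector
# name. Assumed placeholders: HOST_PROJECT_ID, SERVICE_PROJECT_NUMBER,
# CONNECTOR_REGION, CONNECTOR_NAME. Setting DRY_RUN=1 prints the gcloud
# commands instead of running them.

# IAM member string for a service project's serverless service agent.
service_agent() {
  platform=$1; project_number=$2
  case "$platform" in
    run)       echo "serviceAccount:service-${project_number}@serverless-robot-prod.iam.gserviceaccount.com" ;;
    functions) echo "serviceAccount:service-${project_number}@gcf-admin-robot.iam.gserviceaccount.com" ;;
    *)         echo "unknown platform: $platform (use run or functions)" >&2; return 1 ;;
  esac
}

# Fully qualified connector name that a service project must reference.
connector_path() {
  echo "projects/$1/locations/$2/connectors/$3"
}

# Execute gcloud, or print the command when DRY_RUN=1.
run_gcloud() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "gcloud $*"; else gcloud "$@"; fi
}

# Grant Serverless VPC Access User on the host project to one member
# (MEMBER already carries its user: or serviceAccount: prefix).
grant_connector_user() {
  run_gcloud projects add-iam-policy-binding "$1" \
    --member "$2" --role roles/vpcaccess.user
}

# Check that the member holds roles/vpcaccess.user on the host project.
verify_connector_user() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" --filter="bindings.members:$2" \
    --format="value(bindings.role)" | grep -qx "roles/vpcaccess.user"
}

# Deploy a Cloud Run service in the service project using the host
# project's connector: SERVICE IMAGE_URL HOST_PROJECT_ID REGION CONNECTOR.
deploy_run_with_connector() {
  run_gcloud run deploy "$1" --image "$2" \
    --vpc-connector "$(connector_path "$3" "$4" "$5")"
}
```

Typical use: `grant_connector_user "$HOST_PROJECT_ID" "$(service_agent run "$SERVICE_PROJECT_NUMBER")"`, then `verify_connector_user` with the same arguments before deploying.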