To get the most out of this content, you should have some familiarity with the following concepts:
- Basic networking
- Google Cloud Virtual Private Cloud (VPC) networks
To secure network traffic for their services and applications, many organizations use a private network on Google Cloud with perimeter controls to prevent data exfiltration. Your private network might have the following properties:
- You might have a number of resources, such as VMs, sitting on one or more VPC networks.
- These VMs might belong to many different projects, and they might be connected together with a Shared VPC.
- You might have on-premises workloads or workloads on other clouds connected to this environment using Cloud VPN or Cloud Interconnect.
- You might have enabled a VPC Service Controls perimeter to reduce the risk of data exfiltration.
- You might have multiple private networks, one for each of several different environments, such as one for production, one for staging, and one for development.
Unlike VMs, Cloud Run resources are not associated with any particular VPC network by default. This page explains how to incorporate Cloud Run resources into your private network.
Serverless networking narrative
To explore a range of common enterprise configurations for public and private networking, read our Serverless networking narrative.
This starting point introduces the following basic-to-advanced Cloud Run scenarios:
- Safely deploy a "Hello, World!" app that uses a custom domain
- Develop enterprise applications and microservices
- Access databases and file systems publicly or privately
- Connect with SaaS providers
- Apply security controls
See the list of corresponding Terraform modules.
Receive requests from your private network
Receiving requests from your private network requires configuration based on the following conditions:
- Where the request comes from.
- Whether the Cloud Run resource only allows requests from your private network.
For example, receiving requests from VPC networks might require different configuration than receiving requests from on-premises resources and other clouds.
Receive requests from other Cloud Run resources or App Engine
When your destination Cloud Run resource receives traffic from other Cloud Run resources or App Engine, and it uses the "internal" or "internal and load balancing" ingress setting, the traffic must use the VPC network to be considered internal.
To receive requests from other Cloud Run resources or App Engine, perform the following steps:
Configure the source resource to use either Direct VPC egress or a connector.
Make sure traffic to Cloud Run routes through the VPC network by using one of the following options:
- Configure the source resource to send all traffic through the VPC network and enable Private Google Access on the subnet associated with Direct VPC egress or the connector.
- Set up Private Service Connect or an internal Application Load Balancer to front your destination Cloud Run resource. With this configuration, you access Cloud Run by using internal IP addresses, so requests are routed through the VPC network.
- Enable Private Google Access on the subnet associated with the source resource and configure DNS to resolve run.app URLs to the private.googleapis.com (199.36.153.8/30) or restricted.googleapis.com (199.36.153.4/30) ranges. Requests to these ranges are routed through the VPC network.
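The script below is an added example, not Google's code and not part of this page. It verifies the two observable signs of the private path described in the steps above and in the Private Google Access item of the next section: a run.app hostname should resolve only into the 199.36.153.8/30 or 199.36.153.4/30 ranges once DNS is configured as described, and requests that arrived through Private Google Access show remoteIp 0.0.0.0 in their httpRequest log field. The hostnames, the stand-in resolver table and the log lines are constructed; the system resolver is used only when you call classify_resolution without the stand-in.

```python
"""Check the observable signs of a Cloud Run private path (added example).

Ranges and the 0.0.0.0 remoteIp value are taken from the page; everything
else here (hostnames, resolver answers, log lines) is constructed.
"""
import ipaddress
import json
import socket
from typing import Callable, Dict, List

# Ranges stated on the page.
PRIVATE_GOOGLEAPIS = ipaddress.ip_network("199.36.153.8/30")
RESTRICTED_GOOGLEAPIS = ipaddress.ip_network("199.36.153.4/30")
# remoteIp that request logs show for traffic that used Private Google Access.
PRIVATE_ACCESS_REMOTE_IP = ipaddress.ip_address("0.0.0.0")


def system_resolver(hostname: str) -> List[str]:
    """Resolve with the host's own DNS (used only when no stand-in is given)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def constructed_resolver(hostname: str) -> List[str]:
    """Stand-in for DNS with constructed answers so the example runs offline."""
    table = {
        # fully inside private.googleapis.com: the configuration described on the page
        "svc-abc.a.run.app": ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"],
        # one private-range answer plus a public one: some clients would leave the VPC path
        "svc-def.a.run.app": ["199.36.153.8", "198.51.100.20"],
        # no private-range answer at all
        "svc-public.a.run.app": ["198.51.100.21"],
    }
    return table.get(hostname, [])


def classify_resolution(hostname: str,
                        resolver: Callable[[str], List[str]] = system_resolver) -> Dict[str, object]:
    """Report which resolved addresses sit in the two private ranges.

    verdict is "private" when every address is in either range, "public" when
    none is, "mixed" when both kinds appear, "unresolved" when there is no answer.
    """
    addrs = [ipaddress.ip_address(a) for a in resolver(hostname)]
    private = [str(a) for a in addrs if a in PRIVATE_GOOGLEAPIS]
    restricted = [str(a) for a in addrs if a in RESTRICTED_GOOGLEAPIS]
    other = [str(a) for a in addrs if a not in PRIVATE_GOOGLEAPIS and a not in RESTRICTED_GOOGLEAPIS]
    if not addrs:
        verdict = "unresolved"
    elif not other:
        verdict = "private"
    elif private or restricted:
        verdict = "mixed"
    else:
        verdict = "public"
    return {
        "hostname": hostname,
        "verdict": verdict,
        "private_googleapis": private,
        "restricted_googleapis": restricted,
        "other": other,
    }


def classify_request_log(entry: Dict[str, object]) -> str:
    """Classify one Cloud Run request log entry by its httpRequest.remoteIp.

    Only the 0.0.0.0 value described on the page is recognised; anything else
    is reported as "other" without guessing which path it took.
    """
    http = entry.get("httpRequest") or {}
    remote = http.get("remoteIp")
    if remote is None:
        return "no-remote-ip"
    if ipaddress.ip_address(remote) == PRIVATE_ACCESS_REMOTE_IP:
        return "private-google-access"
    return "other"


# Constructed log lines in the shape of Cloud Run request entries (not real output).
SAMPLE_LOG_LINES = [
    json.dumps({"httpRequest": {"requestUrl": "https://svc-abc.a.run.app/health", "remoteIp": "0.0.0.0"}}),
    json.dumps({"httpRequest": {"requestUrl": "https://svc-abc.a.run.app/admin", "remoteIp": "198.51.100.7"}}),
    json.dumps({"httpRequest": {"requestUrl": "https://svc-abc.a.run.app/", "remoteIp": "0.0.0.0"}}),
]


def requests_not_via_private_access(lines: List[str]) -> List[str]:
    """Return request URLs whose log entry does not show the Private Google Access remoteIp."""
    flagged = []
    for line in lines:
        entry = json.loads(line)
        if classify_request_log(entry) != "private-google-access":
            flagged.append(entry["httpRequest"].get("requestUrl"))
    return flagged


if __name__ == "__main__":
    for host in ("svc-abc.a.run.app", "svc-def.a.run.app", "svc-public.a.run.app"):
        print(classify_resolution(host, constructed_resolver))
    print("not via Private Google Access:", requests_not_via_private_access(SAMPLE_LOG_LINES))
```

Run it against a real deployment by calling classify_resolution with your service's run.app hostname and no resolver argument from a VM on the subnet in question, and by feeding exported request log entries (one JSON object per line) to requests_not_via_private_access; a "mixed" or "public" verdict, or any flagged URL on a service that is meant to be reached only over the private path, is what to investigate.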
Receive requests from VPC networks
By default, only resources that have external IP addresses or use Cloud NAT can directly access the internet and Google Cloud services such as Pub/Sub and Cloud Run. For other resources, there are a few options to enable the traffic path to Cloud Run:
- The most direct path is to enable Private Google Access on the subnets that host your resources. When Private Google Access is enabled, resources on the subnets can access your Cloud Run resources at the default run.app URL. Traffic from your VPC network to Cloud Run stays in Google's network. In that case, the IP range for requests sent to the Cloud Run resource is 0.0.0.0/32. This means that in request log entries, the remoteIp attribute of the HttpRequest will be 0.0.0.0.
- If you need your Cloud Run resource (together with other Google APIs) to be accessible through an internal IP address in your VPC network, consider creating a Private Service Connect endpoint and