# Serverless VPC Access Connectors

## Concepts

>Serverless VPC Access makes it possible for you to connect directly to your Virtual Private Cloud network from serverless environments such as Cloud Run, App Engine, or Cloud Functions.

Source: https://docs.cloud.google.com/vpc/docs/serverless-vpc-access

**From v2.4** onwards, the DiscrimiNAT supports filtering traffic egressing from Serverless VPC Access Connectors.

## Network tags

The network tags on Firewall Rules that apply to Serverless VPC Access Connectors have preset names defined by Google Cloud Platform.

>Serverless VPC Access network tags let you refer to VPC connectors in firewall rules and routes.
>
>Every Serverless VPC Access connector automatically receives two network tags (sometimes called instance tags):
> * Universal network tag: `vpc-connector`. Applies to all existing connectors and any connectors made in the future.
> * Unique network tag: `vpc-connector-REGION-CONNECTOR_NAME`. Applies to the connector `CONNECTOR_NAME` in `REGION`.
>
>These network tags cannot be deleted. New network tags cannot be added.

Source: https://docs.cloud.google.com/vpc/docs/serverless-vpc-access#network-tags

### Examples

1. For a connector named `foo` in `europe-west2` region, the network tag applicable to just the traffic from this connector will be `vpc-connector-europe-west2-foo`.
2. The network tag applicable to all connectors, regardless of name or region, will be `vpc-connector`.

## Requirements

### Serverless

The egress settings of the serverless platform must be configured to send all traffic through a connector, not just the traffic destined for internal addresses; otherwise internet-bound traffic leaves directly and never reaches the DiscrimiNAT. This is done when setting up the serverless workload, in one of the following ways depending on the platform.

<Tabs>
  <TabItem value="cloud_run" label="Cloud Run" default>
Choose <code>Route all traffic through the VPC connector</code> when selecting a connector.

Reference: https://docs.cloud.google.com/run/docs/configuring/connecting-vpc#connectors
  </TabItem>
  <TabItem value="cloud_functions" label="Cloud Functions">
Choose <code>Route all traffic through the VPC connector</code> under <code>Egress settings</code>.

Reference: https://docs.cloud.google.com/run/docs/configuring/networking-best-practices#direct-vpc-throughput
  </TabItem>
  <TabItem value="app_engine" label="App Engine">
Set the <code>egress_settings</code> property to <code>all-traffic</code>.

```yaml
vpc_access_connector:
  name: projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME
  egress_setting: all-traffic
```

Reference: https://docs.cloud.google.com/appengine/docs/standard/connecting-vpc#egress
  </TabItem>
</Tabs>

### Firewall Rules

Firewall Rules permitting ingress from the NAT Ranges and Health Check Ranges, as described at ¹, must be created for the VPC Connectors.

Additionally, firewall rules allowing connections from the serverless workloads to the DiscrimiNAT instances must be created. If using Terraform, the variable `client_cidrs` accepts a list of IP ranges for this purpose; the subnets allocated to the VPC Connectors should be added to that list.

¹ https://docs.cloud.google.com/vpc/docs/configure-serverless-vpc-access#restrict-access

## Role

The following permissions must be added to the Role granted to the service account of the DiscrimiNAT instances, so that they can discover the connector subnets:

```plaintext
vpcaccess.connectors.list
compute.subnetworks.get
```
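As an added illustration of the two sections above (not code from the DiscrimiNAT project), this Python snippet shows why both permissions are needed when deriving the `client_cidrs` list and the per-connector network tag: a connector listed via `vpcaccess.connectors.list` either carries its own `ipCidrRange` or points at a subnet whose range must be fetched with `compute.subnetworks.get`. The `subnet_lookup` callable, the sample connectors and the ranges are constructed for the example.

```python
import re
from dataclasses import dataclass

# Connector resource name, in the same format as the App Engine example above.
_CONNECTOR_NAME = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<region>[^/]+)/connectors/(?P<name>[^/]+)$")

@dataclass(frozen=True)
class ConnectorInfo:
    region: str
    name: str
    network_tag: str  # unique tag GCP attaches to this connector
    cidr: str         # range to add to Terraform `client_cidrs`

def network_tag(region: str, name: str) -> str:
    """Unique tag GCP assigns automatically: vpc-connector-REGION-CONNECTOR_NAME."""
    return f"vpc-connector-{region}-{name}"

def resolve_connector(connector: dict, subnet_lookup) -> ConnectorInfo:
    """Tag and CIDR for one connector from vpcaccess.connectors.list. `ipCidrRange` is set
    when the connector owns a /28; otherwise its `subnet` needs compute.subnetworks.get,
    modelled by the hypothetical `subnet_lookup(project, region, subnet_name)` callable."""
    m = _CONNECTOR_NAME.match(connector["name"])
    if not m:
        raise ValueError(f"unexpected connector name: {connector['name']!r}")
    region, name = m["region"], m["name"]
    cidr = connector.get("ipCidrRange")
    if not cidr:
        subnet = connector["subnet"]
        # Shared VPC: the subnet may live in the host project rather than the connector's.
        cidr = subnet_lookup(subnet.get("projectId", m["project"]), region, subnet["name"])
    return ConnectorInfo(region, name, network_tag(region, name), cidr)

def client_cidrs(connectors, subnet_lookup) -> list[str]:
    """Deduplicated, sorted ranges to pass as `client_cidrs`."""
    return sorted({resolve_connector(c, subnet_lookup).cidr for c in connectors})

# Constructed sample: one connector with an inline range, one backed by a subnet
# in a Shared VPC host project. Project names and ranges are made up.
SAMPLE_CONNECTORS = [
    {"name": "projects/svc-proj/locations/europe-west2/connectors/foo",
     "ipCidrRange": "10.8.0.0/28"},
    {"name": "projects/svc-proj/locations/us-central1/connectors/bar",
     "subnet": {"name": "connector-subnet", "projectId": "host-proj"}},
]
SAMPLE_SUBNETS = {("host-proj", "us-central1", "connector-subnet"): "10.9.1.0/28"}

def sample_subnet_lookup(project, region, subnet):
    return SAMPLE_SUBNETS[(project, region, subnet)]  # stand-in for compute.subnetworks.get
```

The resulting tags are what the firewall rules from the previous section should target, and the resulting ranges are what goes into `client_cidrs`.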

:::tip
If Serverless VPC Access Connectors are deployed in Service Projects of a Shared VPC, see the [Shared VPC setup](../shared-vpc/) page and grant permissions as discussed in the [Service Account](../service-account/) page.
:::
