Serverless VPC Access Connectors
Serverless VPC Access makes it possible for you to connect directly to your Virtual Private Cloud network from serverless environments such as Cloud Run, App Engine, or Cloud Functions.
From v2.4 onwards, the DiscrimiNAT supports filtering traffic egressing from Serverless VPC Access Connectors.
The network tags on Firewall Rules that apply to Serverless VPC Access Connectors have preset names defined by Google Cloud Platform.
Serverless VPC Access network tags let you refer to VPC connectors in firewall rules and routes.
Every Serverless VPC Access connector automatically receives two network tags (sometimes called instance tags):
- Universal network tag:
vpc-connectorApplies to all existing connectors and any connectors made in the future
- Unique network tag:
vpc-connector-REGION-CONNECTOR_NAMEApplies to the connector
These network tags cannot be deleted. New network tags cannot be added.
- For a connector named
europe-west2region, the network tag applicable to just the traffic from this connector will be
- The network tag applicable to all connectors, regardless of name or region, will be
The egress settings of the serverless platform need to be configured to send all traffic through a connector rather than just the traffic to internal addresses. This is accomplished during the setup of the serverless workload, and in the following ways.
- Cloud Run
- Cloud Functions
- App Engine
Route all traffic through the VPC connectorwhen selecting a connector.
Route all traffic through the VPC connectorunder
Firewall Rules from NAT Ranges and Health Check Ranges, as described at ¹, must be created for the VPC Connectors.
Additionally, firewall rules to allow connections from serverless workloads to DiscrimiNAT instances would have to be created. If using Terraform, the variable
client_cidrs accepts a list of IP ranges for this. The subnets allocated for VPC Connectors should be added to this list.
The following permissions must be added to the Role meant to be granted to the service account for DiscrimiNAT instances, in order for it to be able to pick up the connector subnets:
If Serverless VPC Access Connectors are deployed in Service Projects of a Shared VPC , see the Shared VPC setup page and grant permissions as discussed in the Service Account page.