Serverless VPC Access Connectors

Concepts

Serverless VPC Access makes it possible for you to connect directly to your Virtual Private Cloud network from serverless environments such as Cloud Run, App Engine, or Cloud Functions.

Source: https://cloud.google.com/vpc/docs/serverless-vpc-access

From v2.4 onwards, the discrimiNAT supports filtering traffic egressing from Serverless VPC Access Connectors.

Network tags

The network tags on Firewall Rules that apply to Serverless VPC Access Connectors have preset names defined by Google Cloud Platform.

Serverless VPC Access network tags let you refer to VPC connectors in firewall rules and routes.

Every Serverless VPC Access connector automatically receives two network tags (sometimes called instance tags):

  • Universal network tag: vpc-connector. Applies to all existing connectors and any connectors made in the future.
  • Unique network tag: vpc-connector-REGION-CONNECTOR_NAME. Applies to the connector CONNECTOR_NAME in REGION.

These network tags cannot be deleted. New network tags cannot be added.

Source: https://cloud.google.com/vpc/docs/serverless-vpc-access#network-tags

Examples

  1. For a connector named foo in europe-west2 region, the network tag applicable to just the traffic from this connector will be vpc-connector-europe-west2-foo.
  2. The network tag applicable to all connectors, regardless of name or region, will be vpc-connector.

Requirements

The egress settings of the serverless platform need to be configured to send all traffic through a connector, rather than just the traffic to internal addresses. This is configured during the setup of the serverless workload, as follows.

Choose "Route all traffic through the VPC connector" when selecting a connector.

Reference: https://cloud.google.com/run/docs/configuring/connecting-vpc#egress
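A way to check this requirement across Cloud Run services, as an added example that is not part of the discrimiNAT or Google Cloud documentation. It reads service objects shaped like the output of `gcloud run services list --format=json` (an assumption, as are all sample names), flags any service whose egress is not forced through a connector, and derives the unique network tag that firewall rules would match it by.

```python
import json

# Cloud Run annotation and label keys read by this check.
CONNECTOR = "run.googleapis.com/vpc-access-connector"
EGRESS = "run.googleapis.com/vpc-access-egress"
REGION = "cloud.googleapis.com/location"

# Constructed sample (names and project are made up), assumed to mirror
# the service objects printed by `gcloud run services list --format=json`.
SAMPLE = json.loads("""[
 {"metadata": {"name": "billing-api",
               "labels": {"cloud.googleapis.com/location": "europe-west2"}},
  "spec": {"template": {"metadata": {"annotations": {
    "run.googleapis.com/vpc-access-connector": "foo",
    "run.googleapis.com/vpc-access-egress": "all-traffic"}}}}},
 {"metadata": {"name": "report-gen",
               "labels": {"cloud.googleapis.com/location": "europe-west1"}},
  "spec": {"template": {"metadata": {"annotations": {
    "run.googleapis.com/vpc-access-connector":
      "projects/p-123/locations/europe-west1/connectors/bar"}}}}},
 {"metadata": {"name": "web-front",
               "labels": {"cloud.googleapis.com/location": "europe-west2"}},
  "spec": {"template": {"metadata": {"annotations": {}}}}}
]""")

def audit(services):
    """Report, per service, whether all egress goes through a connector."""
    findings = []
    for svc in services:
        meta = svc.get("metadata", {})
        ann = (svc.get("spec", {}).get("template", {})
                  .get("metadata", {}).get("annotations", {}))
        connector = ann.get(CONNECTOR)
        region = meta.get("labels", {}).get(REGION)
        # With no egress annotation, only private ranges use the connector.
        egress = ann.get(EGRESS, "private-ranges-only")
        tag = None
        if connector:
            parts = connector.split("/")
            if len(parts) == 6:  # projects/P/locations/REGION/connectors/NAME
                region, connector = parts[3], parts[5]
            tag = f"vpc-connector-{region}-{connector}"
        findings.append({"service": meta.get("name"),
                         "filtered": bool(connector) and egress == "all-traffic",
                         "egress": egress if connector else "no-connector",
                         "network_tag": tag})
    return findings
```

Services reported with `filtered` set to false send some or all of their internet-bound traffic outside the connector, so that traffic never reaches the egress filter.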

Role

The following permissions must be added to the Role meant to be granted to the service account for discrimiNAT instances, in order for it to be able to pick up the connector subnets:

  • vpcaccess.connectors.list
  • compute.subnetworks.get

Tip

If Serverless VPC Access Connectors are deployed in Service Projects of a Shared VPC, see the Shared VPC setup page and grant permissions as discussed in the Service Account page.