How to Allow Cloud Run Functions to Access Resources Within VPC Service Controls
Source: G-gen Tech Blog
Understanding How to Enable Access from Cloud Run Functions to Resources Protected by VPC Service Controls
This blog explores how to configure Cloud Run functions to access resources within a Google Cloud project safeguarded by VPC Service Controls. We'll also examine the settings that determine whether access succeeds or fails.
What are VPC Service Controls?
VPC Service Controls is a Google Cloud security service that defines a logical "service perimeter" around a set of projects and restricts API requests that cross that perimeter's boundary.
How to Configure Cloud Run Functions for Secure Access to Resources Protected by VPC Service Controls
This article assumes familiarity with VPC Service Controls' basic configuration, such as Ingress rules. Below, we discuss the critical setup required for enabling access from Cloud Run functions to resources protected by VPC Service Controls and provide a comprehensive validation of various configuration patterns.
Understanding Cloud Run Functions
Cloud Run functions, part of Google Cloud’s serverless offerings, enable you to run applications without the need to build or manage infrastructure.
Key Takeaways
When a VPC Service Controls ingress rule names a source project, Cloud Run functions must route their requests through the VPC; otherwise the request is not attributed to that project and the rule does not match.
Access Validation
We conducted validation using the following setup:
- A Google Cloud project protected by VPC Service Controls
- A BigQuery table and a Cloud Run function within the project
- The Cloud Run function runs as Service Account A
- The function attempts to access the BigQuery table
We adjusted VPC Service Controls and Cloud Run settings to examine various configurations and their impact on access success or failure.
Why VPC Routing is Necessary
By default, VPC Service Controls blocks any access that crosses the service perimeter. Ingress rules create exceptions, allowing specific identities (e.g., Google Accounts or service accounts) from designated source projects to reach protected resources. However, a Cloud Run function can still fail to access the resource even when such an ingress rule appears to be configured correctly.
The Underlying Cause
Although not explicitly stated in the Google Cloud documentation, the underlying infrastructure that runs Cloud Run functions sits outside the user-managed Google Cloud project. Thus, for the request to be seen as originating from the intended project, the Cloud Run function must be connected to that project's VPC and send its traffic through it.
Google Cloud documentation confirms this requirement:
Using VPC Service Controls with Functions Outside the Perimeter
Configuring "VPC Accessible Services"
When Cloud Run functions access resources through the VPC, it's essential to configure VPC Accessible Services correctly. This setting restricts which Google APIs can be reached from VPC networks inside the perimeter. If the target service isn't explicitly permitted there, access fails even though the request is routed through the VPC.
Example Scenarios:
- Failed Request: A request from within the VPC fails if the BigQuery API isn't included in "VPC Accessible Services."
- Successful Request: A request from outside the VPC succeeds if the BigQuery API isn't protected by the service perimeter.
For detailed guidance, refer to:
VPC Accessible Services Documentation
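As an added example that is not part of the original post, the following Terraform configuration ties the settings discussed above together: the perimeter restricts BigQuery, the ingress rule admits Service Account A only when the call originates from the protected project, VPC Accessible Services lists BigQuery, and the function routes all of its egress through a VPC connector. The project number, access policy id, connector, bucket and service-account email are placeholders, and the connector's subnet is assumed to have Private Google Access enabled.

```hcl
# Added example, not the post's own config; all ids, names and emails are placeholders.
resource "google_access_context_manager_service_perimeter" "bq" {
  parent = "accessPolicies/987654321"
  name   = "accessPolicies/987654321/servicePerimeters/bq_perimeter"
  title  = "bq_perimeter"
  status {
    resources           = ["projects/123456789012"]
    restricted_services = ["bigquery.googleapis.com"]
    # Failed-request scenario: omit this block, or drop BigQuery from it, and the VPC-routed call is denied.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["bigquery.googleapis.com"]
    }
    # Ingress rule: Service Account A from the protected project may call BigQuery; the source only matches when egress is VPC-routed.
    ingress_policies {
      ingress_from {
        identities = ["serviceAccount:fn-sa@my-project.iam.gserviceaccount.com"]
        sources { resource = "projects/123456789012" }
      }
      ingress_to {
        resources = ["*"]
        operations {
          service_name = "bigquery.googleapis.com"
          method_selectors { method = "*" }
        }
      }
    }
  }
}

resource "google_cloudfunctions2_function" "bq_reader" {
  name     = "bq-reader"
  location = "asia-northeast1"
  build_config {
    runtime     = "python312"
    entry_point = "main"
    source {
      storage_source {
        bucket = "my-source-bucket"
        object = "bq-reader.zip"
      }
    }
  }
  service_config {
    service_account_email = "fn-sa@my-project.iam.gserviceaccount.com"
    vpc_connector         = "projects/my-project/locations/asia-northeast1/connectors/fn-connector"
    # ALL_TRAFFIC sends the BigQuery API call through the VPC; PRIVATE_RANGES_ONLY would leave it outside.
    vpc_connector_egress_settings = "ALL_TRAFFIC"
  }
}
```

If the function uses Direct VPC egress instead of a connector, the same ALL_TRAFFIC egress setting applies, and the BigQuery entry in VPC Accessible Services is still required.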
By adhering to these configurations, you can enable secure and reliable access to resources protected by VPC Service Controls while leveraging the flexibility of Cloud Run functions.
About the author
Ryuuki Dohara is part of the Cloud Solutions Department's Data Analytics Team and joined G-gen in April 2023. Recognized as a Google Cloud Partner Top Engineer in both 2023 and 2024 (and awarded Rookie of the Year in 2024), Ryuuki is passionate about solving complex cloud challenges. Outside of work, you'll often find him gaming or occasionally taking long bike rides on his days off.