Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to send egress (outbound) traffic from a Cloud Run
service or job to a Shared VPC network, allowing
access to Compute Engine VM instances, Memorystore instances, and any
other resources with an internal IP address.
Connecting to a Shared VPC network can be configured in different ways:
Direct VPC egress
You can use Direct VPC egress to send traffic to a Shared VPC network
without the need for Serverless VPC Access connectors. To set up egress
(outbound) traffic without a connector, see
Direct VPC egress with a Shared VPC network.
Serverless VPC Access connectors
If you need to use Serverless VPC Access connectors, you can set them
up in Shared VPC service projects that have
Cloud Run resources needing access to your network, or you can
set up shared connectors in the Shared VPC host project. There are
advantages to each method.
Service projects
Advantages of creating connectors in the Shared VPC service projects:
Isolation: Each connector has dedicated bandwidth and is unaffected by
bandwidth use of connectors in other service projects. This is good if you
have a service that experiences spikes in traffic or if you need to ensure
that each service project is unaffected by connector use of other service
projects.
Chargebacks: Charges incurred by connectors are associated with the
service project containing the connector. This enables easier chargebacks.
Security: Allows you to follow the "principle of least privilege."
Connectors must be granted access to the resources in your Shared VPC
network that they need to reach. By creating a connector in the service
project, you can limit what the services in the project can access by using
firewall rules.
Team independence: Reduces dependency on the host project administrator.
Teams can create and manage the connectors associated with their service
project. A user with the Compute Engine
Security Admin role or a
custom Identity and Access Management (IAM) role with the
compute.firewalls.create
permission enabled for the host project must still manage firewall rules for
the connector.
Advantages of creating connectors in the Shared VPC host project:
Centralized network management: Aligns with the Shared VPC model
of centralizing network configuration resources in the host project.
IP address space: Preserves more of your IP address space. Connectors
require an IP address for each instance, so having fewer connectors, and
fewer instances in each connector, uses fewer IP addresses. This is good if
you are concerned about running out of IP addresses.
Maintenance: Reduces maintenance because each connector you create can
be used by multiple service projects. This is good if you are concerned
about maintenance overhead.
Cost for idle time: Can reduce the amount of connector idle time and
associated cost. Connectors incur costs even when they are not serving
traffic (see pricing). Having fewer
connectors can reduce the amount of resources you pay for when not serving
traffic, depending on your connector type and number of instances. This is
often cost-effective if your use case involves a large number of services
and the services are used infrequently.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[],[],null,["# Connect to a Shared VPC network\n\nThis page describes how to send egress (outbound) traffic from a Cloud Run\nservice or job to a [Shared VPC](/vpc/docs/shared-vpc) network, allowing\naccess to Compute Engine VM instances, Memorystore instances, and any\nother resources with an internal IP address.\n\nIf your organization does not use Shared VPC, see\n[Send traffic to a standard VPC network](/run/docs/configuring/connecting-vpc).\n\nComparison of configuration methods\n-----------------------------------\n\nConnecting to a Shared VPC network can be configured in different ways:\n\n#### Direct VPC egress\n\nYou can use Direct VPC egress to send traffic to a Shared VPC network\nwithout the need for Serverless VPC Access connectors. To set up egress\n(outbound) traffic without a connector, see\n[Direct VPC egress with a Shared VPC network](/run/docs/configuring/shared-vpc-direct-vpc).\n\n#### Serverless VPC Access connectors\n\nIf you need to use Serverless VPC Access connectors, you can set them\nup in [Shared VPC](/vpc/docs/shared-vpc) service projects that have\nCloud Run resources needing access to your network, or you can\nset up shared connectors in the Shared VPC host project. There are\nadvantages to each method. \n\n### Service projects\n\nAdvantages of creating connectors in the Shared VPC service projects:\n\n- **Isolation:** Each connector has dedicated bandwidth and is unaffected by bandwidth use of connectors in other service projects. This is good if you have a service that experiences spikes in traffic or if you need to ensure that each service project is unaffected by connector use of other service projects.\n- **Chargebacks:** Charges incurred by connectors are associated with the service project containing the connector. This enables easier chargebacks.\n- **Security:** Allows you to follow the \"principle of least privilege.\" Connectors must be granted access to the resources in your Shared VPC network that they need to reach. By creating a connector in the service project, you can limit what the services in the project can access by using firewall rules.\n- **Team independence:** Reduces dependency on the host project administrator. Teams can create and manage the connectors associated with their service project. A user with the Compute Engine [Security Admin](/compute/docs/access/iam#compute.securityAdmin) role or a custom [Identity and Access Management (IAM)](/iam) role with the [`compute.firewalls.create`](/compute/docs/reference/rest/v1/firewalls/insert#iam-permissions) permission enabled for the host project must still manage firewall rules for the connector.\n\nTo set up connectors in service projects, see\n[Configure connectors in service projects](/run/docs/configuring/shared-vpc-service-projects).\n\n### Host project\n\nAdvantages of creating connectors in the Shared VPC host project:\n\n- **Centralized network management:** Aligns with the Shared VPC model of centralizing network configuration resources in the host project.\n- **IP address space:** Preserves more of your IP address space. Connectors require an IP address for each instance, so having fewer connectors, and fewer instances in each connector, uses fewer IP addresses. This is good if you are concerned about running out of IP addresses.\n- **Maintenance:** Reduces maintenance because each connector you create can be used by multiple service projects. This is good if you are concerned about maintenance overhead.\n- **Cost for idle time:** Can reduce the amount of connector idle time and associated cost. Connectors incur costs even when they are not serving traffic (see [pricing](/vpc/pricing#serverless-vpc-pricing)). Having fewer connectors can reduce the amount of resources you pay for when not serving traffic, depending on your connector type and number of instances. This is often cost-effective if your use case involves a large number of services and the services are used infrequently.\n\nTo set up connectors in the host project, see\n[Configure connectors in the host project](/run/docs/configuring/shared-vpc-host-project).\n| **Tip:** For a side-by-side comparison, see [Compare Direct VPC egress and VPC connectors](/run/docs/configuring/connecting-vpc)."]]
