Connect to a Shared VPC network

This page describes how to send egress (outbound) traffic from a Cloud Run service or job to a Shared VPC network, allowing access to Compute Engine VM instances, Memorystore instances, and any other resources with an internal IP address.

If your organization does not use Shared VPC, see Send traffic to a standard VPC network.

Comparison of configuration methods

Connecting to a Shared VPC network can be configured in different ways:

Direct VPC egress

You can use Direct VPC egress to send traffic to a Shared VPC network without the need for Serverless VPC Access connectors. To set up egress (outbound) traffic without a connector, see Direct VPC egress with a Shared VPC network.
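The following is an added example, not code from the original page: a small gcloud script that deploys a Cloud Run service in a service project with Direct VPC egress into a subnet owned by the Shared VPC host project. Because the network and subnet live in the host project, they are passed as full resource paths, and the service project's Cloud Run service agent must hold roles/compute.networkUser on that subnet. The project IDs, region, network and subnet names, image, network tag and the placeholder project number are all assumptions; set APPLY=1 to run the commands instead of printing them.

```shell
#!/usr/bin/env bash
# Added example (not from the page): Cloud Run service with Direct VPC egress
# into a Shared VPC subnet. All identifiers below are placeholders.
set -eu

HOST_PROJECT="${HOST_PROJECT:-host-project-id}"          # assumed Shared VPC host project
SERVICE_PROJECT="${SERVICE_PROJECT:-service-project-id}" # assumed project that runs Cloud Run
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-shared-vpc}"                          # assumed host-project VPC network
SUBNET="${SUBNET:-cloud-run-subnet}"                      # assumed subnet in REGION, host project
IMAGE="${IMAGE:-us-docker.pkg.dev/cloudrun/container/hello}"

# Dry-run guard: print each command unless APPLY=1, so the plan can be reviewed first.
gc() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# The network and subnet are host-project resources, so Cloud Run needs their full paths.
network_path() { printf 'projects/%s/global/networks/%s' "$HOST_PROJECT" "$NETWORK"; }
subnet_path()  { printf 'projects/%s/regions/%s/subnetworks/%s' "$HOST_PROJECT" "$REGION" "$SUBNET"; }

# Grant the service project's Cloud Run service agent Network User on the subnet only,
# rather than on the whole host project, to keep the grant as narrow as possible.
grant_subnet_access() {
  local project_number
  if [ "${APPLY:-0}" = "1" ]; then
    project_number=$(gcloud projects describe "$SERVICE_PROJECT" --format='value(projectNumber)')
  else
    project_number="${SERVICE_PROJECT_NUMBER:-123456789012}"  # placeholder for dry-run mode
  fi
  gc gcloud compute networks subnets add-iam-policy-binding "$SUBNET" \
    --project="$HOST_PROJECT" --region="$REGION" \
    --member="serviceAccount:service-${project_number}@serverless-robot-prod.iam.gserviceaccount.com" \
    --role="roles/compute.networkUser"
}

# Deploy with Direct VPC egress. $1 = service name, $2 = network tag applied to the
# service's traffic, which host-project firewall rules can then match on.
# private-ranges-only sends just RFC 1918 destinations through the VPC; use
# all-traffic when every egress packet must leave via the VPC (e.g. through Cloud NAT).
deploy_service() {
  gc gcloud run deploy "$1" --project="$SERVICE_PROJECT" --region="$REGION" --image="$IMAGE" \
    --network="$(network_path)" --subnet="$(subnet_path)" \
    --network-tags="$2" \
    --vpc-egress=private-ranges-only
}

main() {
  grant_subnet_access
  deploy_service api vpc-egress
}

# Run the plan only when executed directly, not when sourced.
case "${0##*/}" in *.sh|bash|sh) : ;; esac
[ "${RUN_MAIN:-1}" = "1" ] && [ "${APPLY:-0}" = "1" ] && main || true
```

In dry-run mode (the default) the functions only print the gcloud invocations; review them, then re-run with APPLY=1. The network tag is what lets the host-project administrator scope firewall rules to this service's traffic rather than to the whole subnet.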

Serverless VPC Access connectors

If you need to use Serverless VPC Access connectors, you can set them up in Shared VPC service projects that have Cloud Run resources needing access to your network, or you can set up shared connectors in the Shared VPC host project. There are advantages to each method.

Service projects

Advantages of creating connectors in the Shared VPC service projects:

  • Isolation: Each connector has dedicated bandwidth and is unaffected by bandwidth use of connectors in other service projects. This is good if you have a service that experiences spikes in traffic or if you need to ensure that each service project is unaffected by connector use of other service projects.
  • Chargebacks: Charges incurred by connectors are associated with the service project containing the connector. This enables easier chargebacks.
  • Security: Supports the principle of least privilege. A connector can only reach the resources in the Shared VPC network that firewall rules allow it to reach. With one connector per service project, the host project administrator can write firewall rules that limit the services in that project to exactly the resources they need.
  • Team independence: Reduces dependency on the host project administrator. Teams can create and manage the connectors associated with their service project. A user with the Compute Engine Security Admin role or a custom Identity and Access Management (IAM) role with the compute.firewalls.create permission enabled for the host project must still manage firewall rules for the connector.

To set up connectors in service projects, see Configure connectors in service projects.

Host project

Advantages of creating connectors in the Shared VPC host project:

  • Centralized network management: Aligns with the Shared VPC model of centralizing network configuration resources in the host project.
  • IP address space: Preserves more of your IP address space. Connectors require an IP address for each instance, so having fewer connectors, and fewer instances in each connector, uses fewer IP addresses. This is good if you are concerned about running out of IP addresses.
  • Maintenance: Reduces maintenance because each connector you create can be used by multiple service projects. This is good if you are concerned about maintenance overhead.
  • Cost for idle time: Can reduce the amount of connector idle time and associated cost. Connectors incur costs even when they are not serving traffic (see pricing). Having fewer connectors can reduce the amount of resources you pay for when not serving traffic, depending on your connector type and number of instances. This is often cost-effective if your use case involves a large number of services and the services are used infrequently.

To set up connectors in the host project, see Configure connectors in the host project.
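The following is an added example, not code from the original page: a gcloud script that shows both connector placements compared above side by side. For the service-project placement it creates the connector against a host-project subnet and then writes the host-project firewall rule that scopes what that connector may reach, which is the lever behind the "Security" bullet under Service projects. For the host-project placement it creates one shared connector, grants a service project's Cloud Run service agent permission to use it, and deploys a service that references the connector by its full name. Project IDs, region, network, subnet names and ranges, tags, ports, instance sizes and the placeholder project number are all assumptions; the connector's own infrastructure firewall rules (health checks and Google-managed ranges) are covered by the linked configuration pages and are not repeated here. Commands are printed unless APPLY=1.

```shell
#!/usr/bin/env bash
# Added example (not from the page): Serverless VPC Access connectors in a
# service project versus in the host project. All identifiers are placeholders.
set -eu

HOST_PROJECT="${HOST_PROJECT:-host-project-id}"          # assumed Shared VPC host project
SERVICE_PROJECT="${SERVICE_PROJECT:-service-project-id}" # assumed service project
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-shared-vpc}"                          # assumed host-project network
CONNECTOR_SUBNET="${CONNECTOR_SUBNET:-team-a-connector}"  # assumed /28 in the host project, used only by this connector
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"         # assumed primary range of that subnet
IMAGE="${IMAGE:-us-docker.pkg.dev/cloudrun/container/hello}"

# Dry-run guard: print each command unless APPLY=1.
gc() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# --- Option 1: connector in the service project -------------------------------
# The connector lives (and is billed) in the service project; --subnet-project
# points at the host project because the subnet is a Shared VPC resource.
create_service_project_connector() {
  gc gcloud compute networks vpc-access connectors create "$1" \
    --project="$SERVICE_PROJECT" --region="$REGION" \
    --subnet="$CONNECTOR_SUBNET" --subnet-project="$HOST_PROJECT" \
    --min-instances=2 --max-instances=3 --machine-type=e2-micro
}

# Least privilege: in the host project, allow traffic from the connector's subnet
# range only to instances carrying a specific tag and only on the ports needed.
# $1 = rule name, $2 = target tag on the backend VMs, $3 = protocol:port list.
# A user with compute.firewalls.create on the host project runs this.
allow_connector_to_backend() {
  gc gcloud compute firewall-rules create "$1" \
    --project="$HOST_PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW \
    --source-ranges="$CONNECTOR_RANGE" \
    --target-tags="$2" \
    --rules="$3"
}

# --- Option 2: shared connector in the host project ---------------------------
# One connector, sized for several service projects; --range is an unused /28.
create_host_project_connector() {
  gc gcloud compute networks vpc-access connectors create "$1" \
    --project="$HOST_PROJECT" --region="$REGION" --network="$NETWORK" \
    --range="$2" \
    --min-instances=2 --max-instances=10 --machine-type=e2-micro
}

# Each service project that uses the shared connector needs its Cloud Run service
# agent granted Serverless VPC Access User on the host project.
grant_connector_use() {
  local project_number
  if [ "${APPLY:-0}" = "1" ]; then
    project_number=$(gcloud projects describe "$SERVICE_PROJECT" --format='value(projectNumber)')
  else
    project_number="${SERVICE_PROJECT_NUMBER:-123456789012}"  # placeholder for dry-run mode
  fi
  gc gcloud projects add-iam-policy-binding "$HOST_PROJECT" \
    --member="serviceAccount:service-${project_number}@serverless-robot-prod.iam.gserviceaccount.com" \
    --role="roles/vpcaccess.user"
}

# A connector in another project is referenced by its full resource name.
connector_path() { printf 'projects/%s/locations/%s/connectors/%s' "$1" "$REGION" "$2"; }

# $1 = service name, $2 = project that owns the connector, $3 = connector name.
deploy_with_connector() {
  gc gcloud run deploy "$1" --project="$SERVICE_PROJECT" --region="$REGION" --image="$IMAGE" \
    --vpc-connector="$(connector_path "$2" "$3")" \
    --vpc-egress=private-ranges-only
}

main() {
  # Option 1: isolated connector, scoped to one internal backend on one port.
  create_service_project_connector team-a-conn
  allow_connector_to_backend allow-team-a-conn-to-internal-api internal-api tcp:8080
  deploy_with_connector team-a-api "$SERVICE_PROJECT" team-a-conn
  # Option 2: shared connector in the host project, used from the service project.
  create_host_project_connector shared-conn 10.8.1.0/28
  grant_connector_use
  deploy_with_connector batch-job-api "$HOST_PROJECT" shared-conn
}

[ "${APPLY:-0}" = "1" ] && main || true
```

The firewall rule in option 1 is the concrete form of the isolation the comparison describes: the source range is the connector's own subnet, so widening the rule to another backend is a host-project change that is reviewed separately from anything the service project team can do on their own. In option 2 the same rule would have to cover every tenant of the shared connector, which is the trade-off against the IP space and idle-cost savings listed above.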