Migrate Shared VPC connector to Direct VPC egress

This page is for networking specialists who want to migrate Shared VPCnetwork traffic from usingServerless VPC Access connectorsto usingDirect VPC egresswhen sending traffic to a Shared VPC network.

Direct VPC egress is faster and can handle more traffic than connectors,delivering lower latency and higher throughput because it uses a new, directnetwork path instead of connector instances.

Before migration, we recommend that you familiarize yourself with Direct VPCegressprerequisites,limitations,IP address allocation,andIAM permissions.

Migrate services to Direct VPC egress

Important: Connectors continue to incur charges even if they have no trafficand are disconnected. For details, seepricing.If you no longer need your connector, be sure todeleteit to avoid continued billing.

Migrate services to Direct VPC egress gradually

When you migrate Cloud Run services from Serverless VPC Accessconnectors to Direct VPC egress, we recommend that you do so in a gradualtransition.

To transition gradually:

  1. Follow the instructions in this guide to update your service or job touse Direct VPC egress.
  2. Split a small percentage of trafficto test that the traffic works correctly.
  3. Update the traffic split to send all traffic to the new revision usingDirect VPC egress.

To migrate traffic with Direct VPC egress for a service, use theGoogle Cloud console or Google Cloud CLI:

Console

  1. In the Google Cloud console, go to the Cloud RunServices page:

    Go to Cloud Run

  2. Click the service that you want to migrate from a connector to DirectVPC egress, then clickEdit and deploy new revision.

  3. Click theNetworking tab.

  4. FromConnect to a VPC for outbound traffic, clickSend traffic directly to a VPC.

  5. SelectNetworks shared with me.

  6. In theNetwork field, select the Shared VPCnetwork that you want to send traffic to.

  7. In theSubnet field, select the subnet where your service receives IPaddresses from. You can deploy multiple services on the same subnet.

  8. Optional: Enter the names of thenetwork tagsthat you want to associate with your service or services. Network tags arespecified at the revision-level. Each service revision can have differentnetwork tags, such asnetwork-tag-2.

  9. ForTraffic routing, select one of the following:

    • Route only requests to private IPs to the VPC to send onlytraffic to internal addresses through the Shared VPC network.
    • Route all traffic to the VPC to send all outbound trafficthrough the Shared VPC network.

  10. ClickDeploy.

  11. To verify that your service is on your Shared VPC network, clickthe service, then click theNetworking tab. The network and subnetare listed in theVPC card.

    You can now send requests directly from your Cloud Run service toany resource on the Shared VPC network, as allowed by yourfirewall rules.

gcloud

To migrate a Cloud Run service from a connector to Direct VPCegress using the Google Cloud CLI:

  1. Update your service on the shared subnet by specifying the fully qualifiedresource names for the Shared VPC network and subnet using thefollowing command:

    gcloudbetarunservicesupdateSERVICE_NAME\--clear-network\--networkprojects/HOST_PROJECT_ID/global/networks/VPC_NETWORK\--subnetprojects/HOST_PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME\--network-tagsNETWORK_TAG_NAMES\--vpc-egress=EGRESS_SETTING\--regionREGION\--max-instancesMAX

    Replace the following:

    • SERVICE_NAME: the name of your Cloud Runservice.
    • IMAGE_URL: the image URL of the service.
    • HOST_PROJECT_ID: the ID of your Shared VPC project.
    • VPC_NETWORK: the name of your Shared VPC network.
    • REGION: the region for your Cloud Run service,which must match the region of your subnet.
    • SUBNET_NAME: the name of your subnet.
    • Optional:NETWORK_TAG_NAMES with the comma-separated names ofthenetwork tags youwant to associate with a service. For services, network tags are specifiedat the revision-level. Each service revision can have different networktags, such asnetwork-tag-2.
    • EGRESS_SETTING with anegress setting value:
      • all-traffic: Sends all outbound traffic through the Shared VPCnetwork.
      • private-ranges-only: Sends only traffic to internal addressesthrough the Shared VPC network.
    • MAX: the maximum number of instances to use for theShared VPC network. The maximum number of instances allowed forservices is 100.

    For more details and optional arguments, see thegcloud reference.

  2. To verify that your service is on your Shared VPC network, runthe following command:

    gcloudbetarunservicesdescribeSERVICE_NAME\--region=REGION

    Replace:

    • SERVICE_NAME with the name of your service.
    • REGION with the region for your service that youspecified in the previous step.

    The output should contain the name of your network, subnet, and egresssetting, for example:

    VPC access:  Network:       default  Subnet:        subnet  Egress:        private-ranges-only

You can now send requests from your Cloud Run service to anyresource on the Shared VPC network, as allowed by your firewallrules.

Migrate jobs to Direct VPC egress

Important: Connectors continue to incur charges even if they have no trafficand are disconnected. For details, seepricing.If you no longer need your connector, be sure todeleteit to avoid continued billing.

You can migrate traffic with Direct VPC egress for a job by using theGoogle Cloud console or Google Cloud CLI.

Console

  1. In the Google Cloud console, go to the Cloud RunJobs page:

    Go to Cloud Run

  2. Click the job that you want to migrate from a connector to DirectVPC egress, then clickEdit.

  3. Click theNetworking tab.

  4. ClickContainer, Variables & Secrets, Connections, Security toexpand the job properties page.

  5. Click theConnections tab.

  6. FromConnect to a VPC for outbound traffic, clickSend traffic directly to a VPC.

  7. SelectNetworks shared with me.

  8. In theNetwork field, select the Shared VPCnetwork that you want to send traffic to.

  9. In theSubnet field, select the subnet where your job receives IPaddresses from. You can deploy multiple jobs on the same subnet.

  10. Optional: Enter the names of thenetwork tagsthat you want to associate with a job. For jobs, network tags are specifiedat the execution-level. Each job execution can have different networktags, such asnetwork-tag-2.

  11. ForTraffic routing, select one of the following:

    • Route only requests to private IPs to the VPC to send onlytraffic to internal addresses through the Shared VPC network.
    • Route all traffic to the VPC to send all outbound trafficthrough the Shared VPC network.

  12. ClickUpdate.

  13. To verify that your job is on your Shared VPC network, clickthe job, then click theConfiguration tab. The network and subnet arelisted in theVPC card.

You can now execute your Cloud Run job and send requests from thejob to any resource on the Shared VPC network, as allowed by yourfirewall rules.

gcloud

To migrate a Cloud Run job from a connector to Direct VPCegress using the Google Cloud CLI:

  1. Disconnect your job from the Shared VPC network by running thegcloud run jobs updatecommand with the following flag:

    gcloudrunjobsupdateJOB_NAME--region=REGION\--clear-network

    Replace the following:

    • JOB_NAME: the name of your Cloud Runjob.
    • REGION: the region for your Cloud Run job.

  2. Update your job on the shared subnet by specifying the fully qualifiedresource names for the Shared VPC network and subnet using thefollowing command:

    gcloudbetarunjobscreateJOB_NAME\--clear-network\--imageIMAGE_URL\--networkprojects/HOST_PROJECT_ID/global/networks/VPC_NETWORK\--subnetprojects/HOST_PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME\--network-tagsNETWORK_TAG_NAMES\--vpc-egress=EGRESS_SETTING\--regionREGION\--max-instancesMAX

    Replace the following:

    • JOB_NAME: the name of your Cloud Runjob.
    • IMAGE_URL: the image URL of the job.
    • HOST_PROJECT_ID: the ID of your Shared VPC project.
    • VPC_NETWORK: the name of your Shared VPC network.
    • REGION: the region for your Cloud Run job,which must match the region of your subnet.
    • SUBNET_NAME: the name of your subnet.
    • Optional:NETWORK_TAG_NAMES with the comma-separated names ofthenetwork tags youwant to associate with a job. Each job execution can have differentnetwork tags, such asnetwork-tag-2.
    • EGRESS_SETTING with anegress setting value:
      • all-traffic: Sends all outbound traffic through the Shared VPCnetwork.
      • private-ranges-only: Sends only traffic to internal addressesthrough the Shared VPC network.

    For more details and optional arguments, see thegcloud reference.

  3. To verify that your job is on your Shared VPC network, runthe following command:

    gcloudbetarunjobsdescribeJOB_NAME\--region=REGION

    Replace:

    • JOB_NAME with the name of your job.
    • REGION with the region for your job that youspecified in the previous step.

    The output should contain the name of your network, subnet, and egresssetting, for example:

    VPC access:  Network:       default  Subnet:        subnet  Egress:        private-ranges-only

You can now send requests from your Cloud Run job to anyresource on the Shared VPC network, as allowed by your firewallrules.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.