Restrict network endpoint ingress for Cloud Run services

This page describes how to use ingress settings to restrict network access to your Cloud Run service.

At a network level, a Cloud Run service's endpoint is reachable from the following network ingress paths:

  • Default run.app URLs, which you can disable
  • Any configured domain mapping
  • Any configured External Application Load Balancer or Internal Application Load Balancer

All network ingress paths are subject to the service's ingress setting. The default ingress paths and ingress setting allow any resource on the internet to reach your Cloud Run service. You can use a custom constraint to restrict ingress settings for your organization or for a set of projects. IAM authentication still applies to requests reaching the service endpoints from any of the preceding network ingress paths. For a layered approach to managing access, use both network ingress settings and IAM authentication.

Use network tags to restrict connector VM access to VPC resources.

Available network ingress settings

The following settings are available:

Setting: Internal
Description: Most restrictive. Allows requests from the following sources:
  • Internal Application Load Balancer, including requests from Shared VPC networks when routed through the internal Application Load Balancer.
  • Resources allowed by any VPC Service Controls perimeter that contains your Cloud Run service. Cloud Run must be configured as a restricted service.
  • VPC networks that are in the same project as your Cloud Run service.
  • Shared VPC ingress: the Shared VPC network that your revision is configured to send traffic to. For information about when Shared VPC traffic is recognized as "internal", see Special considerations for Shared VPC.
  • The following Google Cloud products, if they're in the same project or VPC Service Controls perimeter as your Cloud Run service and if they're using the default run.app URL and not a custom domain:
Requests from these sources stay within the Google network, even if they access your service at the run.app URL. Requests from other sources, including the internet, cannot reach your service at the run.app URL or custom domains.

Setting: Internal and Cloud Load Balancing
Description: This setting allows requests from the following resources:
  • Resources allowed by the more restrictive "internal" setting
  • External Application Load Balancer
Use this setting to do the following:
  • Accept requests from the internet through the external Application Load Balancer. Direct requests to the run.app URL from the internet are not allowed.
  • Ensure that requests from the internet are subject to external Application Load Balancer features, such as Identity-Aware Proxy, Google Cloud Armor, and Cloud CDN.

Note: To enable this setting in the gcloud CLI, use internal-and-cloud-load-balancing. To enable this setting in the Google Cloud console, select Internal > Allow traffic from external Application Load Balancers.

Setting: All
Description: Least restrictive. Allows all requests, including requests directly from the internet to the run.app URL.
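To see how the three settings combine with the default-URL switch in practice, here is an added audit example. It is not part of this page and not Cloud Run tooling; it reads the Knative-style Service objects that `gcloud run services list --format json` returns (the sample below is constructed inline, not captured from a real project, and keeps only the fields used) and reports, per service, which paths an arbitrary internet client can use. The annotation keys are the ones this page documents; treating an absent ingress annotation as `all` is an assumption that follows from the page's statement that the default setting lets any internet resource reach the service.

```python
import json

# Annotation keys documented on this page.
INGRESS_KEY = "run.googleapis.com/ingress"
DEFAULT_URL_DISABLED_KEY = "run.googleapis.com/default-url-disabled"
VALID_INGRESS = {"all", "internal", "internal-and-cloud-load-balancing"}

# Constructed sample (not real project data) in the Knative Service shape that
# `gcloud run services list --format json` returns; only the fields used here are included.
SAMPLE_SERVICES_JSON = json.dumps([
    {"metadata": {"name": "public-api",
                  "annotations": {INGRESS_KEY: "all"}},
     "status": {"url": "https://public-api-abc123-uc.a.run.app"}},
    {"metadata": {"name": "lb-fronted",
                  "annotations": {INGRESS_KEY: "internal-and-cloud-load-balancing",
                                  DEFAULT_URL_DISABLED_KEY: "true"}},
     "status": {}},
    {"metadata": {"name": "backend",
                  "annotations": {INGRESS_KEY: "internal"}},
     "status": {"url": "https://backend-abc123-uc.a.run.app"}},
    # No ingress annotation at all: the page states that the default allows any internet resource.
    {"metadata": {"name": "legacy"},
     "status": {"url": "https://legacy-abc123-uc.a.run.app"}},
])


def load_services(services_json):
    """Parse the JSON list of Service objects."""
    return json.loads(services_json)


def effective_ingress(service):
    """Ingress setting in force; an absent annotation is treated as the default, 'all' (assumption)."""
    annotations = service.get("metadata", {}).get("annotations") or {}
    value = annotations.get(INGRESS_KEY, "all")
    if value not in VALID_INGRESS:
        raise ValueError(f"unexpected ingress value {value!r} on {service['metadata']['name']}")
    return value


def default_url_disabled(service):
    """True when the run.app URL has been turned off for this service."""
    annotations = service.get("metadata", {}).get("annotations") or {}
    return str(annotations.get(DEFAULT_URL_DISABLED_KEY, "false")).lower() == "true"


def internet_paths(service):
    """Paths by which an arbitrary internet client can reach the endpoint, per the settings table.

    Custom domain mappings are separate resources not visible in this data, so a service
    with ingress 'all' and a mapped domain is still internet-reachable through that domain.
    """
    ingress = effective_ingress(service)
    paths = []
    if ingress == "all" and not default_url_disabled(service):
        paths.append("run.app URL")
    if ingress in ("all", "internal-and-cloud-load-balancing"):
        paths.append("external Application Load Balancer")
    return paths


def audit(services_json):
    """Names of services whose run.app URL answers directly to the internet (IAM aside)."""
    return [svc["metadata"]["name"]
            for svc in load_services(services_json)
            if "run.app URL" in internet_paths(svc)]


if __name__ == "__main__":
    for svc in load_services(SAMPLE_SERVICES_JSON):
        name = svc["metadata"]["name"]
        print(f"{name:<12} ingress={effective_ingress(svc):<36} internet paths: "
              f"{', '.join(internet_paths(svc)) or 'none'}")
    print("Directly reachable at run.app from the internet:", audit(SAMPLE_SERVICES_JSON))
```

The audit deliberately ignores IAM: a service that is internet-reachable at the network level but requires authentication is still the second layer of the layered approach described above, and the point of the network setting is that the request never reaches the service at all.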

Access internal services

The following additional considerations apply:

  • When accessing internal services, call them as you would normally do using their URL, either the default run.app URL or a custom domain set up in Cloud Run.

  • For requests from Compute Engine VM instances, no further setup is required for machines that have external IP addresses or that use Cloud NAT. Otherwise, see Receive requests from VPC networks.

  • When calling from Cloud Run or App Engine to a Cloud Run service that's set to "Internal" or "Internal and Cloud Load Balancing", traffic must route through a VPC network that's considered internal. See Receive requests from other Cloud Run services or App Engine.

  • Requests from resources within VPC networks in the same project are "internal" even if the resource that they originate from has an external IP address.

  • Requests from on-premises resources connected to the VPC network using Cloud VPN and Cloud Interconnect are "internal."

Set ingress for Cloud Run services

You can set ingress by using the Google Cloud console, Google Cloud CLI, YAML, or Terraform.

Console

  1. In the Google Cloud console, go to the Cloud Run Services page:

    Go to Cloud Run

  2. If you are configuring a new service, click Deploy container to display the Create service form. Fill out the initial service settings page.

  3. If you are configuring an existing service, click the service, and then click the Networking tab.

  4. Select the ingress traffic you want to allow.

  5. Click Create or Save.

gcloud

  1. If you are deploying a new service, deploy your service with the --ingress flag:

    gcloud run deploy SERVICE --image IMAGE_URL --ingress INGRESS

    Replace the following:

    • INGRESS: one of the available ingress settings:
      • all
      • internal
      • internal-and-cloud-load-balancing
    • SERVICE: your service name
    • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
  2. If you are changing an existing service's ingress:

    gcloud run services update SERVICE --ingress INGRESS

    Replace SERVICE and INGRESS as described in the previous step.

YAML

  1. If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:

    gcloud run services describe SERVICE --format export > service.yaml

  2. Update the run.googleapis.com/ingress: annotation:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/ingress: INGRESS
      name: SERVICE
    spec:
      template:
        metadata:
          name: REVISION

    Replace the following:

    • SERVICE: the name of your Cloud Run service
    • INGRESS: one of the available ingress settings:
      • all
      • internal
      • internal-and-cloud-load-balancing
    • REVISION: a new revision name, or delete the field if present. If you supply a new revision name, it must meet the following criteria:
      • Starts with SERVICE-
      • Contains only lowercase letters, numbers and -
      • Does not end with a -
      • Does not exceed 63 characters
  3. Replace the service with its new configuration using the following command:

    gcloud run services replace service.yaml

Terraform

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Add the following to a google_cloud_run_v2_service resource in your Terraform configuration:

resource "google_cloud_run_v2_service" "default" {
  provider            = google-beta
  name                = "ingress-service"
  location            = "us-central1"
  deletion_protection = false # set to "true" in production

  # For valid annotation values and descriptions, see
  # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service#ingress
  ingress = "INGRESS_TRAFFIC_INTERNAL_ONLY"

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # public image for your service
    }
  }
}

Note: Administrators can restrict the ingress settings that developers can select by setting the run.allowedIngress organization policy.

Disable the default URL

Disable the default run.app URLs of a Cloud Run service to only allow traffic from the service's other ingress paths: Cloud Load Balancing and any configured domain mapping.

To disable the default URL, perform the following steps by using the Google Cloud console, Google Cloud CLI, YAML, or Terraform.

Console

  1. In the Google Cloud console, go to the Cloud Run Services page:

    Go to Cloud Run

  2. Click an existing service.

  3. Select the Networking tab.

  4. In the Endpoints card, clear Enable under Default HTTPS endpoint URL.

  5. Click Save.

To restore the default URL, select Enable and click Save.

gcloud

  • For an existing service, run the gcloud run services update command with the --no-default-url flag, for example:

    gcloud run services update SERVICE_NAME --no-default-url

  • For a new service, run the gcloud run deploy command with the --no-default-url flag, for example:

    gcloud run deploy SERVICE_NAME --no-default-url

    where SERVICE_NAME is the name of your Cloud Run service.

    In the output, the URL displays as None.

To restore the default URL, use the --default-url flag.

YAML

  1. If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:

    gcloud run services describe SERVICE --format export > service.yaml

  2. To disable the run.app URL, use the run.googleapis.com/default-url-disabled annotation:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      annotations:
        run.googleapis.com/default-url-disabled: true
      name: SERVICE
    spec:
      template:
        metadata:
          name: REVISION

    Replace the following:

    • SERVICE: the name of your Cloud Run service.
    • REVISION: a new revision name, or delete the field if present. If you supply a new revision name, it must meet the following criteria:
      • Starts with SERVICE-
      • Contains only lowercase letters, numbers and -
      • Does not end with a -
      • Does not exceed 63 characters
  3. Create or update the service using the following command:

    gcloud run services replace service.yaml

To restore the default URL, remove the run.googleapis.com/default-url-disabled annotation.

Terraform

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Add the following to a google_cloud_run_v2_service resource in your Terraform configuration:

resource "google_cloud_run_v2_service" "disable_default_url_service" {
  name                 = "cloudrun-service"
  location             = "europe-west1"
  default_uri_disabled = true

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
    annotations = {
      "run.googleapis.com/ingress" = "all" # "all" or "internal-only"
    }
  }
}

Verify that the launch_stage and default_uri_disabled lines are in your main.tf file. The preceding google_cloud_run_v2_service resource specifies a Cloud Run service with the default URL disabled in Preview.

To restore the default URL, remove the default_uri_disabled and launch_stage arguments.

The following Google Cloud services use the default run.app URL to invoke Cloud Run. Disabling the default run.app URL prevents these services from working as expected:

Note: To use custom domain mappings, map the custom domain before you disable the run.app URL.


Last updated 2026-02-19 UTC.