Using VPC Service Controls (VPC SC)

VPC Service Controls is a Google Cloud feature that lets you set up a secure perimeter to guard against data exfiltration. Both the default run.app URL and custom domains are subject to VPC Service Controls. This guide shows how to use VPC Service Controls with Cloud Run to add additional security to your services.

Limitations and advisories

  • For Artifact Registry or Container Registry:

    • The registry where you store your container must be in the same VPC Service Controls service perimeter as the project you're deploying to.
    • The code being built must be in the same perimeter as the registry that the container is being pushed to.
  • The continuous deployment feature is not available for projects inside a VPC Service Controls perimeter.

  • When Cloud Run services are invoked, VPC Service Controls policy enforcement does not use the client's IAM authentication information. Such requests have the following limitations:

    • VPC Service Controls ingress policy rules that use IAM principals are not supported.
    • Access levels for VPC Service Controls perimeters that use IAM principals are not supported.

Set up your organization to support VPC Service Controls

To use VPC Service Controls with Cloud Run, you can configure a service perimeter at the organization level. By configuring appropriate organization policies, you can make sure that VPC Service Controls checks are enforced when using Cloud Run and that developers can only deploy services compliant with VPC Service Controls. Learn more about inheritance and violations when setting an organization policy.

If you are deploying Cloud Run functions with gcloud functions, you or your administrator must grant the Cloud Build service account access on the VPC Service Controls perimeter. Refer to Build process overview for more information.

Set up a VPC Service Controls perimeter

The following steps show how to set up a VPC Service Controls perimeter.

  1. Make sure that you have the required roles for administering VPC Service Controls.

  2. In the Google Cloud console, go to the VPC Service Controls page.


  3. If you are prompted, select your Organization.

  4. Click Manage Access Policies. Select an access policy or create one. The access policy must include all projects that you want to add to the perimeter.

  5. Click New Perimeter. Type a name for the perimeter.

  6. Select the projects that you want to secure within the perimeter.

    1. Click Projects.

    2. In the Add Projects window, select the projects you want to add.

      If you are using Shared VPC, make sure to add the host project and service projects.

    3. Click the Add Projects button.

  7. Select Cloud Run as the service that you want to secure within the perimeter.

    1. Click Restricted Services.

    2. Click Add Services.

    3. Search for "Cloud Run." Then select Cloud Run Admin API. (Select Cloud Functions V2 API if you used gcloud functions.)

    4. Click Add Cloud Run Admin API (or Cloud Functions V2 API if you used gcloud functions).

  8. Enable access for developers.

    Turning on VPC Service Controls for Cloud Run prevents all access from outside the perimeter, including viewing and deploying services from machines not in the perimeter, such as company laptops. In order for developers and application operators to view and deploy resources within the perimeter, you must configure the perimeter ingress policy:

    1. Click Ingress Policy.

    2. Specify the Source, Identity, Project, and Services.

    3. Click Add Rule.

    If your organization uses Access Context Manager, you can also enable access for developers by setting access levels.

  9. Click Create Perimeter.

Once you have completed these steps, all calls to the Cloud Run Admin API are checked to make sure that they originate from within the same perimeter.

Set up organization policies

To manage organization policies, you need the Organization Policy Administrator (roles/orgpolicy.policyAdmin) role.

To comply with VPC Service Controls and protect against data exfiltration, set up the following organization policies that control the allowable ingress and egress settings for Cloud Run in the service perimeter.

Note: The organization policies are enforced during administrative actions such as deploying a revision, migrating traffic and changing service settings. Existing services continue to serve traffic and might pose an exfiltration risk until they are re-deployed with the allowed settings. Refer to Audit existing services to ensure VPC Service Controls compliance.

Restrict allowed ingress settings

The run.allowedIngress organization policy controls the ingress settings that developers are allowed to use for Cloud Run. Set this organization policy to mandate that developers use the value internal if you want to allow only internal requests, or internal-and-cloud-load-balancing if you want to allow requests through an external Application Load Balancer, with the access controls managed by Cloud Load Balancing.

For more information on these settings, refer to Restricting ingress for Cloud Run.

Console

  1. Go to the Allowed ingress settings (Cloud Run) policy page in the Google Cloud console:


  2. Click Edit.

  3. On the Edit page, select Customize.

  4. Under Policy enforcement, select Replace.

  5. Under Policy values, select Custom.

  6. Under Policy type, select Allow.

  7. Under Custom values, enter internal. If you'd like to also allow Cloud Load Balancing traffic, click New policy value and enter internal-and-cloud-load-balancing.

  8. Click Save.

gcloud

Use the gcloud resource-manager org-policies allow command:

    gcloud resource-manager org-policies allow \
      run.allowedIngress internal \
      --organization ORGANIZATION_ID

where ORGANIZATION_ID is your organization ID. If you'd like to also allow Cloud Load Balancing traffic, replace run.allowedIngress internal with run.allowedIngress internal-and-cloud-load-balancing.

After this organization policy is in place, all services must use allowed values for their ingress settings. This means that Cloud Run services can only accept traffic originating from a VPC network within the service perimeter. Attempts to set ingress to a different value will be blocked by the organization policy.

Restrict allowed VPC egress settings

The run.allowedVPCEgress organization policy controls the egress settings that developers are allowed to use for Cloud Run. Set this organization policy to allow only the value all-traffic:

Console

  1. Go to the Allowed VPC egress settings (Cloud Run) policy page in the Google Cloud console:


  2. Click Edit.

  3. On the Edit page, select Customize.

  4. Under Policy enforcement, select Replace.

  5. Under Policy values, select Custom.

  6. Under Policy type, select Allow.

  7. Under Custom values, enter all-traffic.

  8. Click Save.

gcloud

Use the gcloud resource-manager org-policies allow command:

    gcloud resource-manager org-policies allow \
      run.allowedVPCEgress all-traffic \
      --organization ORGANIZATION_ID

where ORGANIZATION_ID is your organization ID.

Behavior after organization policy is set

After the organization policy is in place, all new revisions must use Direct VPC egress or a Serverless VPC Access connector and must use the value all-traffic for their egress settings. This combination routes all egress traffic from these revisions through a VPC network, subjecting this traffic to the VPC network's firewall rules and other settings. New revision deployments specifying a different value are blocked by the organization policy.

Org policy and traffic migrations

For services existing before the organization policy was set, you can continue to migrate traffic to non-compliant revisions until all revisions serving traffic have become compliant.

This behavior lets you test and gradually roll out new revisions that comply with the policy. After all revisions serving traffic are compliant with the policy, any attempt to move traffic to non-compliant revisions will be blocked by the org policy.

Set up your project to support VPC Service Controls

For individual projects within the service perimeter, you must perform additional configuration to use VPC Service Controls.

Configure VPC networks

This section shows how to configure your VPC network so that requests sent to the regular googleapis.com domains are automatically routed to the restricted virtual IP (VIP) range, 199.36.153.4/30 (restricted.googleapis.com), where your Cloud Run service is serving. No code changes are needed.

For each VPC network in a project, follow these steps to block outbound traffic except for traffic to the restricted VIP range:

  1. Enable Private Google Access on the subnets hosting your VPC network resources.

  2. Configure firewall rules to prevent data from leaving the VPC network:

    Caution: Failure to correctly configure firewall rules could leave your services vulnerable to data exfiltration.
  3. Create a Cloud DNS response policy.

        gcloud dns response-policies create RESPONSE_POLICY \
          --networks=NETWORK \
          --description=DESCRIPTION

    Replace the following:

    • RESPONSE_POLICY: a name for your response policy.
    • NETWORK: the name of the network to associate with this policy. To specify multiple networks, separate the names of each network by commas, for example: network1,network2.
    • DESCRIPTION: a description of the response policy, such as Cloud Run VPC Service Controls response policy.
  4. Add a rule to the response policy to resolve *.googleapis.com to restricted.googleapis.com. The IP address range for restricted.googleapis.com is 199.36.153.4/30.

        gcloud dns response-policies rules create RESPONSE_POLICY_RULE \
          --response-policy=RESPONSE_POLICY \
          --dns-name="*.googleapis.com." \
          --local-data=name="restricted.googleapis.com.",type="A",ttl=300,rrdatas="199.36.153.4|199.36.153.5|199.36.153.6|199.36.153.7"

    Replace the following:

    • RESPONSE_POLICY_RULE: a name for your response policy rule.
    • RESPONSE_POLICY: the name of the response policy that you created in the previous step, in quotes.
  5. Add a rule to the response policy to resolve *.run.app (or *.cloudfunctions.net if you created your function using gcloud functions deploy) to restricted.googleapis.com. The IP address range for restricted.googleapis.com is 199.36.153.4/30.

        gcloud dns response-policies rules create RESPONSE_POLICY_RULE \
          --response-policy=RESPONSE_POLICY \
          --dns-name="*.run.app." \
          --local-data=name="restricted.googleapis.com.",type="A",ttl=300,rrdatas="199.36.153.4|199.36.153.5|199.36.153.6|199.36.153.7"

    Replace the following:

    • RESPONSE_POLICY_RULE: a name for your response policy rule.
    • RESPONSE_POLICY: the name of the response policy that you specified in the previous step, in quotes.

At this point, requests originating from within the VPC network:

  • Are not able to leave the VPC network, preventing egress outside the service perimeter.
  • Can only reach Google APIs and services that check VPC Service Controls, preventing exfiltration through Google APIs.
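To confirm from a VM inside the VPC network that the response policy rules above are actually being applied, the following added check (not part of the original page) resolves a few Google API and Cloud Run hostnames and reports any address that falls outside the 199.36.153.4/30 restricted VIP range. The hostname list is constructed, the run.app name is a placeholder, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket

# The restricted VIP range that the Cloud DNS response policy rules map
# *.googleapis.com and *.run.app to (199.36.153.4 through 199.36.153.7).
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")


def system_resolver(hostname):
    """Resolve a hostname with the VM's configured resolver; returns IPv4 strings."""
    return socket.gethostbyname_ex(hostname)[2]


def check_restricted_resolution(hostnames, resolver=system_resolver):
    """Return {hostname: [addresses outside the restricted VIP range]}.

    An empty list means every address the name resolved to lies inside
    199.36.153.4/30, i.e. the response policy is in effect for that name.
    A name that fails to resolve is reported as a finding too.
    """
    report = {}
    for host in hostnames:
        try:
            addrs = resolver(host)
        except OSError as exc:
            report[host] = [f"unresolved: {exc}"]
            continue
        report[host] = [a for a in addrs if ipaddress.ip_address(a) not in RESTRICTED_VIP]
    return report


# Constructed list of names a workload inside the perimeter typically contacts.
DEFAULT_HOSTNAMES = [
    "storage.googleapis.com",
    "run.googleapis.com",
    "example-service-abc123-uc.a.run.app",  # placeholder Cloud Run URL, not a real service
]

if __name__ == "__main__":
    # Run this from a VM in the VPC network that the response policy is attached to.
    for host, leaks in check_restricted_resolution(DEFAULT_HOSTNAMES).items():
        print(("OK   " if not leaks else "LEAK ") + host + (f" -> {leaks}" if leaks else ""))
```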

Deploy VPC Service Controls-compliant Cloud Run services and jobs

After VPC Service Controls is configured for Cloud Run, make sure that all Cloud Run services and jobs deployed within the service perimeter enable VPC Service Controls. This requires the following:

  • Cloud Run services and jobs must use Direct VPC egress or a Serverless VPC Access connector. See Connecting to a VPC network for more information.
  • Cloud Run services and jobs must route all outgoing traffic through the VPC network. See Egress settings for more information.
  • Cloud Run services must allow traffic from internal sources only. See Ingress settings for more information. Setting ingress to "all" disables VPC Service Controls enforcement.

Audit existing services for VPC Service Controls compliance

After setting up VPC Service Controls, new services created in projects within the service perimeter are automatically checked for compliance. However, to avoid disruption of existing workloads, existing services continue to work and might not comply with organization policies.

Google recommends that you periodically audit your services to make sure your ingress and egress settings conform with the requirements, and update or redeploy services as necessary. For example, you could create a script that uses the Cloud Run Admin API to list your services and highlight those that do not specify the proper network settings.
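The following added audit script (not from the original page or from Google) implements that recommendation for the three requirements listed above: ingress restricted to internal sources, a VPC path (connector or Direct VPC egress) configured, and egress set to all-traffic. It assumes the v1 Service JSON shape printed by `gcloud run services list --format=json` and the run.googleapis.com annotation keys named in the code; the sample services are constructed.

```python
import json
import sys

# Annotation keys on the v1 Service: ingress is service-level, VPC settings are revision-level.
INGRESS_KEY = "run.googleapis.com/ingress"
EGRESS_KEY = "run.googleapis.com/vpc-access-egress"
CONNECTOR_KEY = "run.googleapis.com/vpc-access-connector"
DIRECT_VPC_KEY = "run.googleapis.com/network-interfaces"
# Ingress values that keep VPC Service Controls enforcement; "all" disables it.
ALLOWED_INGRESS = {"internal", "internal-and-cloud-load-balancing"}


def check_service(service):
    """Return the list of compliance problems for one Service (empty if compliant)."""
    svc_ann = service.get("metadata", {}).get("annotations") or {}
    tmpl_ann = service.get("spec", {}).get("template", {}).get("metadata", {}).get("annotations") or {}
    problems = []
    ingress = svc_ann.get(INGRESS_KEY, "all")  # an unset annotation means the default, "all"
    if ingress not in ALLOWED_INGRESS:
        problems.append(f"ingress is {ingress!r}; must be internal or internal-and-cloud-load-balancing")
    if CONNECTOR_KEY not in tmpl_ann and DIRECT_VPC_KEY not in tmpl_ann:
        problems.append("no Serverless VPC Access connector or Direct VPC egress configured")
    egress = tmpl_ann.get(EGRESS_KEY, "private-ranges-only")  # assumed Cloud Run default when unset
    if egress != "all-traffic":
        problems.append(f"vpc-access-egress is {egress!r}; must be all-traffic")
    return problems


def audit_services(services):
    """Map each service name to its problems; compliant services map to an empty list."""
    return {s["metadata"]["name"]: check_service(s) for s in services}


# Constructed sample resources (not real services): one compliant, two not.
SAMPLE_SERVICES = [
    {"metadata": {"name": "orders-api", "annotations": {INGRESS_KEY: "internal"}},
     "spec": {"template": {"metadata": {"annotations": {
         CONNECTOR_KEY: "projects/p/locations/us-central1/connectors/c",
         EGRESS_KEY: "all-traffic"}}}}},
    {"metadata": {"name": "public-site", "annotations": {INGRESS_KEY: "all"}},
     "spec": {"template": {"metadata": {"annotations": {}}}}},
    {"metadata": {"name": "batch-worker", "annotations": {INGRESS_KEY: "internal"}},
     "spec": {"template": {"metadata": {"annotations": {
         DIRECT_VPC_KEY: '[{"network":"default","subnetwork":"default"}]',
         EGRESS_KEY: "private-ranges-only"}}}}},
]

if __name__ == "__main__":  # pipe `gcloud run services list --format=json` into this script
    data = SAMPLE_SERVICES if sys.stdin.isatty() else json.load(sys.stdin)
    for name, problems in audit_services(data).items():
        print(("OK  " if not problems else "FIX ") + name + "".join("\n    - " + p for p in problems))
```

Without piped input the script audits the constructed sample, which is handy for checking the rules before pointing it at a real project.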

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-05 UTC.