Configure connectors in Shared VPC service projects
If your organization uses Shared VPC, you can set up Serverless VPC Access connectors in either the service project or the host project. This guide shows how to set up a connector in the service project.
If you need to set up a connector in the host project, see Configure connectors in the host project. To learn about the advantages of each method, see Connecting to a Shared VPC network.
At a high level, you must take the following steps:
- Add firewall rules to allow required IP ranges
- Grant permissions
- Create a subnet
- In the page Configuring Serverless VPC Access, complete the steps in the following sections:
Before you begin
Serverless VPC Access is not compatible with the URL Fetch service. Before you begin, disable the URL Fetch default and discontinue any explicit use of the urlfetch library.
Add firewall rules to allow IP ranges
To perform these steps, you must have one of the following roles on the host project:
- Compute Engine Security Admin role
- Custom Identity and Access Management (IAM) role with the compute.firewalls.create permission enabled
You must create firewall rules to allow requests from the following IP ranges to reach the connector and to be reached by the connector:
- NAT ranges
  107.178.230.64/26
  35.199.224.0/19
- Health check ranges
  130.211.0.0/22
  35.191.0.0/16
  108.170.220.0/23
These ranges are used by the Google infrastructure underlying Cloud Run, Cloud Run functions, and the App Engine standard environment. All requests from these IPs are guaranteed to originate from Google infrastructure, which ensures that each Cloud Run, Cloud Run functions, and App Engine service/function/app only communicates with the VPC Connector it is connected to.
For a simple configuration, apply the rules to allow serverless services in any service project connected to the Shared VPC network to send requests to any resource in the network.
Important: The rules you create using the following process apply to existing and future connectors. If you want to scope these rules so they only apply to specified connectors, see Create firewall rules with narrower scope.
To apply these rules:
Run the following three commands to set the rules to allow requests from the serverless environment to reach all VPC Connectors in the network:
gcloud compute firewall-rules create serverless-to-vpc-connector \
  --allow tcp:667,udp:665-666,icmp \
  --source-ranges 107.178.230.64/26,35.199.224.0/19 \
  --direction=INGRESS \
  --target-tags vpc-connector \
  --network=VPC_NETWORK
gcloud compute firewall-rules create vpc-connector-to-serverless \
  --allow tcp:667,udp:665-666,icmp \
  --destination-ranges 107.178.230.64/26,35.199.224.0/19 \
  --direction=EGRESS \
  --target-tags vpc-connector \
  --network=VPC_NETWORK
gcloud compute firewall-rules create vpc-connector-health-checks \
  --allow tcp:667 \
  --source-ranges 130.211.0.0/22,35.191.0.0/16,108.170.220.0/23 \
  --direction=INGRESS \
  --target-tags vpc-connector \
  --network=VPC_NETWORK
Where VPC_NETWORK is the VPC network to attach your connector to.
Create an ingress rule on your VPC network to allow requests from connectors:
gcloud compute firewall-rules create vpc-connector-requests \
  --allow tcp,udp,icmp \
  --direction=INGRESS \
  --source-tags vpc-connector \
  --network=VPC_NETWORK
This rule gives the VPC connector access to every resource in the network. To limit the resources that your serverless environment can reach using Serverless VPC Access, specify a target for these firewall rules.
Create firewall rules for specific connectors
Following the procedure in Add firewall rules to allow IP ranges results in firewall rules that apply to all connectors, both current ones and ones created in the future. If you don't want this, but instead want to create rules for specific connectors only, you can scope the rules so that they apply only to those connectors.
To limit the scope of the rules to specific connectors, you can use one of the following mechanisms:
- Network tags. Every connector has two network tags: vpc-connector and vpc-connector-REGION-CONNECTOR_NAME. Use the latter format to limit the scope of your firewall rules to a specific connector.
- IP ranges. Use this for the Egress rules only, because it doesn't work for Ingress. You can use the IP range of the connector subnet to limit the scope of your firewall rules to a single VPC connector.
Grant permissions to service accounts in your service projects
For each service project that will use VPC Connectors, a Shared VPC Admin must grant the Compute Network User role (compute.networkUser) in the host project to the service project cloudservices and vpcaccess service accounts.
To grant the role:
Use these commands:
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
  --role "roles/compute.networkUser" \
  --member "serviceAccount:service-SERVICE_PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
  --role "roles/compute.networkUser" \
  --member "serviceAccount:SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com"
If the @gcp-sa-vpcaccess service account does not exist, turn on the Serverless VPC Access API in the service project and try again:
gcloud services enable vpcaccess.googleapis.com
If you prefer not to grant these service accounts access to the entire Shared VPC network and would rather only grant access to specific subnets, you can instead grant these roles to these service accounts on specific subnets only.
Create a subnet
When using Shared VPC, the Shared VPC Admin must create a subnet for each connector. Follow the documentation in adding a subnet to add a /28 subnet to the Shared VPC network. This subnet must be in the same region as the serverless services that will use the connector.
Next steps
- In the page Configuring Serverless VPC Access, complete the steps in the following sections:
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.