Configure connectors in Shared VPC service projects

If your organization uses Shared VPC, you can set up Serverless VPC Access connectors in either the service project or the host project. This guide shows how to set up a connector in the service project.

If you need to set up a connector in the host project, see Configure connectors in the host project. To learn about the advantages of each method, see Connecting to a Shared VPC network.

At a high level, you must take the following steps:

  1. Grant permissions
  2. Create a subnet
  3. In the page Configuring Serverless VPC Access, complete the steps in the following sections:

Grant permissions to service accounts in your service projects

For each service project that will use VPC Connectors, a Shared VPC Admin must grant the Compute Network User role (compute.networkUser) in the host project to the service project cloudservices and vpcaccess service accounts.

To grant the role:

  1. Use these commands:

    gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
        --role "roles/compute.networkUser" \
        --member "serviceAccount:service-SERVICE_PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com"

    gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
        --role "roles/compute.networkUser" \
        --member "serviceAccount:SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com"

  2. If the @gcp-sa-vpcaccess service account does not exist, turn on the Serverless VPC Access API in the service project and try again:

    gcloud services enable vpcaccess.googleapis.com

If you prefer not to grant these service accounts access to the entire Shared VPC network and would rather only grant access to specific subnets, you can instead grant these roles to these service accounts on specific subnets only.
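The subnet-scoped alternative described above, as an added example that is not part of the original guide: it binds Compute Network User on a single connector subnet (created as described in "Create a subnet") rather than on the host project. The function names, the `DRY_RUN` switch and the sample values are assumptions made for this example; with `DRY_RUN=1` (the default) the commands are only printed.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): grant roles/compute.networkUser
# on one subnet only. All default values below are constructed samples.

# Print the two service accounts this guide names for a service project number.
connector_members() {
  case "$1" in
    ''|*[!0-9]*)
      # A project ID was probably passed where the project number is required.
      echo "service project number must be numeric: '$1'" >&2
      return 1 ;;
  esac
  echo "serviceAccount:service-$1@gcp-sa-vpcaccess.iam.gserviceaccount.com"
  echo "serviceAccount:$1@cloudservices.gserviceaccount.com"
}

# Run a command, or only print it when DRY_RUN is 1 (the default).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Args: HOST_PROJECT_ID REGION SUBNET_NAME SERVICE_PROJECT_NUMBER
grant_subnet_user() {
  _members="$(connector_members "$4")" || return 1
  for _member in $_members; do
    run gcloud compute networks subnets add-iam-policy-binding "$3" \
      --project "$1" --region "$2" \
      --role "roles/compute.networkUser" --member "$_member" || return 1
  done
}

# Constructed sample values; override through the environment for a real run.
grant_subnet_user "${HOST_PROJECT_ID:-example-host}" "${REGION:-us-central1}" \
  "${SUBNET_NAME:-connector-subnet}" "${SERVICE_PROJECT_NUMBER:-123456789012}"
```

Set `DRY_RUN=0` to apply the bindings; the caller needs permission to set IAM policy on the subnet in the host project.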

Create a subnet

When using Shared VPC, the Shared VPC Admin must create a subnet for each connector. Follow the documentation in adding a subnet to add a /28 subnet to the Shared VPC network. This subnet must be in the same region as the serverless services that will use the connector.


Last updated 2025-12-15 UTC.