
Direct VPC egress with a shared VPC network

Hello,

I have a Cloud Run service and I have previously set it up to connect to a shared VPC using a Serverless VPC Access connector. Now I want to try the new "Direct VPC egress" feature.

I followed the instructions here:

https://cloud.google.com/run/docs/configuring/shared-vpc-direct-vpc#deploy-service. But when I select the option "Networks shared with me (from host project: xxx)" it doesn't show my Shared VPC network.

I have set up project xxx as a host for Shared VPC, and assigned the roles/compute.networkUser role to the service project (as described in https://cloud.google.com/run/docs/configuring/shared-vpc-direct-vpc#set_up_iam_permissions).

The subnet that I am using is located in europe-west1, so it should have support for Direct VPC egress.

1 ACCEPTED SOLUTION

Thanks! It turns out that the only problem was that my user account didn't have the roles/compute.networkUser role. So I wasn't able to browse the Shared VPC networks in the Cloud Console even though it was set up correctly for the Cloud Run Service Agent.

I also succeeded in setting up the Cloud Run service using the terraform module google_cloud_run_v2_service. The docs have an example configuration for Direct VPC, but in my case the Shared VPC resides in another Google project, so I had to use the fully qualified name of the network and subnetwork, e.g.:

    # Fragment of a google_cloud_run_v2_service resource: the network and subnetwork
    # are referenced by fully qualified name because they live in the Shared VPC host project.
    vpc_access {
      network_interfaces {
        network = "projects/<host-project>/global/networks/<shared-vpc>"
        subnetwork = "projects/<host-project>/regions/<region>/subnetworks/<subnetwork>"
        tags = ["cloud-run"]
      }
      egress = "ALL_TRAFFIC"
    }

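As an added example (not from this thread or from Google's documentation), a small Python pre-flight check for the two things the thread turned on: that the fully qualified network and subnetwork names point at the same host project and at the service's region, and that a given principal actually holds roles/compute.networkUser in the host project's IAM policy. The service-agent e-mail, project number and user are constructed sample values.

```python
import re

# Direct VPC egress into a Shared VPC needs fully qualified resource names; these
# patterns pull out the host project and region so they can be cross-checked.
_NETWORK_RE = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{5,29})/global/networks/(?P<name>[a-z][a-z0-9-]*)$"
)
_SUBNET_RE = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{5,29})/regions/(?P<region>[a-z]+-[a-z]+\d+)"
    r"/subnetworks/(?P<name>[a-z][a-z0-9-]*)$"
)
NETWORK_USER = "roles/compute.networkUser"


def check_vpc_access(network: str, subnetwork: str, service_region: str) -> list[str]:
    """Return a list of problems with the vpc_access names (empty means consistent)."""
    problems = []
    net, sub = _NETWORK_RE.match(network), _SUBNET_RE.match(subnetwork)
    if net is None:
        problems.append("network must be projects/<host-project>/global/networks/<name>")
    if sub is None:
        problems.append("subnetwork must be projects/<host-project>/regions/<region>/subnetworks/<name>")
    if net and sub:
        if net["project"] != sub["project"]:
            problems.append("network and subnetwork belong to different host projects")
        if sub["region"] != service_region:
            problems.append(f"subnet is in {sub['region']} but the service is in {service_region}")
    return problems


def check_network_user(policy: dict, principals: list[str]) -> dict[str, bool]:
    """Report which principals hold roles/compute.networkUser in a host-project IAM
    policy (the JSON shape returned by `gcloud projects get-iam-policy --format=json`)."""
    granted: set[str] = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == NETWORK_USER:
            granted.update(binding.get("members", []))
    return {p: p in granted for p in principals}


# Constructed sample policy reproducing the thread's symptom: the Cloud Run service
# agent holds the role, the human user does not (project number and user are made up).
AGENT = "serviceAccount:service-123456789012@serverless-robot-prod.iam.gserviceaccount.com"
USER = "user:dev@example.com"
SAMPLE_POLICY = {"bindings": [{"role": NETWORK_USER, "members": [AGENT]},
                              {"role": "roles/viewer", "members": [USER]}]}
```

Running `check_network_user(SAMPLE_POLICY, [AGENT, USER])` against the sample policy shows the agent granted and the user not, which is why the deploy path worked while the console could not list the host project's networks.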


Hi,

I bumped into this lately; I mean, the documentation[1] and following the instructions works fine. For this concern, I believe you should double check that every configuration is set up correctly in the right project, especially the regions and the IAM permissions.

Make sure that Cloud Run is also in the same region as your Shared VPC, one that is supported by the feature. On both host and service projects, make sure that IAM permissions are correctly configured. A single misconfiguration might be what we are having right now.

[1] https://cloud.google.com/run/docs/configuring/shared-vpc-direct-vpc#deploy-service
