Hello,
I have a Cloud Run service and I have previously set it up to connect to a shared VPC using a Serverless VPC access connector. Now I want to try the new "Direct VPC egress" feature.
I followed the instructions here:
I have set up project xxx as a host for Shared VPC, and assigned the roles/compute.networkUser role to the service project (as described in https://cloud.google.com/run/docs/configuring/shared-vpc-direct-vpc#set_up_iam_permissions).
The subnet that I am using is located in europe-west1, so it should support Direct VPC egress.
Thanks! It turns out that the only problem was that my user account didn't have the roles/compute.networkUser role. So I wasn't able to browse the Shared VPC networks in the Cloud Console even though it was set up correctly for the Cloud Run Service Agent.
I also succeeded in setting up the Cloud Run service using the terraform module google_cloud_run_v2_service. The docs have an example configuration for Direct VPC, but in my case the Shared VPC resides in another Google project, so I had to use the fully qualified name of the network and subnetwork, e.g.:
vpc_access {
  network_interfaces {
    # fully qualified names, because the network lives in the host project
    network    = "projects/<host-project>/global/networks/<shared-vpc>"
    subnetwork = "projects/<host-project>/regions/<region>/subnetworks/<subnetwork>"
    tags       = ["cloud-run"]
  }
  egress = "ALL_TRAFFIC"
}
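A fuller version of the configuration described in the answer above, added here as an example rather than taken from the original post or from Google's documentation. It assumes hypothetical project IDs, region, image and network names (shared-vpc-host, cloud-run-service, europe-west1, shared-vpc, cloud-run-subnet) and the Terraform google provider's google_cloud_run_v2_service, google_compute_subnetwork_iam_member and google_project data source. It shows both halves of the setup the thread touches on: the roles/compute.networkUser grant for the service project's Cloud Run service agent in the host project, and the Cloud Run v2 service whose Direct VPC egress references the host project's network and subnet by fully qualified name.

```hcl
# Added example (not from the original post): Cloud Run v2 service using
# Direct VPC egress into a Shared VPC that lives in another project.
# All project IDs, names and the image below are placeholders.

locals {
  host_project    = "shared-vpc-host"   # Shared VPC host project (assumed)
  service_project = "cloud-run-service" # project owning the Cloud Run service (assumed)
  region          = "europe-west1"
  network         = "shared-vpc"
  subnetwork      = "cloud-run-subnet"
}

# The project number is needed to address the Cloud Run service agent.
data "google_project" "service" {
  project_id = local.service_project
}

# The service project's Cloud Run service agent
# (service-<project-number>@serverless-robot-prod.iam.gserviceaccount.com)
# must hold roles/compute.networkUser in the host project. Granting it on
# the single subnet the service uses, rather than on the whole host
# project, is the least-privilege option.
resource "google_compute_subnetwork_iam_member" "cloud_run_network_user" {
  project    = local.host_project
  region     = local.region
  subnetwork = local.subnetwork
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:service-${data.google_project.service.number}@serverless-robot-prod.iam.gserviceaccount.com"
}

resource "google_cloud_run_v2_service" "app" {
  project  = local.service_project
  name     = "app"
  location = local.region
  # Assumption: the service is only reached from inside the VPC / via
  # internal load balancing, so public ingress is switched off.
  ingress = "INGRESS_TRAFFIC_INTERNAL_ONLY"

  template {
    containers {
      # placeholder image path
      image = "europe-west1-docker.pkg.dev/${local.service_project}/app/app:latest"
    }

    vpc_access {
      network_interfaces {
        # Fully qualified names are required because the network and
        # subnet belong to the host project, not the service project.
        network    = "projects/${local.host_project}/global/networks/${local.network}"
        subnetwork = "projects/${local.host_project}/regions/${local.region}/subnetworks/${local.subnetwork}"
        # Network tags let firewall rules in the host project match the
        # service's egress traffic.
        tags = ["cloud-run"]
      }
      # ALL_TRAFFIC sends every outbound packet through the VPC;
      # PRIVATE_RANGES_ONLY would route only private-range destinations
      # through it and leave public traffic on the default path.
      egress = "ALL_TRAFFIC"
    }
  }

  # Make sure the IAM grant exists before the service tries to attach to
  # the subnet; otherwise the first apply fails with a permission error.
  depends_on = [google_compute_subnetwork_iam_member.cloud_run_network_user]
}
```

Apply it from the service project with the usual terraform init / terraform apply. The identity running Terraform needs permission to set IAM on the host project's subnet as well as to deploy Cloud Run in the service project; as the original poster found, a human account without roles/compute.networkUser on the host project will also not see the Shared VPC subnets in the Cloud Console, even though the service agent's grant is what actually makes the deployment work.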