
Redis communication through firewall needs to whitelist USA

We have a number of Cloud Run services which connect to a Redis instance running in Memorystore. Since Redis set up in this way counts as part of a project's VPC, we also have a VPC Serverless Connector which is used to connect the Cloud Run services to our VPC.
  • The redis instance is in europe-west4
  • The cloud run services are in europe-west4
  • The VPC serverless connector is in europe-west4
  • Our Cloud Run service tries to connect to the redis instance using the internal redis IP of our redis memorystore via the VPC Serverless Connector.
Since all of our services are in europe-west4 we have been trying to tighten things up by adding some additional firewall rules to only allow GCP services from the Netherlands (amongst our other constraints).

When creating a Company Firewall Policy and adding a new rule, we have noticed that when we select Google Cloud Threat Intelligence to be 'Public Clouds - GCP' and set Geolocations to be 'Netherlands' none of our Cloud Run Services can connect through the VPC Connector to Redis. If we extend that same allow rule to include 'The United States' then the Redis instance is reachable via the VPC Connector.

We have a responsibility to our clients not to let the data leave the EU, and given that all of our Cloud Run services, VPC, Redis instance and VPC Connector are in europe-west4, we need to understand what is causing this issue and how to avoid this hidden dependency on USA-based services/IPs. Specifically we would like to know what US-based services are being used in this setup and whether any data being sent to our European-hosted Redis server from our European-based Cloud Run service via our European VPC Connector is somehow going via the USA.

How can we avoid any connections to the United States in this setup?
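One way to answer the "which US-based endpoints are in play" question is to enable logging on the deny rule of the firewall policy and triage the resulting Cloud Logging entries: the denied connections that appear when the allow rule is restricted to the Netherlands are exactly the remote endpoints the Netherlands-only rule cuts off. The script below is an added example and is not from the original post or from Google; it parses constructed sample entries (labelled as such in the code) whose layout is modelled on the documented firewall-rule logging schema (jsonPayload.connection, disposition, rule_details.reference, remote_location.country). The field names, IP addresses, country codes and rule references are assumptions for illustration, not values from this thread.

```python
import json
from collections import Counter

# Constructed sample log lines (not from the post), shaped like Cloud Logging entries
# produced by firewall-rule logging: jsonPayload.connection, .disposition,
# .rule_details.reference and .remote_location. Field names, addresses and rule
# references are assumptions for illustration only.
SAMPLE_LOG_LINES = [
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "10.8.0.3", "dest_ip": "10.0.5.2", "dest_port": 6379, "protocol": 6},
        "disposition": "ALLOWED",
        "rule_details": {"reference": "network:prod-vpc/firewall:allow-nl-gcp"},
        "remote_location": {"continent": "Europe", "country": "NL"},
    }}),
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "10.8.0.3", "dest_ip": "203.0.113.10", "dest_port": 443, "protocol": 6},
        "disposition": "DENIED",
        "rule_details": {"reference": "network:prod-vpc/firewall:deny-egress-default"},
        "remote_location": {"continent": "North America", "country": "US"},
    }}),
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "10.8.0.4", "dest_ip": "203.0.113.10", "dest_port": 443, "protocol": 6},
        "disposition": "DENIED",
        "rule_details": {"reference": "network:prod-vpc/firewall:deny-egress-default"},
        "remote_location": {"continent": "North America", "country": "US"},
    }}),
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "10.8.0.4", "dest_ip": "10.0.5.2", "dest_port": 6379, "protocol": 6},
        "disposition": "ALLOWED",
        "rule_details": {"reference": "network:prod-vpc/firewall:allow-nl-gcp"},
        "remote_location": {"continent": "Europe", "country": "NL"},
    }}),
    "not json at all",  # a malformed line, skipped rather than aborting the triage
]


def parse_entries(lines):
    """Parse one JSON log entry per line; skip lines that are not firewall entries."""
    entries = []
    for line in lines:
        try:
            payload = json.loads(line).get("jsonPayload", {})
        except (ValueError, AttributeError):
            continue
        if "connection" in payload and "disposition" in payload:
            entries.append(payload)
    return entries


def denied_by_country(entries):
    """Count DENIED connections per remote country code ('??' when the field is absent)."""
    return Counter(
        e.get("remote_location", {}).get("country", "??")
        for e in entries if e["disposition"] == "DENIED"
    )


def denied_outside(entries, allowed_countries):
    """List DENIED connections whose remote endpoint lies outside the allowed countries.

    Returns (src_ip, dest_ip, dest_port, country, rule) tuples, de-duplicated and sorted,
    so each unexpected remote endpoint appears once together with the rule that blocked it.
    """
    rows = set()
    for e in entries:
        if e["disposition"] != "DENIED":
            continue
        country = e.get("remote_location", {}).get("country", "??")
        if country in allowed_countries:
            continue
        c = e["connection"]
        rule = e.get("rule_details", {}).get("reference", "?")
        rows.add((c["src_ip"], c["dest_ip"], c.get("dest_port"), country, rule))
    return sorted(rows)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG_LINES)
    print("denied per country:", dict(denied_by_country(entries)))
    for row in denied_outside(entries, {"NL"}):
        print("unexpected remote endpoint:", row)
```

Run against real entries exported from Cloud Logging, the rows from `denied_outside` give the concrete remote addresses that the Netherlands-only rule blocks. That list is the evidence needed to check what each endpoint is (for example by looking it up against the published Google IP ranges) and to decide whether customer data is actually crossing to it, rather than widening the allow rule to the whole United States.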