Cloud Functions can’t directly access resources within your private VPC network without a little help.
Let’s see this in action. Imagine you have a Cloud Function that needs to fetch data from a Cloud SQL instance residing within your private VPC. Without proper configuration, this function will fail to connect because it doesn’t have a network path into your VPC.
Here’s how we make it work:
1. The Problem: Network Isolation
By default, Cloud Functions run in Google’s managed environment, separate from your private VPC network. This isolation is great for security, but it means your function can’t see or talk to your internal resources like private IP addresses of databases or internal load balancers.
2. The Solution: VPC Network Connector
To bridge this gap, you need a VPC Network Connector. This is a resource that acts as a gateway, allowing your Cloud Functions to send and receive traffic to and from your VPC network. It essentially creates a private network path for your function.
3. Setting Up the Connector
You create a VPC Network Connector in the same region as your Cloud Function. This connector is associated with a specific VPC network and subnet.
gcloud compute networks vpc-access connectors create my-connector \
--region=us-central1 \
--network=my-vpc-network \
--subnet=projects/my-gcp-project/regions/us-central1/subnetworks/my-function-subnet \
--min-instances=2 \
--max-instances=10
my-connector: A unique name for your connector.
--region=us-central1: Must match your Cloud Function’s region.
--network=my-vpc-network: The name of your VPC network.
--subnet=...: A dedicated subnet for the connector. This subnet should have at least a /28 CIDR range and must not overlap with any other subnets in your VPC. Google recommends a /27 or larger.
--min-instances=2, --max-instances=10: These control the scaling of the connector. Start with min-instances=2 for high availability and scale up to max-instances=10 based on your function’s traffic.
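The subnet rules above (a /28 or larger, no overlap with any other subnet in the VPC) are easy to get wrong by hand, so here is a small pre-flight check for a candidate connector subnet. This is an added example and not part of the original post or of any Google tooling; the existing subnet names and CIDRs are constructed sample values, and the /28 threshold is taken from the text.

```python
"""Pre-flight check for a VPC connector subnet (added example).

Encodes the two rules stated in the text: the connector subnet must be a
/28 or larger, and it must not overlap any other subnet in the VPC.
"""
import ipaddress

# Constructed sample of subnets already present in my-vpc-network (hypothetical values).
EXISTING_SUBNETS = {
    "app-subnet": "10.10.0.0/24",
    "db-subnet": "10.10.1.0/24",
}

MAX_PREFIX_LEN = 28  # "/28 or larger", as the text states; a /29 is too small


def check_connector_subnet(candidate, existing=EXISTING_SUBNETS, max_prefix_len=MAX_PREFIX_LEN):
    """Return a list of problems with `candidate`; an empty list means it is usable."""
    problems = []
    try:
        # strict=True rejects a CIDR whose host bits are set (e.g. 10.10.1.1/28)
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR {candidate!r}: {exc}"]

    # A larger prefix length means a smaller block.
    if net.prefixlen > max_prefix_len:
        problems.append(f"{net} is smaller than /{max_prefix_len}")

    # The connector subnet must be dedicated: reject any overlap with existing subnets.
    for name, cidr in existing.items():
        other = ipaddress.ip_network(cidr)
        if net.overlaps(other):
            problems.append(f"{net} overlaps {name} ({other})")
    return problems


if __name__ == "__main__":
    for candidate in ("10.10.2.0/28", "10.10.1.16/28", "10.10.2.0/29", "10.10.1.1/28"):
        result = check_connector_subnet(candidate)
        print(candidate, "OK" if not result else "; ".join(result))
```

Run it before the gcloud create command; any non-empty result means the connector creation should not proceed with that subnet.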
4. Deploying the Function with the Connector
When you deploy your Cloud Function, you specify the VPC Network Connector it should use.
gcloud functions deploy my-private-function \
--region=us-central1 \
--runtime=nodejs18 \
--source=. \
--entry-point=handler \
--vpc-connector=projects/my-gcp-project/locations/us-central1/connectors/my-connector \
--vpc-tier=PRIVATE_VPC_ACCESS \
--trigger-http
--vpc-connector=...: This is the full resource name of the connector you created.
--vpc-tier=PRIVATE_VPC_ACCESS: This crucial flag tells the function to route its egress traffic through the VPC connector. Without it, the function will still try to access the internet or public endpoints.
5. How it Works Internally
When your function needs to access a private IP address (e.g., 10.10.0.5 for your Cloud SQL instance), the traffic is intercepted. Instead of going to the public internet, it’s routed to the VPC Network Connector. The connector, residing within your VPC network, then forwards the traffic to the destination. The response follows the same private path back. This ensures that your sensitive data never traverses the public internet.
6. The "Private IP Only" Mode
A more advanced configuration is using the PRIVATE_RANGES_ONLY VPC tier. This restricts your function’s egress traffic exclusively to your VPC network. If your function attempts to reach any public IP address (like googleapis.com), it will fail. This is excellent for maximum security and ensuring your function only communicates with internal resources.
gcloud functions deploy my-secure-function \
--region=us-central1 \
--runtime=python311 \
--source=. \
--entry-point=main \
--vpc-connector=projects/my-gcp-project/locations/us-central1/connectors/my-connector \
--vpc-tier=PRIVATE_RANGES_ONLY \
--trigger-http
This effectively turns your function into a "private-only" service, which can be a powerful security control.
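The routing behaviour described in sections 1, 5 and 6 (no path to private IPs without a connector, private traffic via the connector, and public traffic blocked under PRIVATE_RANGES_ONLY) can be modelled as a small decision function, which doubles as a pre-deployment audit of the destinations a function depends on. This is an added example, not part of the original post and not Google’s code: the tier names and the routing rule come from the text, and the destination addresses are constructed sample values.

```python
"""Model of Cloud Function egress routing as described in the text (added example)."""
import ipaddress

# RFC 1918 ranges: the "private IP addresses" the text says are sent via the connector.
PRIVATE_RANGES = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# The two --vpc-tier values the text discusses; None models a function with no connector.
PRIVATE_VPC_ACCESS = "PRIVATE_VPC_ACCESS"
PRIVATE_RANGES_ONLY = "PRIVATE_RANGES_ONLY"


def is_private(dest):
    """True if `dest` falls inside an RFC 1918 range."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in PRIVATE_RANGES)


def route_egress(dest, tier):
    """Return where traffic to `dest` goes: 'connector', 'internet', 'blocked' or 'unreachable'."""
    if tier not in (None, PRIVATE_VPC_ACCESS, PRIVATE_RANGES_ONLY):
        raise ValueError(f"unknown tier {tier!r}")
    if is_private(dest):
        # Section 1: with no connector there is no network path into the VPC.
        # Section 5: with a connector, private traffic is forwarded into the VPC.
        return "unreachable" if tier is None else "connector"
    if tier == PRIVATE_RANGES_ONLY:
        return "blocked"  # section 6: public destinations fail in private-only mode
    return "internet"     # public endpoints use the default path


def audit(destinations, tier):
    """Map each destination to its expected egress path for the given tier.

    Any 'blocked' or 'unreachable' entry is a dependency the function will not reach
    once deployed with that configuration.
    """
    return {dest: route_egress(dest, tier) for dest in destinations}


# Constructed sample destinations: the Cloud SQL private IP from the text, an internal
# load balancer, and a public address standing in for an external API.
SAMPLE_DESTINATIONS = ["10.10.0.5", "192.168.20.4", "203.0.113.10"]

if __name__ == "__main__":
    for tier in (None, PRIVATE_VPC_ACCESS, PRIVATE_RANGES_ONLY):
        print(tier, audit(SAMPLE_DESTINATIONS, tier))
```

Feeding the audit the IPs of every external dependency (package mirrors, Google APIs, third-party webhooks) before switching a function to PRIVATE_RANGES_ONLY shows exactly which calls will start failing.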
7. The Takeaway: Egress Control is Key
The VPC Network Connector is your tool for giving Cloud Functions private network access. The --vpc-tier flag determines how that access is granted – whether it’s for private resources only or for both private and public resources, with private traffic being routed through the connector.
The next hurdle you’ll likely encounter is managing DNS resolution for your private resources from within the Cloud Function.