Direct VPC egress
Google Cloud has made Direct VPC egress for Google Cloud Run generally available (GA). With this feature, traffic from your Cloud Run resources reaches a VPC network directly, saving time and money by removing the need to proxy through Serverless VPC Access connectors.
In fact, at up to 1 GB per second per instance, Direct VPC egress offers roughly twice the throughput of both VPC connectors and the standard Cloud Run internet egress path. That means higher throughput and lower latency for performance-sensitive apps, whether you are sending traffic to destinations in the VPC, to other Google Cloud services such as Cloud Storage, or to destinations on the public internet.
What has changed since the teaser
Notable enhancements and additions:
- Direct VPC egress is now supported in all regions where Google Cloud Run is accessible.
- Now, under quota management, every Google Cloud Run service revision with Direct VPC can scale to more than 100 instances. If you require even greater scalability, there is a defined procedure for requesting quota increases.
- Direct VPC egress traffic is now included in VPC Flow Logs and Firewall Rules Logging, and Cloud NAT is supported.
These changes address the primary concerns raised by Google Cloud preview users, particularly larger customers with complex networking, scalability, and security needs.
Encrypting Data Between Cloud Run and VPC
Before Direct VPC egress, developers used Serverless VPC Access (SVPC) connectors to connect Cloud Run services to VPC resources. SVPC was useful, but it had a number of drawbacks:
- Management overhead: setting up and operating the connector virtual machines (VMs) inside the VPC added a layer of complexity for developers.
- Scalability restrictions: the limited number of outbound connections available on SVPC connectors hampered applications with high concurrent traffic demands.
- Cost: connector VMs incurred ongoing charges even while application activity was minimal.
These restrictions made it difficult for Google Cloud Run apps to seamlessly integrate with private and protected resources inside a VPC.
Direct VPC Egress
A Simplified Approach
Direct VPC egress, a new way of connecting Cloud Run services to VPC resources, was introduced in 2023 and is now generally available. It removes the need to manage connector virtual machines and brings several significant advantages:
Simplified Configuration
Connector virtual machines are no longer required. Direct VPC egress lets developers enable access to a particular VPC network with minimal configuration, so they can concentrate on building their apps.
Improved Scalability
Direct VPC egress uses Google Cloud's internal network fabric, giving Cloud Run instances access to a large pool of outbound connections and making them well suited to applications with high traffic volumes.
Cost Optimisation
Direct VPC egress follows a pay-per-use model. There is no fixed cost for running connector virtual machines, as there is with SVPC; instead, you pay only for the resources your Cloud Run service actually uses.
Enhanced Security
Traditional Cloud Run egress routes traffic over the public internet, which widens the exposure of that traffic. By keeping communication with VPC resources inside Google Cloud's internal network, Direct VPC egress reduces that exposure.
Granular Control
Cloud Run revisions can be associated with network tags. This lets developers apply fine-grained network access control through firewall rules, specifying exactly which VPC resources particular revisions are allowed to reach.
How Direct VPC Egress Operates
When you enable Direct VPC egress on a Cloud Run service, Google Cloud assigns your Cloud Run instances internal IP addresses within the specified VPC network. The instances can then connect directly to resources in the VPC without the traffic leaving Google Cloud's network. This gives a more secure and efficient communication channel and avoids routing that traffic through the public internet.
Realising Potential
Applications of Direct VPC Egress
Direct VPC egress provides access to private resources inside a VPC for a variety of applications. The following are some strong use cases:
Database Connectivity
To facilitate data persistence and retrieval within your secure environment, Cloud Run services can establish direct connections with databases housed inside a VPC.
Interaction Between Internal Microservices
Cloud Run services are able to communicate with other microservices that are set up inside the VPC. This makes it possible for microservices to work together effectively without sacrificing security in a well-integrated and safe application architecture.
Secure Data Processing Pipelines
Cloud Run services can access and process data stored in private buckets or databases inside the VPC as part of a secure data processing pipeline. Keeping the data segregated within the VPC throughout the pipeline reduces the possibility of unauthorised access.
Machine Learning Workflows
Models and training data can be stored inside a VPC and accessed by Cloud Run services from there. This supports secure and efficient machine learning workflows, with the data kept private during both the training and deployment phases.
Launching Direct VPC Egress
A Smooth Transition
Direct VPC egress can be configured through YAML files, the Google Cloud Console, or the Google Cloud CLI. Here is a condensed rundown of the procedure:
Configure Your Service
In your Cloud Run service configuration, specify the VPC network and subnet that your service needs access to in order to enable Direct VPC egress.
Verify Permissions
Make sure the service account attached to your Cloud Run service has the IAM permissions required to use the selected VPC resources.
Deploy Your Service
Deploy your Cloud Run service with the Direct VPC egress configuration enabled. Then test connectivity to confirm that the service can reach the required VPC resources.
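As an added example (not code from the original post or from Google), here is a shell script that carries out the steps above with the gcloud CLI: it deploys a service with Direct VPC egress and a network tag, then uses that tag in egress firewall rules, the granular control described earlier. The project, region, network, subnet, tag, image and database range are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the original post: deploy a Cloud Run service with
# Direct VPC egress and scope its egress with firewall rules keyed on the
# network tag. Project, region, network, subnet, tag, image and DB range are
# constructed placeholders; DRY_RUN=1 (the default) only prints the commands.
set -eu

PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-prod-vpc}"
SUBNET="${SUBNET:-run-egress-subnet}"
TAG="${TAG:-run-db-client}"          # network tag attached to the revision
DB_RANGE="${DB_RANGE:-10.10.0.0/24}" # constructed database subnet
DRY_RUN="${DRY_RUN:-1}"

# --vpc-egress accepts exactly two values; reject typos before deploying.
validate_egress() {
  case "$1" in
    private-ranges-only|all-traffic) return 0 ;;
    *) echo "invalid --vpc-egress value: $1" >&2; return 1 ;;
  esac
}

# Build the deploy command: service, image, egress mode. With
# private-ranges-only, only traffic to private IP ranges goes through the VPC.
deploy_cmd() {
  validate_egress "$3" || return 1
  printf '%s' "gcloud run deploy $1 --image=$2 --region=$REGION" \
    " --project=$PROJECT --network=$NETWORK --subnet=$SUBNET" \
    " --network-tags=$TAG --vpc-egress=$3"
}

# Egress firewall rules that apply only to instances carrying the tag:
# allow the database port to the database subnet, deny everything else.
firewall_cmds() {
  printf '%s\n' \
    "gcloud compute firewall-rules create allow-$TAG-db --project=$PROJECT --network=$NETWORK --direction=EGRESS --action=ALLOW --rules=tcp:5432 --destination-ranges=$DB_RANGE --target-tags=$TAG --priority=1000" \
    "gcloud compute firewall-rules create deny-$TAG-all --project=$PROJECT --network=$NETWORK --direction=EGRESS --action=DENY --rules=all --destination-ranges=0.0.0.0/0 --target-tags=$TAG --priority=2000"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$1"; else eval "$1"; fi; }

main() {
  run "$(deploy_cmd api-svc us-docker.pkg.dev/example/app/api:1.0 private-ranges-only)"
  firewall_cmds | while IFS= read -r cmd; do run "$cmd"; done
}
main
```

Run with DRY_RUN=0 once the placeholders point at a real project; the deny rule at priority 2000 sits below the allow rule, so tagged instances can reach only the database port on the database subnet.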
Security Aspects
Even though Direct VPC egress provides a secure way to connect Cloud Run services to VPC resources, it is still important to follow security best practices: