We’re launching Direct VPC egress for Cloud Run in Preview today. This feature enables you to send traffic to a VPC network, without setting up a Serverless VPC Access connector. Direct VPC egress is easier to set up, is faster, can handle more traffic and has lower costs.
This is a very exciting update to Cloud Run. Before we dive into the specific, let’s hear how Paack has already benefited from Direct VPC egress:
“At Paack, we use Cloud Run for several mission-critical applications, many of which rely on VPC access, such as to connect to Cloud SQL databases and to connect to warehouse robots. Traditionally, we have relied on VPC connectors. Direct VPC egress offers considerable improvements in operational efficiency, allowing our teams to work more independently, while giving our DevSecOps and NetOps teams the tools to boost security and better manage network communications.” – Miguel F. Nuñez Burguera, Cloud Architect, Paack
When do you need to send traffic to the VPC?
Top use cases for sending traffic to the VPC include connecting to internal IP addresses, and controlling traffic with firewall rules and other network policies.
Here are some examples of resources with an internal IP address that customers often connect to from Cloud Run:
Memorystore instances. (That’s a managed Redis or Memcached instance.)
Cloud SQL instances that don’t have a public IP (for increased security).
On-premises resources.
Compute Engine virtual machines.
Services with an internal load balancer on Google Kubernetes Engine (TCP/UDP or HTTP).
Direct VPC egress explained
When you enable Direct VPC egress on a Cloud Run service, the Cloud Run instances get internal IP addresses on the VPC network. This new interface can only be used for TCP/UDP egress. You can think of this as a firewall around the Cloud Run instance. The firewall allows outbound connections, but won’t let you create connections from the VPC to the Cloud Run instance.
It’s important to note that web requests and events to the HTTPS endpoint of the Cloud Run service are still routed to Cloud Run instances in the same way as before – that doesn’t change when you enable Direct VPC egress.
Comparison with Serverless VPC Access connectors
To understand how VPC connectors are different from Direct VPC egress, you should realize that a VPC connector is a group of managed connector instances. Every connector instance gets an internal IP address and it proxies outbound connections from Cloud Run, introducing an extra hop in the network path.
VPC connectors are not pay-per-use. You can think of connector instances as virtual machines. They are very much alike, in the sense that you are charged for enabling them even if they’re idle. Direct VPC egress does not need connector instances, which means you’ll only pay the network charges. This is why Direct VPC egress has lower costs, which is one of the key advantages Carrefour experienced when they evaluated Direct VPC egress:
“At Carrefour, we use Cloud Run to ingest, transform and load data in the group financial data warehouse on BigQuery. Cloud Run provides the simplicity and ease of use to help our engineers move fast, and it comes with a pay-as-you-go model, so we never have to worry about under or over provisioning. We’ve been trying out Direct VPC egress to reach our SAP database hosted on our private network, and it’s exactly what we’ve been looking for, simplifying our architecture, aligning with our pay-as-you-go model, and improving the total cost of ownership of our pipelines!” – Guillaume Blaquiere, Group Data Architect at Carrefour
Direct VPC egress doesn’t need connector instances because it uses a new, direct, network path. This new path is faster and can handle more traffic than VPC connectors, delivering lower latency and higher throughput.
Summary
When compared with VPC connectors, Direct VPC is easier to set up and manage, and brings the following benefits:
Fewer hops in the network path, enabling lower latency.
Higher throughput, because it uses a new, direct, network path.
Pay-per-use – network charges only without requiring always-on connector instances.
When trying out Direct VPC egress, keep in mind that the feature is still in the Preview launch stage (as of August 2023). For production workloads, a Serverless VPC Access connector is still the recommended option.
To start, enable Direct VPC egress on a Cloud Run service. Read the documentation on Direct VPC egressto learn how.
Cloud BlogRead More