If your organization uses Shared VPC, you can set up Serverless VPC Access connectors in either the service project or the host project. This guide shows how to set up a connector in the service project.
If you need to set up a connector in the host project, see Configure connectors in the host project. To learn about the advantages of each method, see Connecting to a Shared VPC network.
At a high level, you must take the following steps:
Serverless VPC Access is not compatible with the URL Fetch service. Before you begin, disable the URL Fetch default and discontinue any explicit use of the urlfetch library.
To perform these steps, you must have a role on the host project that includes the compute.firewalls.create permission.

You must create firewall rules to allow requests from the following IP ranges to reach the connector and to be reached by the connector:
107.178.230.64/26
35.199.224.0/19
130.211.0.0/22
35.191.0.0/16
108.170.220.0/23
These ranges are used by the Google infrastructure underlying Cloud Run, Cloud Run functions, and the App Engine standard environment. All requests from these IPs are guaranteed to originate from Google infrastructure, which ensures that each Cloud Run, Cloud Run functions, and App Engine service/function/app only communicates with the VPC Connector it is connected to.
For a simple configuration, apply the rules to allow serverless services in any service project connected to the Shared VPC network to send requests to any resource in the network.
Important: The rules you create using the following process apply to existing and future connectors. If you want to scope these rules so they only apply to specified connectors, see Create firewall rules with narrower scope.

To apply these rules:
Run the following three commands to set the rules to allow requests from the serverless environment to reach all VPC Connectors in the network:
gcloud compute firewall-rules create serverless-to-vpc-connector \
  --allow tcp:667,udp:665-666,icmp \
  --source-ranges 107.178.230.64/26,35.199.224.0/19 \
  --direction=INGRESS \
  --target-tags vpc-connector \
  --network=VPC_NETWORK

gcloud compute firewall-rules create vpc-connector-to-serverless \
  --allow tcp:667,udp:665-666,icmp \
  --destination-ranges 107.178.230.64/26,35.199.224.0/19 \
  --direction=EGRESS \
  --target-tags vpc-connector \
  --network=VPC_NETWORK

gcloud compute firewall-rules create vpc-connector-health-checks \
  --allow tcp:667 \
  --source-ranges 130.211.0.0/22,35.191.0.0/16,108.170.220.0/23 \
  --direction=INGRESS \
  --target-tags vpc-connector \
  --network=VPC_NETWORK
Where VPC_NETWORK is the VPC network to attach your connector to.
Create an ingress rule on your VPC network to allow requests from connectors:

gcloud compute firewall-rules create vpc-connector-requests \
  --allow tcp,udp,icmp \
  --direction=INGRESS \
  --source-tags vpc-connector \
  --network=VPC_NETWORK
This rule gives the VPC connector access to every resource in the network. To limit the resources that your serverless environment can reach using Serverless VPC Access, specify a target for these firewall rules.
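The following script is an added example, not part of the Google Cloud documentation or the gcloud project. It shows how to replace the broad vpc-connector-requests rule with one scoped to a single connector (using the per-connector tag format vpc-connector-REGION-CONNECTOR_NAME described under Create firewall rules with narrower scope) and to a tagged set of backend VMs and ports, plus a small check that flags an all-protocol, untargeted rule as broad. The network, region, connector and backend tag names are placeholders.

```shell
#!/bin/sh
# Added example; not from the Google Cloud docs or the gcloud CLI project.
# Builds a narrowly scoped ingress rule for ONE connector and ONE set of
# backend VMs, using the documented tag format vpc-connector-REGION-CONNECTOR_NAME.
# All names below are placeholders. Commands are only printed; pipe the
# output into sh (with an authenticated gcloud) to apply them.

# Per-connector network tag: vpc-connector-REGION-CONNECTOR_NAME.
connector_tag() {
  printf 'vpc-connector-%s-%s' "$1" "$2"
}

# Scoped replacement for the broad "vpc-connector-requests" rule:
# source = this connector only, destination = VMs tagged $4, protocols/ports = $5.
scoped_ingress_rule() {
  network="$1" region="$2" connector="$3" backend_tag="$4" allow="$5"
  tag="$(connector_tag "$region" "$connector")"
  printf 'gcloud compute firewall-rules create %s-to-%s --network=%s --direction=INGRESS --source-tags=%s --target-tags=%s --allow=%s\n' \
    "$tag" "$backend_tag" "$network" "$tag" "$backend_tag" "$allow"
}

# Prints "broad" when a rule allows every protocol and has no target tags
# (the shape of the simple rule in this guide), otherwise "scoped".
# Feed it the allow list and target tags of an existing rule, for example
# copied from `gcloud compute firewall-rules describe RULE_NAME`.
audit_rule() {
  allow="$1" target_tags="$2"
  if [ "$allow" = "tcp,udp,icmp" ] && [ -z "$target_tags" ]; then
    echo broad
  else
    echo scoped
  fi
}

# Placeholder values (constructed); replace before piping the output into sh.
scoped_ingress_rule my-shared-vpc us-central1 my-connector app-backend tcp:8080,tcp:5432
audit_rule "tcp,udp,icmp" ""                  # broad
audit_rule "tcp:8080,tcp:5432" "app-backend"  # scoped
```

The backend VMs must carry the app-backend network tag for the scoped rule to match them; the source tag is matched against the connector instances in the Shared VPC network.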
Following the procedure in Add firewall rules to allow IP ranges results in firewall rules that apply to all connectors, both current ones and ones created in the future. If you don't want this, but instead want to create rules for specific connectors only, you can scope the rules so that they apply only to those connectors.
To limit the scope of the rules to specific connectors, you can use the connector's network tags. Each connector has two network tags: vpc-connector and vpc-connector-REGION-CONNECTOR_NAME. Use the latter format to limit the scope of your firewall rules to a specific connector.

For each service project that will use VPC Connectors, a Shared VPC Admin must grant the Compute Network User role (compute.networkUser) in the host project to the service project cloudservices and vpcaccess service accounts.
To grant the role, use these commands:
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
  --role "roles/compute.networkUser" \
  --member "serviceAccount:service-SERVICE_PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com"

gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
  --role "roles/compute.networkUser" \
  --member "serviceAccount:SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com"
If the @gcp-sa-vpcaccess service account does not exist, turn on the Serverless VPC Access API in the service project and try again:
gcloud services enable vpcaccess.googleapis.com
If you prefer not to grant these service accounts access to the entire Shared VPC network and would rather only grant access to specific subnets, you can instead grant these roles to these service accounts on specific subnets only.
Create a subnet

When using Shared VPC, the Shared VPC Admin must create a subnet for each connector. Follow the documentation in adding a subnet to add a /28 subnet to the Shared VPC network. This subnet must be in the same region as the serverless services that will use the connector.
Last updated 2025-08-07 UTC.