Connect 2 Cloud Run Services Internally with Serverless VPC Connector

3 min readMay 10, 2023

Purpose

This article aims to provide solution when we have 2 cloud run services and want to route connect them together internally.

The above diagram shows the system flow starting from user send the request to Cloud Run #1. The first cloud run service can be the web frontend which allows public user to access. Therefore, it is set to allow external traffic without unauthentication.
Next, the backend of Cloud Run #1 will forward the request to cloud run #2 through server VPC connector.
Cloud run #2 which is located in VPC can received the traffic from Cloud run #1 via configured serverless VPC connector.

Create a new VPC network with the custom subnet. The below image is an example of VPC subnet.

Click create button to finish setting up the VPC network.
Go to serverless VPC access tab and click create connector
Here, enter the name of VPC connector and specify a region. The region of serverless vpc connector must be similar to where the cloud run services locate. Next, select network VPC which already created in the step 1–2.

For testing purpose, it is okay to leave the scaling setting as it is.
Click create to finish.
Next, move to cloud run service.
Because the 1st cloud run service is the web frontend which opens access for public users, the configuration should be set to allow-authentication and select ingress control to all.
To deploy the 1st cloud run service using CLI, please follow the below command.bash

gcloud run deploy <first-service-name> --platform managed --allow-unauthenticated

To set up the egress of the 1st cloud run service, we will do it using GCP console.
After the deployment is finished, let’s go to cloud run console and select the 1st cloud run service.
Click edit button and move to networking tab.
In VPC option, select the serverless VPC connector that was configured in the step 3–6.
Please do not forget to select “Route all traffic through the VPC connector” option and click deploy.

While waiting for 1st cloud run service deployment, let’s deploy the 2nd cloud run service.
Use the following command to deploy the service using CLI.

gcloud run deploy <second-service-name> --ingress internal --platform managed --no-allow-unauthenticated

After 2nd cloud run deployment, the traffic can only be routed through the 1st cloud run service. It cannot be called directly to the 2nd cloud run from outside.