Cloud Run Egress Traffic to Shared VPC using Direct VPC Egress and Serverless VPC Access Connector
In a Shared VPC setup, the Cloud Run service agent of the service project needs permissions on the network resources that live in the host project. That's why you grant it the "Compute Network User" role (roles/compute.networkUser) on the host project, or better, on just the subnets the service will use, for Direct VPC egress, and the "Serverless VPC Access User" role (roles/vpcaccess.user) on the host project when the Serverless VPC Access connector is created there.
The Cloud Run service agent is a Google-managed service account that Google Cloud creates automatically in each project that uses Cloud Run. It is the identity Google Cloud uses behind the scenes to perform operations on your behalf when deploying and running your Cloud Run services.
The Cloud Run service agent:
1 Has the format: service-[PROJECT_NUMBER]@serverless-robot-prod.iam.gserviceaccount.com
2 Is automatically granted the "Cloud Run Service Agent" role (roles/run.serviceAgent) on your project
3 Is used by Google Cloud to:
◦ Deploy and manage your Cloud Run services
◦ Access necessary resources (like networks, subnets, etc.)
◦ Connect to other Google Cloud services that your Cloud Run services need
To use Direct VPC egress
You can enable a Cloud Run service or job to send traffic to a Shared VPC network by using Direct VPC egress; no Serverless VPC Access connector is required. The service is attached directly to a subnet of the host project's network, so the service agent only needs Compute Network User on that subnet.
To use Serverless VPC Access connectors
Configure connectors in the Shared VPC host project: if your organization uses Shared VPC, you can set up a Serverless VPC Access connector in either the service project or the host project. The official guide linked below shows how to set up a connector in the host project, in which case the service project's Cloud Run service agent needs Serverless VPC Access User on the host project to attach to it.
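The two procedures above, as an added example script (not code from the original post or from Google's documentation): it derives the Cloud Run service agent from the service project number, grants the role each path needs on the host project, and deploys with either Direct VPC egress or a connector that lives in the host project. Project IDs, the region, network, subnet, connector, service and image names are placeholders, and DRY_RUN=1 prints the gcloud commands instead of running them so the plan can be reviewed before anything is changed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Wires up Cloud Run egress to a Shared VPC
# host project via Direct VPC egress or a Serverless VPC Access connector.
# All project/network/subnet/connector/service names are placeholders.
set -eu

# DRY_RUN=1 prints each gcloud command instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The service agent is derived from the service project's NUMBER, not its ID.
service_agent_email() {
  printf 'service-%s@serverless-robot-prod.iam.gserviceaccount.com' "$1"
}

project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Direct VPC egress: least privilege is roles/compute.networkUser on the one
# host-project subnet the service uses, not on the whole host project.
grant_network_user_on_subnet() {
  local host_project=$1 region=$2 subnet=$3 member=$4
  run gcloud compute networks subnets add-iam-policy-binding "$subnet" \
    --project "$host_project" --region "$region" \
    --member "serviceAccount:$member" --role roles/compute.networkUser
}

deploy_direct_vpc_egress() {
  local service_project=$1 host_project=$2 region=$3 network=$4 subnet=$5 service=$6 image=$7
  run gcloud run deploy "$service" --project "$service_project" --region "$region" \
    --image "$image" \
    --network "projects/$host_project/global/networks/$network" \
    --subnet "projects/$host_project/regions/$region/subnetworks/$subnet" \
    --vpc-egress private-ranges-only
}

# Connector path: the connector is created in the host project, and the service
# project's Cloud Run service agent needs roles/vpcaccess.user there to attach to it.
grant_vpcaccess_user_on_host() {
  local host_project=$1 member=$2
  run gcloud projects add-iam-policy-binding "$host_project" \
    --member "serviceAccount:$member" --role roles/vpcaccess.user
}

create_connector_in_host() {
  local host_project=$1 region=$2 subnet=$3 connector=$4
  run gcloud compute networks vpc-access connectors create "$connector" \
    --project "$host_project" --region "$region" --subnet "$subnet"
}

deploy_with_connector() {
  local service_project=$1 host_project=$2 region=$3 connector=$4 service=$5 image=$6
  run gcloud run deploy "$service" --project "$service_project" --region "$region" \
    --image "$image" \
    --vpc-connector "projects/$host_project/locations/$region/connectors/$connector" \
    --vpc-egress private-ranges-only
}

# Set RUN_SETUP=1 and MODE=direct|connector to execute with the placeholder values.
if [ "${RUN_SETUP:-0}" = "1" ]; then
  SERVICE_PROJECT=${SERVICE_PROJECT:-my-service-project}   # placeholder
  HOST_PROJECT=${HOST_PROJECT:-my-host-project}             # placeholder
  REGION=${REGION:-us-central1}
  IMAGE=us-docker.pkg.dev/cloudrun/container/hello           # public sample image
  SA=$(service_agent_email "$(project_number "$SERVICE_PROJECT")")
  if [ "${MODE:-direct}" = "direct" ]; then
    grant_network_user_on_subnet "$HOST_PROJECT" "$REGION" app-subnet "$SA"
    deploy_direct_vpc_egress "$SERVICE_PROJECT" "$HOST_PROJECT" "$REGION" shared-vpc app-subnet my-service "$IMAGE"
  else
    grant_vpcaccess_user_on_host "$HOST_PROJECT" "$SA"
    create_connector_in_host "$HOST_PROJECT" "$REGION" connector-subnet my-connector
    deploy_with_connector "$SERVICE_PROJECT" "$HOST_PROJECT" "$REGION" my-connector my-service "$IMAGE"
  fi
fi
```

Run it once with DRY_RUN=1 RUN_SETUP=1 to see exactly which bindings will be added to the host project; the subnet-level binding is the one to prefer, since a project-level Compute Network User grant lets the service agent attach to every subnet in the host project.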
Official Docs:
Direct VPC Egress: https://cloud.google.com/run/docs/configuring/shared-vpc-direct-vpc
VPC Access Connector Egress: https://cloud.google.com/run/docs/configuring/shared-vpc-host-project
#google #gcp #vpc #sharedvpc #sumitk #thecloudbaba #security #network #vpcreation