2
votes

I want a Cloud Function on GCP to connect to a Google API (e.g., compute.googleapis.com) privately. That is, not over the internet. I also want this Cloud Function to egress all traffic into a VPC through a Serverless VPC Accessor.

For VMs to connect privately to Google APIs, one enables Private Google Access for the subnet that the VM lives on. But, for Functions, the "serverless connector" is not a subnet per se, and so one can't enable Private Google Access for this connector. With Private Google Access, the call to a Google API originating from a Function eventually heads out the default internet gateway to the public internet.

How can I get my Function to make calls to Google APIs privately after egressing onto my VPC?


1 Answer

3
votes

When you are in the Google network, you never go out to the internet to reach a Google service. In the worst case, because the service is not in the same region, you go through the Google global fiber network.

If you are in the same region, you stay inside it.

Thus, your calls are private by default. You don't have to configure anything in Google Cloud Functions to enforce this; it's the default.

But, if you prefer to be sure, you can use Google's private DNS by adding "private" to the hostname, like this: compute.private.googleapis.com
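A check a practitioner would want after wiring the function's egress through the connector: confirm, from inside the VPC, that the Google API hostnames actually resolve to the Private Google Access VIP (private.googleapis.com is 199.36.153.8/30; restricted.googleapis.com is 199.36.153.4/30) rather than to public addresses. The script below is an added example, not code from the question or the answer. It assumes it is run from a workload whose DNS is the VPC's Cloud DNS (a VM on the connector's subnet, or the function itself with all-traffic egress); the hostnames in the `__main__` block are illustrative, and the `resolver` parameter exists so the logic can be exercised offline with constructed answers.

```python
"""Verify that Google API hostnames resolve to a Private Google Access VIP.

Run inside the VPC. With a Cloud DNS private zone that maps *.googleapis.com
to private.googleapis.com, every API hostname should land in 199.36.153.8/30.
Anything outside the two documented VIP ranges means the call would leave via
the default internet gateway to a public Google front end.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

# Documented Private Google Access VIP ranges (these are facts, not assumptions).
PRIVATE_VIP = ipaddress.ip_network("199.36.153.8/30")     # private.googleapis.com
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")  # restricted.googleapis.com

Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve a hostname with the host's configured DNS (Cloud DNS inside a VPC)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(ip: str) -> str:
    """Label an IPv4 address by the Google egress path it implies."""
    addr = ipaddress.ip_address(ip)
    if addr in PRIVATE_VIP:
        return "private-vip"
    if addr in RESTRICTED_VIP:
        return "restricted-vip"
    return "public"


def check_hosts(hostnames: List[str], resolver: Resolver = system_resolver) -> Dict[str, dict]:
    """Resolve each hostname and report whether every returned address is a PGA VIP.

    A hostname counts as private only if it resolved to at least one address and
    none of those addresses is outside the two VIP ranges. Resolution failures are
    reported rather than raised, so one broken zone does not hide the other results.
    """
    report: Dict[str, dict] = {}
    for host in hostnames:
        try:
            ips = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            report[host] = {"ips": {}, "private": False, "error": str(exc)}
            continue
        labels = {ip: classify(ip) for ip in ips}
        report[host] = {
            "ips": labels,
            "private": bool(labels) and all(lbl != "public" for lbl in labels.values()),
        }
    return report


def all_private(report: Dict[str, dict]) -> bool:
    """True only when every checked hostname stays on a PGA VIP."""
    return bool(report) and all(entry["private"] for entry in report.values())


if __name__ == "__main__":
    # Illustrative hostnames; run this from inside the VPC to see real answers.
    hosts = ["compute.googleapis.com", "storage.googleapis.com", "private.googleapis.com"]
    result = check_hosts(hosts)
    for host, entry in result.items():
        print(host, entry)
    print("all private:", all_private(result))
```

If a hostname reports `public`, the private zone is not being consulted by the workload (wrong VPC, missing CNAME, or the function is not egressing all traffic through the connector); if it reports a VIP but the request still times out, the missing piece is usually the route for 199.36.153.8/30 to the default internet gateway or an egress firewall rule.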