Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Serverless VPC Access for Google Cloud Functions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Google Cloud functions are configured to use Serverless VPC Access in order to connect functions directly to your VPC network, allowing access to other VPC resources such as VM instances, MemoryStore instances, or any other cloud resources with an internal IP address.

Security
Reliability
Operational
excellence
Cost
optimisation
Sustainability

Serverless VPC Access makes it possible for you to connect directly to your Virtual Private Cloud (VPC) network from a serverless environment such as Google Cloud Functions. Key benefits include enhanced security (no exposure to the Internet) and lower latency compared to typical Internet communication. It operates via connectors, managing traffic between your serverless setup and VPC. To enable Serverless VPC Access for your Google Cloud functions, create a VPC connector in your Google Cloud project, associating it with a VPC network and region. This enables configuration of serverless services to utilize the connector for outbound network traffic, ensuring secure, low-latency connectivity.

Audit

To determine if Serverless VPC Access is enabled for your Google Cloud functions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to examine, listed in the Name column.

05 Select the DETAILS tab and check the networking details listed in the Networking Settings section. If the VPC connector attribute does not have a value, there is no VPC connector configured for your function, therefore the Serverless VPC Access feature is not enabled for the selected Google Cloud function.

06 Repeat steps no. 4 and 5 for each Google Cloud function created for the selected GCP project.

07 Repeat steps no. 2 - 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud Platform (GCP) account: 

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s): 

PROJECT_ID
cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run functions list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the region of each Google Cloud function deployed within the selected project: 

gcloud functions list
  --project cc-bigdata-project-123123
  --format="(NAME,REGION)"

04 The command output should return the requested function names and their regions: 

NAME                  REGION
cc-web-app-function   us-central1
cc-stream-function    us-central1

05 Run functions describe command (Windows/macOS/Linux) using the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the identifier (ID) of the VPC connector configured for the selected function. A VPC connector is a configuration that enables Google Cloud functions to securely connect to resources within a VPC network for enhanced security and isolation: 

gcloud functions describe cc-web-app-function
  --region=us-central1
  --format="json(vpcConnector)"

06 The command output should return the VPC connector ID: 

null

If the functions describe command output returns null, there is no VPC connector configured for your function, therefore Serverless VPC Access is not enabled for the selected Google Cloud function.

07 Repeat steps no. 5 and 6 for each Google Cloud function created for the selected GCP project.

08 Repeat steps no. 3 – 6 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable Serverless VPC Access for your Google Cloud functions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Cloud Functions console available at https://console.cloud.google.com/functions/.

04 Click on the name (link) of the Google Cloud function that you want to configure, listed in the Name column.

05 Choose EDIT from the top menu to modify the function configuration.

06 For Configuration, choose Runtime, build, connections and security settings, and select the CONNECTIONS tab to access the networking settings available for your function.

07 By default, the function is disconnected from your VPC network and cannot send request to VPC resources. To send requests to cloud resources within your VPC network, create and configure a new VPC connector in the same region as the function.

08 In the Egress settings section, click inside the Network box and choose ADD NEW VPC CONNECTOR to create a new VPC connector.

09 On the Create connector setup panel, perform the following actions:

  1. Type a unique name for the new VPC connector in the Name box.
  2. Select the appropriate region from the Region dropdown list. The connector must share the same region with the function.
  3. Select your VPC network from the Network list.
  4. Choose an unused /28 subnet from the Subnet dropdown list or create a new one by entering an unused /28 IP range. Your new VPC connector will create connector instances on the selected subnet.
  5. Choose SHOW SCALING SETTINGS and configure the scaling settings for the VPC connections based on your application needs.
  6. Choose CREATE to create your new VPC connector.

10 Click inside the Network box and choose the name of your newly created VPC connector.

11 Under Network, choose whether to route only requests to private IPs through the new VPC connector or route all traffic through the VPC connector.

12 Select NEXT and choose DEPLOY to redeploy your modified function.

13 Repeat steps no. 4 – 12 for each Google Cloud function that you want to configure, available for the selected GCP project.

14 Repeat steps no. 2 – 13 for each project deployed within your Google Cloud account.

Using GCP CLI

01 To send requests to Google Cloud resources within your VPC network, create a new VPC connector in the same region as your function. To create a new VPC connector for your Google Cloud functions, run compute networks vpc-access connectors create command (Windows/macOS/Linux). The following VPC connector is using a non-shared VPC network named "cc-main-vpc-network": 

gcloud compute networks vpc-access connectors create cc-vpc-connector
  --region=us-central1
  --network=cc-main-vpc-network
  --range=10.128.0.0/28

02 The command output should return the configuration information available for the new VPC connector: 

{
	"ipCidrRange": "10.128.0.0/28",
	"machineType": "e2-micro",
	"maxInstances": 10,
	"maxThroughput": 1000,
	"minInstances": 2,
	"minThroughput": 200,
	"name": "projects/cc-bigdata-project-123123/locations/us-central1/connectors/cc-vpc-connector",
	"network": "cc-main-vpc-network",
	"state": "READY"
  }

03 Run functions deploy command (Windows/macOS/Linux) to redeploy your Google Cloud function in order to connect the function to a VPC network by attaching the Serverless VPC Access connector created at the previous steps: 

gcloud functions deploy cc-web-app-function1
  --region=us-central1
  --max-instances=1
  --runtime=python39
  --entry-point=run-app
  --trigger-http
  --allow-unauthenticated
  --gen2
  --vpc-connector cc-vpc-connector
  --format="json(vpcConnector)"

04 The command output should return the identifier (ID) of the attached VPC connector: 

{
	"vpcConnector": "projects/cc-bigdata-project-123123/locations/us-central1/connectors/cc-vpc-connector"
}

05 Repeat steps no. 1 – 4 for each Google Cloud function that you want to configure, created for the selected GCP project.

06 Repeat steps no. 1 – 5 for each project deployed within your Google Cloud account.

References

Publication date Oct 24, 2023

Related CloudFunction rules