Check for Unrestricted Outbound Network Access

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Run console available at https://console.cloud.google.com/run/.

04 Select the SERVICES tab to view the Cloud Run services deployed for the selected GCP project.

05 Click on the name (link) of the service that you want to examine, listed in the Name column.

06 Select the NETWORKING tab and check the networking details listed in the VPC section. If the Network attribute value is set to None, there is no VPC network or VPC connector configured for your service, therefore, all outgoing traffic go through the public Internet, allowing unrestricted access. If the Network attribute is configured, check the Traffic routing attribute value. If Traffic routing is set to route all traffic to the VPC, the selected Cloud Run service is configured to allow unrestricted outbound network access.

07 Repeat steps no. 5 and 6 for each Cloud Run service created for the selected GCP project.

08 Repeat steps no. 2 - 7 for each project deployed within your Google Cloud account.

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list
	--format="value(projectId)"

02 The command output should return the requested GCP project ID(s):

cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run services list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each Cloud Run service deployed within the selected project:

gcloud run services list
	--project cc-bigdata-project-123123
	--format="(NAME,REGION)"

04 The command output should return the requested service names and the associated regions:

NAME: cc-project5-service
REGION: us-central1

NAME: tm-stream-service
REGION: us-central1

NAME: tm-vertex-service
REGION: us-central1

05 Run services describe command (Windows/macOS/Linux) with the name of the Cloud Run service that you want to examine as the identifier parameter, to describe the egress (outbound) network settings configured for the selected service:

gcloud run services describe cc-project5-service
	--region=us-central1
	--format="json(spec.template.metadata.annotations.'run.googleapis.com/vpc-access-egress')"

06 The command output should return the requested egress network settings:

{
	"spec": {
		"template": {
			"metadata": {
				"annotations": {
					"run.googleapis.com/vpc-access-egress": "all-traffic"
				}
			}
		}
	}
}

07 Repeat steps no. 5 and 6 for each Cloud Run service created for the selected GCP project.

08 Repeat steps no. 3 – 6 for each GCP project deployed in your Google Cloud account.

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Run console available at https://console.cloud.google.com/run/.

04 Select the SERVICES tab to access the Cloud Run services deployed for the selected GCP project.

05 Click on the name (link) of the service that you want to configure, listed in the Name column.

06 Choose EDIT & DEPLOY NEW REVISION, select the NETWORKING tab, and perform the following actions:

1. Ensure that the Connect to a VPC for outbound traffic setting is enabled and configured to use a VPC network or a serverless VPC access connector. Follow the steps outlined on this page to enable and configure VPC access.
2. Set Traffic routing to Route only requests to private IPs to the VPC. This will restrict the service's outbound traffic to internal IP ranges only.
3. Choose DEPLOY to apply the changes and deploy a new revision for the selected service.

07 Repeat steps no. 5 and 6 for each Cloud Run service that you want to configure, available within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

01 Ensure that a VPC network or a serverless VPC access connector is configured for your service. Follow the steps outlined on this page to enable and configure VPC access.

02 Run services update command (Windows/macOS/Linux) to update your VPC-enabled Cloud Run service in order to prevent unrestricted outbound network access. To restrict the service outbound traffic to internal IP ranges only, set the --egress-settings parameter to private-ranges-only, as shown in the example below:

gcloud run services update cc-project5-service
	--region=us-central1
	--vpc-egress=private-ranges-only

03 The command output should return the build information available for the redeployed service:

OK Deploying... Done.
	OK Creating Revision...
	OK Routing traffic...
Done.

Service [cc-project5-service] revision [cc-project5-service-00003-abc] has been deployed and is serving 100 percent of traffic.
Service URL: https://cc-project5-service-123456789012.us-central1.run.app

04 Repeat steps no. 1 - 3 for each Cloud Run service that you want to configure, available in the selected project.

05 Repeat steps no. 1 – 4 for each GCP project deployed in your Google Cloud account.