Configure connectors in Shared VPC service projects
Stay organized with collectionsSave and categorize content based on your preferences.
If your organization uses Shared VPC, you can set up
Serverless VPC Access connectors in either the service project or the
host project. This guide shows how to set up a connector in the service project.
Grant permissions to service accounts in your service projects
For each service project that will use VPC Connectors, a Shared VPC
Admin must grant the Compute Network User
role (compute.networkUser) in the
host project to the service projectcloudservicesandvpcaccessservice
accounts.
When using Shared VPC, the Shared VPC Admin must create a subnet
for each connector. Follow the documentation inadding a subnetto add a/28subnet to the
Shared VPC network. This subnet must be in the same region as the
serverless services that will use the connector.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide details setting up Serverless VPC Access connectors in a service project within a Shared VPC environment.\u003c/p\u003e\n"],["\u003cp\u003eA Shared VPC Admin needs to grant the Compute Network User role to the \u003ccode\u003ecloudservices\u003c/code\u003e and \u003ccode\u003evpcaccess\u003c/code\u003e service accounts in each service project.\u003c/p\u003e\n"],["\u003cp\u003eA subnet must be created by the Shared VPC Admin in the same region as the serverless services that will use the connector, with a recommended size of \u003ccode\u003e/28\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eYou will also have to create the connector, configure the serverless environment to use the connector, and configure any necessary firewall rules, refer to the "Configuring Serverless VPC Access" documentation for these steps.\u003c/p\u003e\n"]]],[],null,["# Configure connectors in Shared VPC service projects\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\nIf your organization uses Shared VPC, you can set up\nServerless VPC Access connectors in either the service project or the\nhost project. This guide shows how to set up a connector in the service project.\n\nIf you need to set up a connector in the host project, see\n[Configure connectors in the host project](/appengine/docs/standard/shared-vpc-host-project).\nTo learn about the advantages of each method, see\n[Connecting to a Shared VPC network](/appengine/docs/standard/connecting-shared-vpc).\n\nAt a high level, you must take the following steps:\n\n1. [Grant permissions](#grant-permissions)\n2. [Create a subnet](#subnet)\n3. In the page [Configuring Serverless VPC Access](/vpc/docs/configure-serverless-vpc-access), complete the steps in the following sections:\n - [Create a Serverless VPC Access connector](/vpc/docs/configure-serverless-vpc-access#create-connector)\n - [Configure your serverless environment to use a connector](/vpc/docs/configure-serverless-vpc-access#configure-environment)\n - [Configure firewall rules for connectors](/vpc/docs/configure-serverless-vpc-access#restrict-access)\n\nGrant permissions to service accounts in your service projects\n--------------------------------------------------------------\n\nFor each service project that will use VPC Connectors, a Shared VPC\nAdmin must grant the Compute Network User\nrole ([`compute.networkUser`](/compute/docs/access/iam#compute.networkUser)) in the\nhost project to the service project `cloudservices` and `vpcaccess` service\naccounts.\n\nTo grant the role:\n\n1. Use these commands:\n\n ```bash\n gcloud projects add-iam-policy-binding HOST_PROJECT_ID \\\n --role \"roles/compute.networkUser\" \\\n --member \"serviceAccount:service-\u003cvar translate=\"no\"\u003eSERVICE_PROJECT_NUMBER\u003c/var\u003e@gcp-sa-vpcaccess.iam.gserviceaccount.com\"\n ``` \n\n ```bash\n gcloud projects add-iam-policy-binding HOST_PROJECT_ID \\\n --role \"roles/compute.networkUser\" \\\n --member \"serviceAccount:\u003cvar translate=\"no\"\u003eSERVICE_PROJECT_NUMBER\u003c/var\u003e@cloudservices.gserviceaccount.com\"\n ```\n2. If the `@gcp-sa-vpcaccess` service account does not exist, turn on the\n Serverless VPC Access API in the service project and try again:\n\n ```bash\n gcloud services enable vpcaccess.googleapis.com\n ```\n\n \u003cbr /\u003e\n\nIf you prefer not to grant these service accounts access to the entire\nShared VPC network and would rather only grant access to specific subnets, you\ncan instead [grant these roles to these service accounts on specific subnets only](/vpc/docs/shared-vpc#svc_proj_admins).\n\nCreate a subnet\n---------------\n\nWhen using Shared VPC, the Shared VPC Admin must create a subnet\nfor each connector. Follow the documentation in\n[adding a subnet](/vpc/docs/create-modify-vpc-networks#add-subnets) to add a `/28` subnet to the\nShared VPC network. This subnet must be in the same region as the\nserverless services that will use the connector.\n\nNext steps\n----------\n\n- In the page [Configuring Serverless VPC Access](/vpc/docs/configure-serverless-vpc-access), complete the steps in the following sections:\n - [Create a Serverless VPC Access connector](/vpc/docs/configure-serverless-vpc-access#create-connector)\n - [Configure your serverless environment to use a connector](/vpc/docs/configure-serverless-vpc-access#configure-environment)"]]
