When a container instance receives requests, Cloud Run downgrades those requests from HTTP/2 to HTTP/1 with the exception of native gRPC traffic, which requires HTTP/2 to function correctly. This page shows you how to configure your service to use end-to-end HTTP/2, which prevents Cloud Run from downgrading requests to HTTP1.
For more information about invoking services using HTTP, see Invoking with an HTTPS Request .
Before you configure
Your Cloud Run service must handle requests in HTTP/2 cleartext
( h2c
) format. Google's frontend-serving
infrastructure terminates TLS and then forwards the h2c
traffic to Cloud Run
and to your container through an encrypted channel.
To confirm that your service supports h2c
requests, test the service locally
using this curl command:
curl -i --http2-prior-knowledge http://localhost: PORT
Required roles
To get the permissions that you need to configure and deploy Cloud Run services, ask your administrator to grant you the following IAM roles:
- Cloud Run Developer
(
roles/run.developer) on the Cloud Run service - Service Account User
(
roles/iam.serviceAccountUser) on the service identity
If you are deploying a service or function from source code, you must also have additional roles granted to you on your project and Cloud Build service account.
For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions . If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide . For more information about granting roles, see deployment permissions and manage access .
Supported HTTP/2 services
HTTP/2 is ideal for a variety of applications. Some common use cases include the following:
- gRPC services: build high-performance, low-latency microservices that communicate using gRPC .
- APIs with high throughput: reduce overhead for applications that require efficient handling of numerous small requests or need to push data to clients.
Set and update HTTP/2 end-to-end
Any configuration change leads to the creation of a new revision. Subsequent revisions will also automatically get this configuration setting unless you make explicit updates to change it.
You can specify the use of HTTP/2 end-to-end by using the Google Cloud console, Google Cloud CLI, or YAML when you create a new service or deploy a new revision :
Console
-
In the Google Cloud console, go to Cloud Run:
-
Select Servicesfrom the menu, and click Deploy containerto configure a new service. If you are configuring an existing service, click the service, then click Edit and deploy new revision.
-
If you are configuring a new service, fill out the initial service settings page, then click Container(s), Volumes, Networking, Securityto expand the service configuration page.
-
Click the Networkingtab.
- Select Enable http/2 connections
-
Click Createor Deploy.
gcloud
You can update a given service to use HTTP/2 by using the following command:
gcloud run services update SERVICE --use-http2
Replace SERVICE
with the name of your service.
You can also set your service to use HTTP/2 during deployment using the command:
gcloud run deploy --image IMAGE_URL --use-http2
Replace IMAGE_URL
with a reference to the container image, for
example, us-docker.pkg.dev/cloudrun/container/hello:latest
. If you use Artifact Registry,
the repository
REPO_NAME
must
already be created. The URL follows the format of LOCATION
-docker.pkg.dev/ PROJECT_ID
/ REPO_NAME
/ PATH
: TAG
.
YAML
-
If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration :
gcloud run services describe SERVICE --format export > service.yaml
-
Update
portswith the nameh2candcontainerPortwith the port of your choice, as shown in the following example:apiVersion : serving.knative.dev/v1 kind : Service metadata : name : SERVICE spec : template : metadata : name : REVISION spec : containers : - image : IMAGE_URL ports : - name : h2c containerPort : 8080
Replace the following:
- SERVICE : the name of your Cloud Run service
- IMAGE_URL
: a reference to the container image, for
example,
us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format ofLOCATION -docker.pkg.dev/ PROJECT_ID / REPO_NAME / PATH : TAG. - REVISION
with a new revision name or delete it (if present). If you supply a new revision name, it must
meet the following criteria:
- Starts with
SERVICE - - Contains only lowercase letters, numbers and
- - Does not end with a
- - Does not exceed 63 characters
- Starts with
-
Create or update the service using the following command:
gcloud run services replace service.yaml
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands .
Add the following to agoogle_cloud_run_v2_service
resource in your Terraform configuration:If your container listens for HTTP requests on a port other than 8080
,
replace 8080
with that port number.
View http/2 settings
To view the current http/2 settings for your Cloud Run service:
Console
-
In the Google Cloud console, go to Cloud Run:
-
Click the service you are interested in to open the Service detailspage.
-
Click the Revisionstab.
-
In the details panel at the right, the http/2 setting is listed under the Networkingtab.
gcloud
-
Use the following command:
gcloud run services describe SERVICE
-
Locate the http/2 setting in the returned configuration.
Use HTTP/2 behind a load balancer
When configured to listen for HTTP/2, Cloud Run automatically handles the HTTP/2 or gRPC traffic arriving from the Application Load Balancer. No specific configuration is needed on the load balancer's backend service.
To configure Cloud Run to use HTTP/2 or gRPC, use one of the following methods:
- Set and update HTTP/2 end-to-end
- Configure an external Application Load Balancer with your Cloud Run service as the backend.
