Public Egress
This page describes how Cloud Run service instances access the public internet.
Overview
By default, outbound traffic from a Cloud Run service instance (for example, pulling external dependencies or calling third-party APIs) goes through the platform's default egress. You can control this behavior in Service Details -> Service Settings -> Network Settings:
- Public Network Access (on): Outbound traffic from the service instance goes through the platform's default egress.
- Public Network Access (off): Outbound traffic no longer goes through the platform's default egress. You need to configure VPC and NAT Gateway to enable public outbound access.
The "Public Network Access" and "Private Network" options are linked: before turning off "Public Network Access", you must first turn on "Private Network" and bind a VPC; otherwise "Public Network Access" cannot be turned off.
"Disable Public Network" controls the service instance's outbound traffic path. It does not affect access to the service from the outside via the public domain. To restrict external access, please use the Custom Domain or the access control capabilities in Public Access.
Enable/Disable Public Network Access
You can enable/disable public network access when creating a service, on the service creation page.
You can also enable/disable it after service creation, in Service Details -> Service Settings -> Network Settings, by toggling the "Public Network Access" and "Private Network" switches.
Before turning off "Public Network Access", make sure the "Private Network" switch is on and a VPC is bound; otherwise the change cannot be saved.
Use Cases
Keep Public Network Access on
- The service needs to pull external dependency packages or resource files.
- The service needs to call third-party public APIs (e.g., payment, maps, SMS).
- The service needs to access databases or other cloud services on the public internet.
Turn off Public Network Access
When the business has stricter compliance or control requirements for outbound traffic, you can turn off "Public Network Access" so that outbound traffic goes through the VPC internal network:
- Access Lighthouse services via the internal network.
- Access services in another account's VPC via the internal network (connected through CCN or Peering Connection).
Notes
- After turning off "Public Network Access", the service instance's outbound traffic will go through the VPC network. Make sure a NAT Gateway and routing rules are properly configured in the VPC, otherwise the service will not be able to access the public internet.
- "Public Network Access" and "Private Network" must be configured together: turning off "Public Network Access" requires "Private Network" to be turned on first.
- "Disable Public Network" and Public Access are two different concepts: the former controls the service's outbound traffic, while the latter controls the inbound access entry.
- To use a fixed public egress IP, please refer to Fixed Public Egress IP.
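The following added example (not part of the platform's documentation or tooling) shows one way to verify, from inside a service instance, that outbound reachability matches the intended network setting after a change. The function names and the `example.com` target are assumptions chosen for illustration; replace the targets with the endpoints your service actually calls.

```python
import socket

def probe_egress(host, port, timeout=3.0):
    """Classify one outbound TCP connection attempt made from the instance."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"      # name could not be resolved
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
        except socket.timeout:
            return "timeout"      # packets dropped: typical of a missing route or NAT
        except ConnectionRefusedError:
            return "refused"      # something answered, so a network path exists
        except OSError:
            return "unreachable"  # no route to the destination
    return "reachable"

def check_egress(expect_internet, targets, probe=probe_egress):
    """Return (ok, results); ok is True when observed reachability matches intent.

    expect_internet=True : every target must be reachable (default egress on,
                           or VPC with NAT Gateway and routing rules in place).
    expect_internet=False: no target may show an open path (public access off
                           and no NAT path intended).
    """
    results = {f"{h}:{p}": probe(h, p) for h, p in targets}
    path_open = {"reachable", "refused"}  # either outcome means traffic got out
    if expect_internet:
        ok = all(r == "reachable" for r in results.values())
    else:
        ok = not any(r in path_open for r in results.values())
    return ok, results

if __name__ == "__main__":
    # Placeholder target (assumption): use the third-party endpoints the service calls.
    ok, results = check_egress(True, [("example.com", 443)])
    for target, outcome in results.items():
        print(target, outcome)
    raise SystemExit(0 if ok else 1)
```

Run it once with `expect_internet=True` after configuring the NAT Gateway and routes, or with `expect_internet=False` when outbound internet access is meant to be closed; a non-zero exit code means the observed path differs from the intended one.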