Network-related

How does Cloud Run access Lighthouse?

By default, Lighthouse (TencentCloud Lighthouse) and ordinary VPCs are not interconnected. To access Lighthouse over the internal network, complete the following configurations:

  1. Associate VPC in the Lighthouse console:

    • Go to the Lighthouse console → "Network → Associate VPC", select the VPC bound to Cloud Run, and allocate an IP range for the association.
    • After the association is complete, Lighthouse instances will obtain internal IPs within the VPC.
  2. Toggle "Public Network Access" off on the Cloud Run side:

    • In "Service Details → Service Settings → Network Settings", the "Public Network Access" option is linked with the "Private Network" option. Turn on "Private Network" (VPC) first, and then you can turn off "Public Network Access".
    • You must republish a new version for the change to take effect; only newly started instances will use the VPC internal network.
  3. Configure firewall and routing:

    • Allow the source VPC CIDR in the Lighthouse firewall.
    • Make sure the routing table and security groups of the VPC bound to Cloud Run are properly configured.
  4. Access via the internal IP:

    • Use the Lighthouse instance's internal IP (not the public IP) in your service code.

Note: If "Public Network Access" is left on, traffic to Lighthouse is sent to the platform's public network instead of the VPC, because the Lighthouse internal IP range is not within the local VPC's own CIDR. Lighthouse then cannot be reached over the internal network.

How does Cloud Run access services in VPCs connected via Peering Connection or CCN?

To access services in a peer VPC (including same-account, cross-account, and cross-region) connected via Peering Connection or Cloud Connect Network (CCN) over the internal network, complete the following configurations:

Network Topology

  • Peering Connection (same/cross account) [diagram]
  • Cloud Connect Network (CCN, multi-account and multi-VPC) [diagram]

1. Connect VPCs on the VPC side

  • Peering Connection: Create a peering connection in the VPC console. The routing tables of both VPCs must include a route for the peer CIDR that points to the peering connection, and security groups must allow the peer CIDR.
  • Cloud Connect Network (CCN): Create a CCN instance, associate each VPC with the CCN (cross-account associations require approval from the CCN owner), and configure security groups for resources in each VPC.

The CIDRs of the VPCs involved must not overlap; otherwise the peering connection / CCN association cannot be established.

2. Toggle "Public Network Access" off on the Cloud Run side

  • First, bind the local VPC to the Cloud Run service.
  • In "Service Details → Service Settings → Network Settings", the "Public Network Access" option is linked with the "Private Network" option. Turn on "Private Network" (VPC), and then you can turn off "Public Network Access".
  • You must republish a new version for the change to take effect.

While "Public Network Access" remains on, Cloud Run sends only traffic whose destination IP is within the bound VPC's CIDR to the VPC. Because the peer VPC's CIDR is outside the local VPC, traffic to it is sent to the platform's public network, and internal network connectivity fails.

3. Verify access

  • Use the internal IPs of the peer VPC resources in your service code.
  • If connectivity still fails, troubleshoot in the following order:
    1. Whether "Public Network Access" has been turned off and a new version has been published;
    2. Whether both VPCs' routing tables have routes pointing to the peering connection / CCN for the peer CIDR;
    3. Whether the peer resources' security groups allow the CIDR of the VPC bound to Cloud Run;
    4. Whether the two VPCs' CIDRs overlap.
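
The routing rule and troubleshooting order above can be walked offline before touching the console. The following is an added example, not part of the Cloud Run documentation or any Tencent Cloud API: the function names, finding codes, and CIDR values are constructed for illustration, and it assumes that with "Public Network Access" off all egress goes through the bound VPC.

```python
import ipaddress

def egress_path(dest_ip, bound_cidr, public_access_on):
    """'vpc' or 'public' for one destination, per the rule described above."""
    if ipaddress.ip_address(dest_ip) in ipaddress.ip_network(bound_cidr):
        return "vpc"
    # Assumption: with "Public Network Access" off, all egress uses the VPC.
    return "public" if public_access_on else "vpc"

def covered(cidr, route_or_rule_cidrs):
    """True if cidr falls entirely inside at least one listed CIDR."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(c)) for c in route_or_rule_cidrs)

def preflight(dest_ip, cfg):
    """Finding codes in the page's troubleshooting order; [] means clean."""
    findings = []
    # 1. State of the *published* version, not just the console toggle.
    if egress_path(dest_ip, cfg["bound_cidr"], cfg["public_access_on"]) == "public":
        findings.append("public_access_on")
    # 2. Each side needs a route for the other side's CIDR.
    if not covered(cfg["peer_cidr"], cfg["local_routes"]):
        findings.append("local_route_missing")
    if not covered(cfg["bound_cidr"], cfg["peer_routes"]):
        findings.append("peer_route_missing")
    # 3. Peer security group must allow the Cloud Run VPC's CIDR.
    if not covered(cfg["bound_cidr"], cfg["peer_sg_allow"]):
        findings.append("peer_sg_blocks_bound_cidr")
    # 4. Overlapping CIDRs cannot be peered or attached to one CCN.
    bound = ipaddress.ip_network(cfg["bound_cidr"])
    if bound.overlaps(ipaddress.ip_network(cfg["peer_cidr"])):
        findings.append("cidr_overlap")
    return findings

# Constructed sample values (RFC 1918 ranges), not taken from any real account.
SAMPLE = {
    "bound_cidr": "10.0.0.0/16", "peer_cidr": "172.16.0.0/16",
    "public_access_on": True,           # toggle left on in the running version
    "local_routes": ["172.16.0.0/16"],  # local VPC -> peering connection / CCN
    "peer_routes": [],                  # peer VPC has no return route yet
    "peer_sg_allow": ["10.0.0.0/24"],   # narrower than the bound VPC CIDR
}

if __name__ == "__main__":
    print(preflight("172.16.3.10", SAMPLE))
```

An empty result means none of the four checks failed on the values supplied; it does not replace testing from a newly published instance.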

Important: The "Public Network Access" switch controls the service's outbound traffic path. Turning it off does not affect the public domain name used to access the service from the outside.

For more information, refer to Intranet Connectivity and Public Egress.