Tags: DNSTimeout, cloud, network_error; ai_generated: true

Error: Cloud Run service cannot connect to external API: dial tcp: lookup api.example.com on 169.254.169.254:53: read udp 10.0.0.1:53: i/o timeout

ID: cloud/gcp-cloud-run-service-egress-ip

Fix Rate: 87%
Confidence: 83%
Evidence: 1
First Seen: 2025-03-10

Version Compatibility

Version                           Status   Introduced   Deprecated   Notes
Cloud Run (fully managed): gen2   active
VPC: auto-mode                    active
Cloud NAT: not configured         active

Root Cause

The Cloud Run service has VPC egress set to 'route all traffic to the VPC' (--vpc-egress=all-traffic), but the VPC has no Cloud NAT gateway. In that mode every outbound packet, including traffic to public IPs, leaves through the VPC subnet from an internal IP, and with no NAT there is no path to the internet, so the connection attempt times out. Confirm the setting before changing anything: gcloud run services describe SERVICE --region REGION --format=yaml shows it as the run.googleapis.com/vpc-access-egress annotation.

Official Documentation

https://cloud.google.com/run/docs/configuring/vpc-direct-vpc

Workarounds

  1. 95% success Create a Cloud NAT gateway in the region and VPC the service egresses into (Cloud NAT is regional, so --region must match the Cloud Run service's region; --network=default and us-central1 are placeholders): gcloud compute routers create nat-router --network=default --region=us-central1 && gcloud compute routers nats create nat-config --router=nat-router --region=us-central1 --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips
  2. 85% success If the service only needs the VPC for internal resources (private IPs), change its egress setting so that traffic to public IPs bypasses the VPC: gcloud run services update SERVICE --region=REGION --vpc-egress=private-ranges-only. Traffic to public IPs then leaves Cloud Run directly and needs no Cloud NAT.
  3. 90% success Use a Serverless VPC Access connector instead of Direct VPC egress. With egress set to all-traffic the connector's traffic still leaves through the VPC and still needs Cloud NAT, so pair the connector with a NAT gateway.
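The following script, added here as an example (it is not code from the original entry or from Google's documentation), performs the check a practitioner wants before applying workaround 1 or 2: it reads the service's egress setting, counts Cloud NAT configurations on routers in the service's region and VPC, and prints the fix that applies. The names my-service, nat-router and nat-config, the RUN_LIVE switch and the SERVICE/REGION/NETWORK defaults are assumptions; the gcloud commands it emits are the ones in the workarounds above. The decision logic runs offline; live gcloud calls run only with RUN_LIVE=1.

```shell
#!/usr/bin/env bash
# Added example for this entry, not code from the original page or from Google.
# Decide whether a Cloud Run service's VPC egress setting requires Cloud NAT
# and print the matching fix. SERVICE, REGION and NETWORK defaults are
# assumptions; override them in the environment. Live gcloud calls run only
# when RUN_LIVE=1, so the decision logic can be exercised offline.
set -euo pipefail

SERVICE="${SERVICE:-my-service}"   # hypothetical service name
REGION="${REGION:-us-central1}"    # must be the service's region (Cloud NAT is regional)
NETWORK="${NETWORK:-default}"      # VPC the service egresses into

# Pure decision function: egress setting + number of Cloud NAT configs found
# on routers in REGION/NETWORK -> plan name.
#   all-traffic, 0 NATs            -> create-nat
#   all-traffic, >=1 NAT           -> nat-present  (NAT is not the missing piece)
#   private-ranges-only or unset   -> no-nat-needed (public traffic bypasses the VPC)
plan_fix() {
  local egress="$1" nat_count="$2"
  case "$egress" in
    all-traffic)
      if [ "$nat_count" -gt 0 ]; then echo nat-present; else echo create-nat; fi ;;
    private-ranges-only|"")
      echo no-nat-needed ;;
    *)
      echo "unknown egress setting: $egress" >&2; return 1 ;;
  esac
}

# Print the gcloud commands or next checks for a plan (workarounds 1 and 2).
remediation() {
  case "$1" in
    create-nat)
      cat <<EOF
gcloud compute routers create nat-router --network=${NETWORK} --region=${REGION}
gcloud compute routers nats create nat-config --router=nat-router --region=${REGION} --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips
# alternative if the VPC is only needed for private resources:
# gcloud run services update ${SERVICE} --region=${REGION} --vpc-egress=private-ranges-only
EOF
      ;;
    nat-present)
      echo "# Cloud NAT exists in ${REGION}: confirm it covers the service's egress subnet and that VPC egress firewall rules allow the destination port" ;;
    no-nat-needed)
      echo "# egress is not all-traffic, so traffic to public IPs never enters the VPC; Cloud NAT is not the cause" ;;
  esac
}

# Live lookups (require gcloud and permissions on the project).
current_egress() {
  gcloud run services describe "$SERVICE" --region="$REGION" --format=yaml \
    | awk '/vpc-access-egress:/ {print $2; exit}'
}

nat_count() {
  local n=0 r
  for r in $(gcloud compute routers list --regions="$REGION" \
               --filter="network~/${NETWORK}\$" --format='value(name)'); do
    n=$((n + $(gcloud compute routers nats list --router="$r" --region="$REGION" \
                 --format='value(name)' | wc -l)))
  done
  echo "$n"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  plan=$(plan_fix "$(current_egress)" "$(nat_count)")
  echo "plan: $plan"
  remediation "$plan"
fi
```

Run it as RUN_LIVE=1 SERVICE=my-service REGION=us-central1 NETWORK=default ./egress-check.sh; the nat-present branch is the important one, because it means creating another NAT will not help and the problem is a NAT that does not cover the egress subnet or a firewall egress rule.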


Dead Ends

Common approaches that don't work:

  1. 90% fail Changing the DNS resolver configuration.

    The DNS timeout is due to network routing, not DNS server configuration; with all-traffic egress the VPC carries every outbound packet, including DNS queries to resolvers outside the VPC, and without Cloud NAT none of it reaches the internet. The resolver in the error (169.254.169.254) is the GCP metadata server, which is the default VPC-internal resolver, so it is not a misconfigured external DNS server.

  2. 70% fail Disabling VPC egress entirely.

    Disabling VPC egress may break connectivity to internal resources (e.g., Cloud SQL over private IP) that the service depends on, causing other errors.

  3. 95% fail Increasing the client or request timeout.

    The timeout is a symptom of network unreachability, not a processing delay; a longer timeout only makes the failure take longer and won't fix the missing NAT gateway.
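Because dead ends 1 and 3 come from aiming the fix at the wrong layer, it helps to classify the logged Go net error by the stage that failed (name resolution, TCP connect, or a refused connection) before touching anything. The script below is an added example, not code from the original entry; the sample log lines are constructed for it (the first mirrors this entry's error, the others are hypothetical), and the hints map each stage back to the workarounds and dead ends above.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: classify Go net errors found in
# Cloud Run logs by the stage that failed (name resolution vs. TCP connect),
# so the fix is aimed at the right layer. The sample log lines are
# constructed for this example; only the first mirrors the entry's error.
set -euo pipefail

# Stage classifier for Go "dial tcp" error strings.
# Prints: dns-timeout | dns-nxdomain | connect-timeout | connect-refused | other
classify_net_error() {
  case "$1" in
    *"lookup "*": i/o timeout"*)                                    echo dns-timeout ;;
    *"lookup "*"no such host"*)                                     echo dns-nxdomain ;;
    *"connect: connection timed out"*|*"dial tcp "*": i/o timeout"*) echo connect-timeout ;;
    *"connection refused"*)                                         echo connect-refused ;;
    *)                                                              echo other ;;
  esac
}

# Extract the resolver address ("... on HOST:PORT: ...") from a lookup error;
# prints nothing for errors that never reached the lookup stage.
resolver_of() {
  printf '%s\n' "$1" | sed -n 's/.* on \([^:]*:[0-9]*\):.*/\1/p'
}

# What each stage means for this entry's workarounds and dead ends.
hint_for() {
  case "$1" in
    dns-timeout)
      echo "resolution timed out: check the VPC egress setting and Cloud NAT, not the resolver (Dead End 1)" ;;
    connect-timeout)
      echo "name resolved but no path to the peer: with all-traffic egress this is missing Cloud NAT or an egress firewall rule; a longer timeout will not help (Dead End 3)" ;;
    connect-refused)
      echo "packets reached the peer, which is not listening: routing and NAT are fine, check the target port/service" ;;
    dns-nxdomain)
      echo "the resolver answered: the name is wrong or not published, not a NAT problem" ;;
    *)
      echo "inspect manually" ;;
  esac
}

# Triage each log line on stdin: <stage> TAB <resolver or -> TAB <hint>
triage() {
  local line stage resolver
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    stage=$(classify_net_error "$line")
    resolver=$(resolver_of "$line")
    printf '%s\t%s\t%s\n' "$stage" "${resolver:--}" "$(hint_for "$stage")"
  done
}

# Constructed sample lines (not real logs).
SAMPLE_DNS='Error: Cloud Run service cannot connect to external API: dial tcp: lookup api.example.com on 169.254.169.254:53: read udp 10.0.0.1:53: i/o timeout'
SAMPLE_CONNECT='Post "https://api.example.com/v1": dial tcp 203.0.113.10:443: i/o timeout'
SAMPLE_REFUSED='dial tcp 10.8.0.3:5432: connect: connection refused'

triage <<EOF
$SAMPLE_DNS
$SAMPLE_CONNECT
$SAMPLE_REFUSED
EOF
```

In practice feed it the exported log lines (for example, gcloud logging read output piped through grep 'dial tcp') and look at the first column: dns-timeout and connect-timeout both point at the egress path, while connect-refused means the packets are already getting out.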