{
  "id": "cloud/gcp-cloud-run-service-egress-ip",
  "signature": "Error: Cloud Run service cannot connect to external API: dial tcp: lookup api.example.com on 169.254.169.254:53: read udp 10.0.0.1:53: i/o timeout",
  "signature_zh": "错误：Cloud Run 服务无法连接到外部 API：dial tcp：查找 api.example.com 在 169.254.169.254:53：读取 udp 10.0.0.1:53：i/o 超时",
  "regex": "dial tcp: lookup .* on .*:53: read udp .*:53: i/o timeout",
  "domain": "cloud",
  "category": "network_error",
  "subcategory": null,
  "root_cause": "The Cloud Run service is configured with VPC egress set to 'route all traffic through the VPC' but the VPC has no NAT gateway or Cloud NAT, so outbound traffic to the internet is blocked.",
  "root_cause_type": "generic",
  "root_cause_zh": "Cloud Run 服务配置了 VPC 出站流量设置为“通过 VPC 路由所有流量”，但 VPC 没有 NAT 网关或 Cloud NAT，因此到互联网的出站流量被阻止。",
  "versions": [
    {
      "version": "Cloud Run (fully managed): gen2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "VPC: auto-mode",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Cloud NAT: not configured",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The DNS timeout is caused by network routing, not by DNS server configuration: with all egress routed through a VPC that has no NAT, outbound traffic cannot reach the internet, and that includes DNS queries to external servers.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Disabling VPC egress may break connectivity to internal resources (e.g., Cloud SQL) that the service depends on, causing other errors.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The timeout is a symptom of network unreachability, not a processing delay; a longer timeout won't fix the missing NAT gateway.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
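    {
      "action": "Create a Cloud NAT router in the VPC: gcloud compute routers create nat-router --network=default --region=us-central1 && gcloud compute routers nats create nat-config --router=nat-router --region=us-central1 --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips",
      "success_rate": 0.95,
      "how": "Create a Cloud NAT router in the VPC: gcloud compute routers create nat-router --network=default --region=us-central1 && gcloud compute routers nats create nat-config --router=nat-router --region=us-central1 --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips (the --network and --region values must match the network and region of the subnet the Cloud Run service sends its egress through). Note that --nat-all-subnet-ip-ranges gives every subnet in that region of the network a path to the internet; to limit outbound access to the Cloud Run subnet only, list that subnet with --nat-custom-subnet-ip-ranges instead.",
      "condition": "",
      "sources": []
    },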
    {
      "action": "Change the Cloud Run service's VPC egress setting to 'route only requests to private IPs through the VPC' (--vpc-egress=private-ranges-only) if the service needs the VPC only to reach internal resources.",
      "success_rate": 0.85,
      "how": "Change the Cloud Run service's VPC egress setting to 'route only requests to private IPs through the VPC' (--vpc-egress=private-ranges-only) if the service needs the VPC only to reach internal resources. Requests to public addresses then leave Cloud Run directly instead of through the VPC, so VPC egress firewall rules and a fixed NAT egress IP no longer apply to that traffic.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use Serverless VPC Access connector with a NAT gateway instead of direct VPC egress.",
      "success_rate": 0.9,
      "how": "Use Serverless VPC Access connector with a NAT gateway instead of direct VPC egress.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "在 VPC 中创建 Cloud NAT 路由器：gcloud compute routers create nat-router --network=default --region=us-central1 && gcloud compute routers nats create nat-config --router=nat-router --region=us-central1 --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips",
    "如果 Cloud Run 服务只需要访问内部资源，将其 VPC 出站设置更改为“仅通过 VPC 路由到私有 IP 的请求”（--vpc-egress=private-ranges-only）。",
    "使用 Serverless VPC Access 连接器配合 NAT 网关，而不是直接 VPC 出站。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://cloud.google.com/run/docs/configuring/vpc-direct-vpc",
  "official_doc_section": null,
  "error_code": "DNSTimeout",
  "verification_tier": "ai_generated",
  "confidence": 0.83,
  "fix_success_rate": 0.87,
  "resolvable": "true",
  "first_seen": "2025-03-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}