# Error: Cloud Run service cannot connect to external API: dial tcp: lookup api.example.com on 169.254.169.254:53: read udp 10.0.0.1:53: i/o timeout

- **ID:** `cloud/gcp-cloud-run-service-egress-ip`
- **Domain:** cloud
- **Category:** network_error
- **Error Code:** `DNSTimeout`
- **Verification:** ai_generated
- **Fix Rate:** 87%

## Root Cause

The Cloud Run service's VPC egress is set to route all traffic through the VPC (`--vpc-egress=all-traffic`), but the VPC has no NAT gateway or Cloud NAT. Packets destined for public internet addresses therefore have no route out of the VPC and are dropped, which surfaces as the DNS lookup timing out before the connection is even attempted.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Cloud Run (fully managed): gen2 | active | — | — |
| VPC: auto-mode | active | — | — |
| Cloud NAT: not configured | active | — | — |

## Workarounds

1. **Create a Cloud NAT router in the VPC and attach a Cloud NAT configuration to it.** (95% success)
   ```
   gcloud compute routers create nat-router --network=default --region=us-central1 && \
   gcloud compute routers nats create nat-config --router=nat-router --region=us-central1 \
     --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips
   ```
2. **Change the Cloud Run service's VPC egress setting to 'route only requests to private IPs through the VPC' (`--vpc-egress=private-ranges-only`) if the service only needs the VPC for access to internal resources.** (85% success)
3. **Use a Serverless VPC Access connector with a NAT gateway instead of direct VPC egress.** (90% success)
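The workarounds above are alternatives, and which one applies depends on two facts an operator has to collect: how the service's VPC egress is set, and whether the VPC has any Cloud NAT. The following script is an added example, not code from the page or from Google; it parses the Go-style `dial tcp: lookup … i/o timeout` message, combines it with an `EgressState` record (a constructed stand-in for what `gcloud run services describe` and `gcloud compute routers nats list` would tell you), and names the workaround that fits. The `EgressState` field names, the verdict strings and the `SERVICE_NAME` placeholder are this example's own; the NAT commands it emits are the page's, with region and network parameterised.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Go's net package formats a DNS failure inside a dial as
# "dial tcp: lookup <host> on <resolver>:<port>: read udp <local>: i/o timeout".
# This regex matches that shape; it is written for this example only.
GO_DNS_TIMEOUT = re.compile(
    r"dial tcp: lookup (?P<host>\S+) on (?P<resolver>[\d.]+):(?P<port>\d+): "
    r"read udp (?P<local>[\d.]+:\d+): i/o timeout"
)

# Constructed sample: the exact error text this page documents.
SAMPLE_ERROR = ("Cloud Run service cannot connect to external API: dial tcp: "
                "lookup api.example.com on 169.254.169.254:53: "
                "read udp 10.0.0.1:53: i/o timeout")


@dataclass
class EgressState:
    """Facts an operator collects before choosing a fix (field names are
    this example's own, not gcloud output fields)."""
    vpc_egress: str              # "all-traffic" or "private-ranges-only"
    cloud_nat_configured: bool   # any Cloud NAT on a router in this VPC/region
    needs_public_internet: bool  # does the service call external APIs at all?


def parse_dns_timeout(line: str) -> Optional[Dict[str, str]]:
    """Return host/resolver/port/local fields from a Go lookup timeout, else None.
    A resolver of 169.254.169.254 is the metadata-server DNS that Google Cloud
    workloads use by default, i.e. the default DNS configuration, not a custom one."""
    m = GO_DNS_TIMEOUT.search(line)
    return m.groupdict() if m else None


def diagnose(line: str, state: EgressState) -> str:
    """Classify the failure and name the workaround that applies.

    Verdicts:
      "not-dns-timeout"     - different error shape; not this issue
      "create-cloud-nat"    - workaround 1: all-traffic egress, no NAT, needs internet
      "private-ranges-only" - workaround 2: service needs only internal resources
      "egress-not-cause"    - public traffic already bypasses the VPC; look elsewhere
    """
    if parse_dns_timeout(line) is None:
        return "not-dns-timeout"
    if state.vpc_egress == "all-traffic" and not state.cloud_nat_configured:
        # The page's root cause: everything is routed into a VPC with no way out.
        # Adding NAT is the fix if the service genuinely needs the internet;
        # otherwise narrowing egress removes the dependency on NAT altogether.
        return "create-cloud-nat" if state.needs_public_internet else "private-ranges-only"
    # Either egress is private-ranges-only (public IPs leave Cloud Run directly)
    # or a Cloud NAT already exists, so missing NAT is not what blocks this lookup.
    return "egress-not-cause"


def remediation_commands(verdict: str, region: str = "us-central1",
                         network: str = "default",
                         service: str = "SERVICE_NAME") -> List[str]:
    """gcloud commands for a verdict; SERVICE_NAME is a placeholder to replace."""
    if verdict == "create-cloud-nat":
        return [
            f"gcloud compute routers create nat-router --network={network} --region={region}",
            f"gcloud compute routers nats create nat-config --router=nat-router "
            f"--region={region} --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips",
        ]
    if verdict == "private-ranges-only":
        return [f"gcloud run services update {service} --region={region} "
                f"--vpc-egress=private-ranges-only"]
    return []


if __name__ == "__main__":
    state = EgressState(vpc_egress="all-traffic", cloud_nat_configured=False,
                        needs_public_internet=True)
    verdict = diagnose(SAMPLE_ERROR, state)
    print("parsed:", parse_dns_timeout(SAMPLE_ERROR))
    print("verdict:", verdict)
    for cmd in remediation_commands(verdict):
        print("  ", cmd)
```

Running it against the page's error with `all-traffic` egress and no NAT yields `create-cloud-nat` and the two router/NAT commands from workaround 1; flipping `needs_public_internet` to `False` yields workaround 2 instead. The `egress-not-cause` verdict is the guard against the first dead end below: if egress is already `private-ranges-only`, or a NAT exists, the lookup timeout has some other cause and adding NAT will not help.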

## Dead Ends

- **Changing the DNS server configuration** — The DNS timeout is due to network routing, not DNS server configuration; the VPC egress setting blocks all outbound traffic, including DNS queries to external servers. (90% fail)
- **Disabling VPC egress entirely** — Disabling VPC egress may break connectivity to internal resources (e.g., Cloud SQL) that the service depends on, causing other errors. (70% fail)
- **Increasing the request timeout** — The timeout is a symptom of network unreachability, not a processing delay; a longer timeout won't fix the missing NAT gateway. (95% fail)
