错误:Cloud Run 服务无法连接到外部 API:dial tcp:查找 api.example.com 在 169.254.169.254:53:读取 udp 10.0.0.1:53:i/o 超时
Error: Cloud Run service cannot connect to external API: dial tcp: lookup api.example.com on 169.254.169.254:53: read udp 10.0.0.1:53: i/o timeout
ID: cloud/gcp-cloud-run-service-egress-ip
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Cloud Run (fully managed): gen2 | active | — | — | — |
| VPC: auto-mode | active | — | — | — |
| Cloud NAT: not configured | active | — | — | — |
根因分析
Cloud Run 服务配置了 VPC 出站流量设置为“通过 VPC 路由所有流量”,但 VPC 没有 NAT 网关或 Cloud NAT,因此到互联网的出站流量被阻止。
English
The Cloud Run service is configured with VPC egress set to 'route all traffic through the VPC' but the VPC has no NAT gateway or Cloud NAT, so outbound traffic to the internet is blocked.
官方文档
https://cloud.google.com/run/docs/configuring/vpc-direct-vpc解决方案
-
在 VPC 中创建 Cloud NAT 路由器:gcloud compute routers create nat-router --network=default --region=us-central1 && gcloud compute routers nats create nat-config --router=nat-router --region=us-central1 --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips
-
如果 Cloud Run 服务只需要访问内部资源,将其 VPC 出站设置更改为“仅通过 VPC 路由到私有 IP 的请求”(--vpc-egress=private-ranges-only)。
-
使用 Serverless VPC Access 连接器配合 NAT 网关,而不是直接 VPC 出站。
无效尝试
常见但无效的做法:
-
90% 失败
The DNS timeout is due to network routing, not DNS server configuration; the VPC egress blocks all outbound traffic, including DNS queries to external servers.
-
70% 失败
Disabling VPC egress may break connectivity to internal resources (e.g., Cloud SQL) that the service depends on, causing other errors.
-
95% 失败
The timeout is a symptom of network unreachability, not a processing delay; longer timeout won't fix the missing NAT gateway.