Introducing a new Eventarc destination - internal HTTP endpoint in a VPC network


Eventarc helps users build event-driven architectures without having to implement, customize, or maintain the underlying infrastructure.

Eventarc has added support (in public preview) for delivering events to internal HTTP endpoints in a Virtual Private Cloud (VPC) network. Customers, especially large enterprises, often run compute (typically GKE or GCE) on VPC-private IPs, often behind internal load balancers. This launch will enable these services to consume Eventarc events.

Internal HTTP endpoints can be an internal IP address or fully qualified DNS name (FQDN) for any HTTP endpoint in the VPC network. Examples of destinations that can be targeted via the internal HTTP endpoints include Compute Engine VMs with internal IPs, services fronted by an L7 Internal Load Balancer, Private Service Connect endpoints, Google Kubernetes Engine Ingress, Google Kubernetes Engine Services, Cloud Run behind an internal Application Load Balancer and any destinations registered with Cloud DNS via DNS record.

Create a trigger to an internal HTTP endpoint

To create an Eventarc trigger to an internal HTTP endpoint hosted in a VPC network subnet, you need to go through a couple of steps.

First, you need to create a firewall rule that allows ingress traffic to your internal HTTP endpoint (in this case 80):

gcloud compute firewall-rules create $RULE_NAME \
    --network=projects/$PROJECT_ID/global/networks/$NETWORK_NAME \
    --direction=INGRESS \
    --priority=1000 \
    --action=ALLOW \
    --source-ranges= \

Note that --source-ranges is optional and if provided, it needs to be the same as what’s used in the subnet. It enables the firewall rule to specifically capture the ranges where Eventarc delivery traffic is coming from via the PSC network attachment.

Second, you need to create a network attachment. A network attachment is a regional resource that lets you explicitly authorize Eventarc to connect to a VPC network. Eventarc uses the network attachment to establish a connection to the internal HTTP endpoint hosted in a VPC network.

gcloud compute network-attachments create $ATTACHMENT_NAME \
    --region=$REGION \
    --subnets=$SUBNET_NAME \

Now, you can create an Eventarc trigger to the internal HTTP endpoint (running on a Compute Engine VM in this instance) with the network attachment:

gcloud eventarc triggers create $TRIGGER_NAME \
    --location=$REGION \
--destination-http-endpoint-uri=http://$INSTANCE_NAME.$ZONE.c.PROJECT_ID.internal \
    --network-attachment="projects/$PROJECT_ID/regions/$REGION/networkAttachments/$ATTACHMENT_NAME" \
    --event-filters="" \

That’s it! Now, your internal Compute Engine VM can receive Pub/Sub events from Eventarc. For an end-to-end tutorial, check out Receive Pub/Sub events at an internal HTTP endpoint in a VPC network.


There are some limitations you need to be aware of:

  • You can’t create more than one Eventarc trigger for the same DNS name. This will be resolved soon.
  • There is a limit of 100 Eventarc triggers for internal HTTP endpoints per project.
  • Only the following Eventarc trigger locations are supported (but more regions are coming soon): asia-east1, europe-north1, europe-west1, us-central1, us-east1. More regions are coming soon.

Learn more

To learn more, check out the official documentations and tutorials:

As always, feel free to reach out to me on Twitter @meteatamel for feedback and questions.

See also