Your container app runs like a dream in Cloud Run until it needs to talk to something heavier. Maybe a background job on Google Compute Engine. Maybe a model server chewing through GPU cycles. That bridge between Cloud Run and GCE is where most teams either overspend, oversecure, or both.
Cloud Run gives you the fully managed, autoscaling environment everyone loves. No servers, no sleepless nights. Google Compute Engine gives you the power to run stateful or long-lived workloads. Pair them and you get a split brain of convenience and raw control. The trick is keeping identity and network boundaries tight while the two talk.
The integration hinges on workload identity rather than shared credentials. Cloud Run authenticates to GCE as its runtime service account, granted only the IAM roles that path needs. Each call carries a short-lived OIDC ID token minted for the target endpoint as its audience, so there are no shared secrets and no SSH keys left on forgotten disks. The receiving service on Compute Engine verifies that token (signature, issuer, expiry, audience) and checks that the caller's service account is one it expects; when the instance returns results, it authenticates back through the same trust chain. Because the whole exchange rides on standard OIDC, it also plays nicely with other identity providers such as Okta or AWS IAM if you need hybrid access.
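Both halves of that handshake, as an added example that is not code from the original article: the Cloud Run side fetches a per-invocation ID token from the documented metadata-server endpoint, and the GCE side verifies the token and then applies its own policy (expected audience, allow-listed caller service accounts). The audience URL, project name and service-account e-mail are constructed placeholders; the `google-auth` verifier call is the real library API, imported lazily so the module still loads where the package is absent.

```python
"""Caller (Cloud Run) and receiver (GCE) halves of a service-account
ID-token handshake. Added example; not code from the original article."""
import time
import urllib.parse
import urllib.request

# Cloud Run exposes the metadata server at this documented host; its
# "identity" endpoint mints an OIDC ID token for the runtime service account.
METADATA_HOST = "http://metadata.google.internal"
# Issuer values Google puts in the 'iss' claim of its ID tokens.
GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")


def metadata_id_token_url(audience: str) -> str:
    """URL that returns an ID token whose 'aud' claim is the target endpoint."""
    query = urllib.parse.urlencode({"audience": audience})
    return (f"{METADATA_HOST}/computeMetadata/v1/instance/"
            f"service-accounts/default/identity?{query}")


def fetch_id_token(audience: str) -> str:
    """Caller side: ask the metadata server for a fresh, short-lived token.
    Called once per invocation, so nothing long-lived is cached or stored."""
    req = urllib.request.Request(metadata_id_token_url(audience),
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def auth_header(token: str) -> dict:
    """Bearer header the Cloud Run service attaches to its HTTPS call."""
    return {"Authorization": f"Bearer {token}"}


def verify_id_token(token: str, audience: str) -> dict:
    """Receiver side: verify signature, issuer, expiry and audience against
    Google's public certs and return the claims. Needs `google-auth` and
    `requests` installed on the GCE instance (assumed, imported lazily)."""
    from google.auth.transport import requests as ga_requests
    from google.oauth2 import id_token
    return id_token.verify_oauth2_token(token, ga_requests.Request(), audience)


def authorize_claims(claims: dict, expected_audience: str,
                     allowed_service_accounts: frozenset, now=None) -> bool:
    """Policy layer applied after signature verification. A valid Google
    token is not enough: the identity it carries must be one of the
    allow-listed Cloud Run service accounts and minted for this endpoint."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False
    if claims.get("aud") != expected_audience:
        return False
    if claims.get("exp", 0) <= now:
        return False
    if not claims.get("email_verified"):
        return False
    return claims.get("email") in allowed_service_accounts


if __name__ == "__main__":
    # Constructed placeholders: the GCE endpoint and the permitted caller.
    AUDIENCE = "https://gce-worker.internal/run"
    ALLOWED = frozenset({"run-invoker@example-project.iam.gserviceaccount.com"})
    # Constructed claims standing in for the output of verify_id_token().
    claims = {"iss": "https://accounts.google.com", "aud": AUDIENCE,
              "exp": time.time() + 600, "email_verified": True,
              "email": "run-invoker@example-project.iam.gserviceaccount.com"}
    print("authorized:", authorize_claims(claims, AUDIENCE, ALLOWED))
```

On the GCE side, `verify_id_token` rejects forged, expired and wrong-audience tokens, and `authorize_claims` is where least privilege is enforced at the application layer: only the named caller identities are accepted, so a valid token from some other service account in the project is still refused and logged as a denial.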
If your jobs need to trigger over HTTPS, use a private internal IP or Identity-Aware Proxy to gate access. For batch jobs, Pub/Sub or Cloud Tasks can hand off work directly to GCE endpoints, enforcing retry logic and rate limits automatically. Auditing stays clean because every invocation lands in Cloud Logging under a single trace.
Best practices to keep the bridge clean
- Assign minimal required IAM roles to the Cloud Run service account.
- Fetch a fresh short-lived token for every invocation rather than caching one across calls.
- Keep secrets in Secret Manager, never environment variables.
- Use VPC connectors only when your GCE instance must stay private.
- Monitor latency between regions and zones; cross-zone and cross-region hops add egress charges that are easy to miss.
When done right, the Cloud Run to GCE workflow feels automatic. Developers push a container, invoke a task, and compute nodes spin to life only when called. No extra approvals, no ticket queues, no shouting across Slack for firewall tweaks.