Your app runs perfectly on a local Windows Server 2016 VM. Then you try deploying it on Cloud Run, and everything unravels. Permissions vanish, dependencies go missing, environment assumptions fail. Welcome to the classic “Windows meets container-native” drama.
Cloud Run excels at running stateless containers that scale fast and cost little when idle. Windows Server 2016, on the other hand, hosts legacy workloads that many teams still rely on. Marrying the two can modernize operations without rewriting your entire application. The trick is knowing what actually belongs inside the container and what’s better handled by the platform.
The short version: Cloud Run supports Windows workloads only indirectly. Build workflows that start from Windows Server 2016 bases produce OCI-compliant images, and those images reach Cloud Run after being converted or replatformed with cross-build tools. You are not literally running a full Windows kernel in Google’s environment, but you can run workloads built for it if they respect container boundaries.
How do you connect Cloud Run and Windows Server 2016 logically?
Treat Windows Server as a build or staging layer. Use it to compile, package, or transform .NET Framework apps into container-ready services that Cloud Run can serve. Identity flows through OIDC, and permissions are mapped using OAuth claims or IAM roles. Focus on the identity handshake, not the OS semantics. When the container starts, everything it needs should already exist inside its filesystem or arrive through secure secrets injection.
Quick answer
You cannot run a “pure” Windows Server 2016 instance in Cloud Run, but you can deploy images built from Windows-based apps by containerizing and translating them into platform-agnostic containers.
Best practices for the hybrid setup
- Keep builds reproducible with Dockerfiles that standardize dependencies.
- Use Artifact Registry to store cross-built images for predictable rollouts.
- Map RBAC once, and let automation enforce it. No manual logins.
- Rotate secrets with GCP Secret Manager or an external vault instead of inline config.
- Instrument logs early. Windows-style event logs rarely port directly.
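An added example, not from the original article: a small Python check that applies three of the practices above (Artifact Registry images, Secret Manager references instead of inline config, an explicit service identity) to a Cloud Run service manifest. The manifests and every project, image and secret name are constructed placeholders; the digest-pinning rule and the secret-name pattern are assumptions of this example.

```python
import re

# Heuristic (assumption of this example): env var names that usually hold secrets.
SECRET_HINT = re.compile(r"PASSWORD|SECRET|TOKEN|API_?KEY|CONNECTION_?STRING", re.I)
# Artifact Registry Docker hosts look like LOCATION-docker.pkg.dev.
ARTIFACT_REGISTRY = re.compile(r"^[a-z0-9-]+-docker\.pkg\.dev/")

def build_manifest(image, env, service_account=None):
    """Build a minimal Cloud Run service manifest (Knative Service shape)."""
    spec = {"containers": [{"image": image, "env": env}]}
    if service_account:
        spec["serviceAccountName"] = service_account
    return {"apiVersion": "serving.knative.dev/v1", "kind": "Service",
            "metadata": {"name": "legacy-billing"}, "spec": {"template": {"spec": spec}}}

def audit_service(manifest):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    spec = manifest["spec"]["template"]["spec"]
    if not spec.get("serviceAccountName"):
        findings.append("no serviceAccountName: runs as the default service account")
    for container in spec.get("containers", []):
        image = container.get("image", "")
        if not ARTIFACT_REGISTRY.match(image):
            findings.append(f"image not from Artifact Registry: {image}")
        if "@sha256:" not in image:
            findings.append(f"image referenced by mutable tag, not digest: {image}")
        for env in container.get("env", []):
            if SECRET_HINT.search(env["name"]) and "value" in env:
                findings.append(f"inline secret in env var {env['name']}")
    return findings

# Constructed samples: every project, image and secret name is a placeholder.
REPO = "us-central1-docker.pkg.dev/example-project/apps/legacy-billing"
WEAK = build_manifest(
    REPO + ":latest",
    [{"name": "DB_PASSWORD", "value": "constructed-not-a-real-secret"},
     {"name": "LOG_LEVEL", "value": "info"}])
HARDENED = build_manifest(
    REPO + "@sha256:" + "0" * 64,
    # Cloud Run secretKeyRef: name is the Secret Manager secret, key its version.
    [{"name": "DB_PASSWORD",
      "valueFrom": {"secretKeyRef": {"name": "billing-db-password", "key": "latest"}}},
     {"name": "LOG_LEVEL", "value": "info"}],
    service_account="billing-run@example-project.iam.gserviceaccount.com")

if __name__ == "__main__":
    for label, m in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_service(m) or "OK")
```

The same function can be pointed at the JSON that `gcloud run services describe SERVICE --format=json` returns, so the check can run in a pipeline before a rollout.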
When done right, your Windows workload starts acting like a modern serverless app: it scales when needed, sleeps when not, and cuts infrastructure overhead.
Platforms like hoop.dev turn those access rules into guardrails that enforce policy automatically. Instead of juggling credentials between Cloud Run and a Windows environment, you define access once. The platform verifies identity at every hop and logs it for audit, all without forcing engineers to think about tokens.
That small shift changes developer velocity. No more waiting for approval emails before restarting a service. Debugging becomes faster because identities and actions are traceable in real time. The build-test-deploy loop feels lighter, almost fun, even when dealing with legacy .NET code.
AI copilots also gain clarity in this model. When identities and permissions are consistently enforced, automated agents can execute safe remediation tasks or generate deployment configs without risking privilege misuse.
In the end, Cloud Run and Windows Server 2016 can cooperate—if you treat Windows as a packaging environment, not the runtime. The future looks less like “lift and shift” and more like “translate and automate.”