The moment you try to run Windows workloads in a container-first environment, reality hits. You want the flexibility of Cloud Run but need the power and compatibility of Windows Server 2022. On paper, they look like they live in different worlds. In practice, they can run the same app if you respect what each system is good at.
Cloud Run handles stateless containers with impeccable isolation and scaling logic. Windows Server 2022 remains the foundation for enterprise-grade workloads that depend on .NET Framework, COM components, or legacy integrations. Combined, they offer a bridge between your heritage stack and modern cloud automation. The key is understanding how identity, permissions, and network boundaries fit together.
Running Windows Server 2022 on Cloud Run is not about pretending Linux and Windows are identical. It is about encapsulating Windows-based services using container images, then exposing them through Cloud Run’s managed environment. Technically, this works best when you use Windows Server Core or Nano Server images built with container support. Those images define the runtime layer, and Cloud Run gives them a secure traffic surface with autoscaling baked in.
Integration workflow:
Cloud Run runs containers, not full VMs. So the right move is to use Cloud Build or Docker to create Windows containers from your existing workloads. Push the image to Artifact Registry, then deploy via gcloud or an automated pipeline. For identity, link Cloud Run services with your IAM provider using OIDC or workload identity federation. Permissions flow through Google Cloud IAM and map neatly to Windows ACLs if you design access at the service account level. Keep your secrets out of the image by connecting Secret Manager to the runtime environment.
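A pre-push check for the image build step above, as an added example that is not from the original article: it lints a Windows container Dockerfile for secrets baked in through ARG/ENV defaults or copied key files, and checks that the final base image is Server Core or Nano Server on ltsc2022. The rule names, regexes and the sample Dockerfile are assumptions made for illustration.

```python
import re

SECRET_NAME = re.compile(r"passw(or)?d|pwd|secret|token|api[_-]?key", re.I)
SECRET_VALUE = re.compile(r"(password|pwd)\s*=\s*[^;\s]+", re.I)
SECRET_FILE = re.compile(r"(\.pfx|\.pem|\.key|\.env|secrets?\.(json|ya?ml|config))$", re.I)
KEY_VALUE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S*)""")
APPROVED_BASE = re.compile(r"(servercore|nanoserver).*ltsc2022", re.I)

def logical_lines(text):  # join continued lines, honouring the "# escape=" directive
    m = re.match(r"\s*#\s*escape\s*=\s*(\S)", text)
    esc, buf = (m.group(1) if m else "\\"), ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith(esc):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def lint_dockerfile(text):
    """Return (rule, detail) findings for baked-in secrets and the final base image."""
    findings, base = [], None
    for line in logical_lines(text):
        instr, _, rest = line.partition(" ")
        if instr.upper() == "FROM":
            base = next(t for t in rest.split() if not t.startswith("--"))
        elif instr.upper() in ("ENV", "ARG"):
            for key, value in KEY_VALUE.findall(rest):
                if value.strip("\"'") and SECRET_NAME.search(key):
                    findings.append(("secret-name", key))      # literal default for a secret
                elif SECRET_VALUE.search(value):
                    findings.append(("secret-value", key))     # e.g. connection string
        elif instr.upper() in ("COPY", "ADD"):
            sources = [t.strip('[],"') for t in rest.split()[:-1] if not t.startswith("--")]
            findings += [("secret-file", s) for s in sources if SECRET_FILE.search(s)]
    if base and not APPROVED_BASE.search(base):
        findings.append(("base-image", base))
    return findings

# Constructed sample Dockerfile; variable names, values and paths are made up.
SAMPLE = r"""# escape=`
FROM mcr.microsoft.com/windows/servercore:ltsc2022
ARG DB_PASSWORD=Sup3rS3cret!
ENV API_KEY=abc123 `
    APP_MODE=production
ENV APP_DB="Server=db;User Id=app;Password=hunter2;"
COPY certs/site.pfx C:/app/site.pfx
"""
print(lint_dockerfile(SAMPLE))
```

Each finding marks a value that should be supplied at runtime from Secret Manager rather than stored in an image layer.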
Best practices:
- Use ephemeral storage only, and persist data in mounted services like Cloud SQL or Filestore.
- Rotate credentials at runtime using automation, not manual SSH sessions.
- Collect telemetry from Windows event logs by exporting them through OpenTelemetry-compatible collectors.
- Align network policies with both Cloud Run’s egress rules and Windows Defender Firewall for parity.
Benefits of this setup:
- Bring legacy Windows workloads onto modern serverless infrastructure.
- Cut server patching down to zero since Cloud Run handles host updates.
- Improve compliance posture with IAM-based isolation and SOC 2–ready audit trails.
- Gain dynamic scaling for applications that previously required static Windows VMs.
- Reduce operational toil by integrating CI/CD directly into image updates.
Developers love it because it keeps their workflow simple. No more waiting for VM provisioning or manual patch cycles. They push code, watch containers build, and see Windows apps spin up under Cloud Run’s autoscaler within seconds. Developer velocity climbs, and debugging happens faster since logs centralize in Cloud Logging.
Platforms like hoop.dev turn those access rules into guardrails that enforce policy automatically. Instead of wiring IAM, OIDC, and network tags by hand, hoop.dev automates identity-aware access across environments. It makes your hybrid Cloud Run plus Windows Server 2022 stack feel unified.
Quick answer: How do you run Windows Server 2022 on Cloud Run?
You package your Windows application as a container image built on Windows Server 2022, push it to a registry, and deploy through Cloud Run’s managed runtime. Identity maps via IAM and workload federation, giving secure, repeatable access without manual setup.
When AI copilots or automation agents touch these workloads, the same identity layer ensures prompts and commands stay contained. You get faster response cycles without handing over sensitive system-level permissions. That is how machine-assisted operations stay compliant.
Cloud Run and Windows Server 2022 together create a low-friction bridge for teams migrating from traditional infrastructure to serverless execution, keeping the best of both worlds.