Secure n8n Deployment on Google Cloud Run with IAP and Direct VPC Egress

Deploying n8n on Google Cloud Run with Identity Aware Proxy (IAP) and Direct VPC Egress creates a secure, cost-efficient serverless automation platform that can be set up in minutes. This setup builds upon the official n8n Cloud Run documentation and extends it with production-grade security features for enterprise environments.

Architecture Overview

The deployment follows the n8n durable mode setup with critical security enhancements. Instead of exposing the Cloud Run service publicly, Identity Aware Proxy ensures only authenticated users from your organization can access the endpoint. The PostgreSQL database remains completely isolated from the internet by using only private IP addresses, enabled through Direct VPC Egress.

Securing Database Access with Direct VPC Egress

The standard n8n Cloud Run configuration uses a PostgreSQL database with a public IP address. For production environments, this presents an unnecessary security risk. The solution is Direct VPC Egress, which allows Cloud Run instances to communicate directly with VPC resources over private IP addresses.​

Direct VPC egress offers significant advantages over the traditional Serverless VPC Access connector approach. It delivers lower latency and higher throughput by using a direct network path instead of connector instances. Additionally, you only pay for network egress traffic without any compute charges for connector VMs.​

The deployment command demonstrates the configuration:

Copy to Clipboard

The –vpc-egress=private-ranges-only parameter ensures that only traffic to private IP ranges goes through the VPC network. The environment variable CLOUDSQL_AUTH_PROXY_PRIVATE_IP=true configures the Cloud SQL Auth Proxy to use exclusively private IP addresses.

Identity Aware Proxy for Zero-Trust Security

Combining –no-allow-unauthenticated with –iap activates authentication through Google Cloud Identity, implementing a zero-trust security model. Every request must be validated by IAP before reaching n8n, regardless of the user’s location.

IAP provides several key benefits for Cloud Run deployments:​

  • Zero-trust security: Verifies every user and device attempting access, moving beyond traditional network-based security​
  • Reduced VPN dependency: Users can securely access Cloud Run services from anywhere after authentication​
  • Detailed audit trails: Records all access attempts for security monitoring and compliance​
  • Simplified architecture: No need for complex load balancer configurations or serverless NEGs​

Grant domain-wide access (here with our domain codeitlabs.com) with:

Copy to Clipboard

This approach leverages existing identity infrastructure and eliminates the need for separate authentication mechanisms.

Integrating Google Vertex AI with Gemini

Since n8n currently doesn’t support API key-based authentication for Vertex AI, service account authentication is required. Here’s the configuration process:​

  1. Create a service account with the Vertex AI Platform Express User role​
  2. If set: Temporarily disable the organization policy iam.disableServiceAccountKeyCreation to generate a JSON key​ – generally not a good idea, make sure the key is stored at a safe place (if at all) and has only the beforementioned role
  3. Create the JSON key for the service account​
  4. Re-enable the organization policy​

Configure the service account and key in n8n’s Google Vertex Chat credentials​

This method enables secure integration of Gemini models into your n8n workflows.​

Benefits of This Cloud Run Setup

The serverless architecture delivers compelling advantages:​

  • Rapid deployment: Complete setup in minutes instead of hours​
  • Pay-per-use pricing: Cloud Run charges only for actual compute time with no idle costs​
  • Minimal database costs: PostgreSQL instance costs only a few cents per day​
  • Automatic scaling: Scales based on incoming requests, including scaling to zero​
  • Enhanced security: Private network communication combined with IAP authentication protects sensitive workflows​
  • No connector overhead: Direct VPC egress eliminates compute charges for VPC connectivity​

This configuration combines best practices for security, performance, and cost efficiency, making it ideal for production n8n deployments on Google Cloud.​