Cloud Run functions controls for generative AI use cases

This document includes the best practices and guidelines for Cloud Run functions when running generative AI workloads on Google Cloud. Use Cloud Run functions with Vertex AI to automate tasks, serve predictions, trigger training jobs, integrate with other services, and build event-driven ML pipelines.

Consider the following use cases for Cloud Run functions with Vertex AI:

  • Ability to preprocess and post-process data: Cloud Run functions can preprocess data before sending it to your Vertex AI model for training or prediction. For example, a function can clean and normalize data, or extract features from it. Similarly, Cloud Run functions can post-process the output of your Vertex AI model. For example, a function can format the output data, or send it to another service for further analysis.
  • Automatic triggers for Vertex AI training jobs: To automate the training of Vertex AI models, you can trigger Cloud Run functions using events from various Google Cloud services, such as Cloud Storage, Pub/Sub, and Cloud Scheduler. For example, you can create a function that is triggered when a new file is uploaded to Cloud Storage. This function can start a Vertex AI training job to train your model on the new data.
  • Ability to serve predictions: Cloud Run functions can serve predictions from your Vertex AI models, letting you create an API endpoint for your model without having to manage any infrastructure. For example, you can write a function that takes an image as input, and outputs a prediction from your Vertex AI image classification model. You can then deploy this function as an HTTP API endpoint.
  • Event-driven ML workflows: You can use Cloud Run functions to build event-driven ML workflows. For example, a function can trigger a Vertex AI prediction job when a new record is added to a Pub/Sub topic. This function lets you process data in real time and take action based on your model predictions.
  • Integration with other services: You can integrate Cloud Run functions with other Google Cloud services, such as Cloud Storage, BigQuery, and Cloud Firestore. Integration lets you build complex ML pipelines that connect different services together.
  • Cost scaling: Cloud Run functions lets you pay only for the resources that your function uses while it's running. Additionally, Cloud Run functions are automatically scaled to meet demand, so that you maintain appropriate resources during peak traffic.

Required Cloud Run functions controls

The following controls are strongly recommended when using Cloud Run functions.

Require VPC connector for Cloud Run functions

Google control ID: CF-CO-4.4
Category: Required
Description:

The cloudfunctions.requireVPCConnector boolean constraint requires that administrators specify a Serverless VPC Access connector when they deploy a Cloud Run function. When enforced, functions must specify a connector.

Applicable products:
  • Organization Policy Service
  • Cloud Run functions
Path: constraints/cloudfunctions.requireVPCConnector
Operator: =
Value:
  • True
Type: Boolean
Related NIST-800-53 controls:
  • SC-7
  • SC-8
Related CRI profile controls:
  • PR.AC-5.1
  • PR.AC-5.2
  • PR.DS-2.1
  • PR.DS-2.2
  • PR.DS-5.1
  • PR.PT-4.1
  • DE.CM-1.1
  • DE.CM-1.2
  • DE.CM-1.3
  • DE.CM-1.4
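
An added example (not part of the original guidance, and not Google's own code): an inventory check that finds functions that do not specify a Serverless VPC Access connector, which is useful before enforcing the constraint. It assumes the input is the JSON from `gcloud functions list --format=json`, with the connector in `vpcConnector` (1st gen) or `serviceConfig.vpcConnector` (2nd gen); the project, function and connector names are constructed.

```python
import json

# Constraint path taken from the control above.
CONSTRAINT = "constraints/cloudfunctions.requireVPCConnector"

# Constructed sample, shaped like `gcloud functions list --format=json` output
# (assumption): 1st gen functions carry `vpcConnector` at the top level,
# 2nd gen functions carry it under `serviceConfig`.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "projects/example-proj/locations/us-central1/functions/preprocess",
   "vpcConnector": "projects/example-proj/locations/us-central1/connectors/ml-conn"},
  {"name": "projects/example-proj/locations/us-central1/functions/serve-predictions",
   "httpsTrigger": {}},
  {"name": "projects/example-proj/locations/us-central1/functions/start-training",
   "environment": "GEN_2",
   "serviceConfig": {"vpcConnector": "projects/example-proj/locations/us-central1/connectors/ml-conn"}},
  {"name": "projects/example-proj/locations/us-central1/functions/postprocess",
   "environment": "GEN_2",
   "serviceConfig": {"vpcConnector": ""}}
]
""")


def connector_of(function):
    """Return the function's Serverless VPC Access connector, or None if unset."""
    # Either location may be absent, null or empty; treat all as "no connector".
    service_config = function.get("serviceConfig") or {}
    return function.get("vpcConnector") or service_config.get("vpcConnector") or None


def audit(functions):
    """Split an inventory into compliant and non-compliant function names."""
    report = {"compliant": [], "missing_connector": []}
    for fn in functions:
        short_name = fn.get("name", "<unnamed>").rsplit("/", 1)[-1]
        key = "compliant" if connector_of(fn) else "missing_connector"
        report[key].append(short_name)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY)
    print(f"Checked against {CONSTRAINT}")
    for name in result["missing_connector"]:
        print(f"NO CONNECTOR: {name}")
```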