
Allow internal traffic to VM Instance from Cloud Run instances

Hello,

I am running a PgBouncer service on a VM Instance on Compute Engine. This service needs to be accessed by code hosted on Cloud Run Services.

The problem is that I don't want the PgBouncer to be available outside of my GCP project. I have the PgB and the Cloud Run services in the same region and therefore, I should think, on the same subnet (right?). But if I try to connect using the internal IP of the PgB VM instance, the connection fails. If I use the external IP it works, but then I can't create a firewall rule, as the Cloud Run instances have dynamic external IPs.

Does anyone have a suggestion as what to do here?


Hello @luca-goodiebox 

Cloud Run is a regional serverless service and does not run in a customer VPC. So, no! Your PgB VM instance and Cloud Run app aren't on the same network. The Cloud Run service runs out of a separate Google network (managed by GCP).

You are correct in evaluating an internal way of connecting to the Cloud Run service, as it is arguably more secure and faster.

Now, there are two different ways to establish connection (based on Ingress or Egress traffic):

  1. For traffic initiated from your VM in the VPC network to the Cloud Run service, you need to deploy either Private Google Access or Private Service Connect in your VPC network. You can learn more about these different ways here.
  2. On the contrary, if the request is being sent the other way round, i.e., from the Cloud Run serverless environment, and your VM only needs to send traffic back in response, you can use Serverless VPC Access. This official blog tells you the exact steps you have to perform to set up the serverless VPC connector in your environment.

Hope it helps & let us know how it goes!

Thanks.


I am running a PgBouncer service on a VM Instance on Compute Engine. This service needs to be accessed by code hosted on Cloud Run Services.

For this direction (Cloud Run -> VM in private VPC), you can use Configure Serverless VPC Access | Google Cloud.

Cloud Run operates on its own subnet outside any of your VPCs. If you want your Cloud Run code to be able to access private IPs within your VPC, you'll need to create a "serverless VPC connector" as detailed here so they can proxy into the VPC's private IP space: https://cloud.google.com/vpc/docs/configure-serverless-vpc-access

There are internal URLs for this.


If the direction is Cloud Run to VM, you can configure access in:


--egress-settings=EGRESS_SETTINGS
Egress settings controls what traffic is diverted through the VPC Access Connector resource. By default private-ranges-only will be used. EGRESS_SETTINGS must be one of: private-ranges-only, all.

in gen2,
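The replies above describe the same procedure in pieces: create a Serverless VPC Access connector, attach it to the Cloud Run service, and then keep PgBouncer reachable only from inside the VPC. The script below is an added example written for this thread, not code from any of the posters or from Google's documentation; it puts the three steps together and adds the check a practitioner wants, namely a firewall rule that admits only the connector's /28 range on PgBouncer's default port (6432), so the VM's external IP never needs to be opened. The project, region, network, connector range (10.8.0.0/28), image and the VM's internal IP are placeholder assumptions. Note that the `--egress-settings` flag quoted in the last reply belongs to `gcloud functions deploy`; the Cloud Run equivalent used here is `--vpc-egress`, whose values are `private-ranges-only` and `all-traffic`.

```shell
#!/usr/bin/env sh
# Added example for this thread, not code from the original replies.
# Wires a Cloud Run service to a PgBouncer VM through a Serverless VPC Access
# connector and opens the VM's firewall to the connector's range only.
# Commands are printed by default; set APPLY=1 to execute them with gcloud.
set -eu

PROJECT="${PROJECT:-my-project}"                  # assumption: placeholder project
REGION="${REGION:-europe-west1}"                   # assumption: same region as the VM
NETWORK="${NETWORK:-default}"
CONNECTOR="${CONNECTOR:-run-to-vpc}"
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"  # unused /28 inside the VPC (assumption)
SERVICE="${SERVICE:-api}"
IMAGE="${IMAGE:-gcr.io/my-project/api:latest}"     # assumption: placeholder image
PGB_TAG="${PGB_TAG:-pgbouncer}"                    # network tag carried by the PgBouncer VM
PGB_HOST="${PGB_HOST:-10.128.0.5}"                 # VM's internal IP (assumption)
PGB_PORT=6432                                      # PgBouncer's default listen port

# Print the command, or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# A connector needs a dedicated, unused /28 in the VPC; refuse anything else
# before calling gcloud, and insist on an RFC 1918 range.
check_connector_range() {
  case "$1" in
    */28) ;;
    *) echo "connector range must be a /28, got $1" >&2; return 1 ;;
  esac
  case "$1" in
    10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) return 0 ;;
    *) echo "connector range must be RFC 1918, got $1" >&2; return 1 ;;
  esac
}

create_connector() {
  check_connector_range "$CONNECTOR_RANGE"
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK" \
    --range="$CONNECTOR_RANGE"
}

# Only traffic arriving from the connector's /28 may reach PgBouncer; nothing
# is opened on the VM's external IP, which was the original concern.
create_firewall_rule() {
  run gcloud compute firewall-rules create allow-run-to-pgbouncer \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules="tcp:${PGB_PORT}" --source-ranges="$CONNECTOR_RANGE" --target-tags="$PGB_TAG"
}

# private-ranges-only sends just RFC 1918 destinations through the connector;
# all-traffic would route every egress packet through the VPC instead.
deploy_service() {
  run gcloud run deploy "$SERVICE" --project="$PROJECT" --region="$REGION" \
    --image="$IMAGE" --vpc-connector="$CONNECTOR" --vpc-egress=private-ranges-only \
    --set-env-vars="PGBOUNCER_HOST=${PGB_HOST},PGBOUNCER_PORT=${PGB_PORT}"
}

create_connector
create_firewall_rule
deploy_service
```

Run it once without `APPLY` to review the generated commands, then with `APPLY=1` to execute them. The PgBouncer VM must carry the `pgbouncer` network tag (or whatever `PGB_TAG` is set to) for the firewall rule to target it, and the Cloud Run code should connect to the VM's internal IP, not its external one; once the rule is in place, any pre-existing rule that allowed 6432 from 0.0.0.0/0 can be deleted.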