Hey, I'm trying to run a Cloud Run service and make it connect to a Compute Engine VM which runs Postgres to save on costs, as Cloud SQL is a bit overkill for me at the moment. I managed to get my Cloud Run service up and running with a VPC serverless connector and communicating with my Cloud SQL instance through its private IP. All are in the same region. But when I try to change my app to target the VM's private IP, I keep getting this exception:
org.postgresql.util.PSQLException: Connection to 10.162.0.17:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
Cloud Run does use the VPC connector for private IPs.
Serverless connector is up and running:
I have created two firewall rules to ensure that the port and connection are allowed either from the region subnet's IP range or from the VPC serverless connector's IP range.
I have also conducted two connectivity tests to test both rules.
Postgres is running fine in the VM:
geekymechanic214@postgres-db:~$ sudo systemctl status postgresql@12-main
● postgresql@12-main.service - PostgreSQL Cluster 12-main
Loaded: loaded (/lib/systemd/system/postgresql@.service; enabled-runtime; vendor preset: enabled)
Active: active (running) since Fri 2023-07-28 13:56:35 UTC; 6h ago
Process: 10190 ExecStart=/usr/bin/pg_ctlcluster --skip-systemctl-redirect 12-main start (code=exited, stat>
Main PID: 10195 (postgres)
Tasks: 7 (limit: 1134)
Memory: 20.6M
CGroup: /system.slice/system-postgresql.slice/postgresql@12-main.service
├─10195 /usr/lib/postgresql/12/bin/postgres -D /var/lib/postgresql/12/main -c config_file=/etc/po>
├─10197 postgres: 12/main: checkpointer
├─10198 postgres: 12/main: background writer
├─10199 postgres: 12/main: walwriter
├─10200 postgres: 12/main: autovacuum launcher
├─10201 postgres: 12/main: stats collector
└─10202 postgres: 12/main: logical replication launcher
Jul 28 13:56:33 postgres-db systemd[1]: postgresql@12-main.service: Succeeded.
Jul 28 13:56:33 postgres-db systemd[1]: Stopped PostgreSQL Cluster 12-main.
Jul 28 13:56:33 postgres-db systemd[1]: Starting PostgreSQL Cluster 12-main...
Jul 28 13:56:35 postgres-db systemd[1]: Started PostgreSQL Cluster 12-main.
It is listening on the right port:
geekymechanic214@postgres-db:~$ sudo ss -tuln | grep 5432
tcp LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
tcp LISTEN 0 244 [::]:5432 [::]:*
pg_hba.conf:
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
host all all 0.0.0.0/0 password
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
postgresql.conf:
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
port = 5432 # (change requires restart)
max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
Ubuntu firewall isn't active:
geekymechanic214@postgres-db:~$ sudo ufw status
Status: inactive
I really don't know where to look anymore if anyone could lend a helping hand! 😅
Hi @GeekyMechanic ,
Thank you for providing the details of your setup. If the PostgreSQL server on your Compute Engine VM is running fine, listening on the right port, and you have allowed incoming connections from the appropriate sources through the firewall rules, the issue might be related to the VM's internal networking and the Cloud Run VPC Connector. You can consider checking the following:
1. VPC Connector Configuration
Make sure to review your Cloud Run VPC Connector settings. Check if it's correctly set up and connected to the specific Cloud Run service you want to use to connect to the Compute Engine VM. Also, confirm that you've chosen the right VPC network and subnet for the connector.
2. Private IP Range Conflict
Confirm that the IP address of your Compute Engine VM (10.162.0.17) does not conflict with any other resources within your VPC network.
3. Check PostgreSQL Configuration
Check the PostgreSQL configuration on the VM to make sure it's set to listen on the private IP, not just localhost. Also, make sure that PostgreSQL permits connections from the IP address range of the Cloud Run VPC Connector.
Also, as the error message indicated that the Ubuntu firewall is inactive, it may not be allowing incoming connections to the PostgreSQL service, even if you have allowed them in Google Cloud's firewall rules. To enable the UFW firewall on your Compute Engine VM, follow these steps:
1. Open a terminal or use an SSH client to connect to your Compute Engine VM.
2. Run sudo ufw status
3. If UFW is currently inactive, enable it using sudo ufw enable
4. After enabling UFW, you'll need to configure the firewall rules to allow incoming connections on the PostgreSQL port (5432). Use sudo ufw allow 5432
5. If you need to restrict the source IP range for security reasons, you can specify the source IP or IP range when creating the rule. For example: sudo ufw allow from <source_IP_or_range> to any port 5432
6. Verify that UFW is now active and that the rule for PostgreSQL is set correctly. Type in sudo ufw status
7. After making changes to UFW, you might need to restart the PostgreSQL service to ensure that it can accept incoming connections. Use sudo systemctl restart postgresql
After enabling UFW and permitting incoming connections on the PostgreSQL port, try connecting again from your Cloud Run service. If everything is configured properly, you should no longer encounter the "Connection refused" error, and your Cloud Run service will be able to connect to the PostgreSQL database on the Compute Engine VM.
Hi, thanks for your detailed response. I did create a new VM, check all the settings you mentioned and it worked. The issue was probably ufw in the VM!
Hey there,
I'm glad to hear you're exploring cost-effective solutions for your cloud infrastructure. At PSEE Solutions, we often assist clients with similar setups, so I can share some insights that might help you out.
It sounds like you're on the right track by using a VPC serverless connector to communicate within your private network. Here are a few steps and considerations to ensure your Cloud Run service can connect to your Compute Engine VM running PostgreSQL:
VPC Connector Configuration: Double-check that your VPC connector is correctly configured to allow traffic between your Cloud Run service and the Compute Engine VM. This includes ensuring that the connector's subnet range encompasses the private IP of your VM.
Firewall Rules: Ensure that your VPC network has the appropriate firewall rules to allow traffic on the port PostgreSQL is running on (default is 5432). This includes creating an ingress rule for the VPC connector subnet to communicate with the VM's IP.
VM Configuration: Verify that your Compute Engine VM is configured to accept connections from the VPC connector's IP range. This might involve adjusting the PostgreSQL pg_hba.conf file to include the connector's subnet range.
Service Account Permissions: Ensure that the service account associated with your Cloud Run service has the necessary permissions to access the Compute Engine VM. This typically involves granting the appropriate IAM roles for network and instance access.
Connection String: When updating your app's connection string to target the VM's private IP, make sure it includes all necessary details like the VM's IP address, port, database name, user, and password.
If you've checked all these configurations and are still encountering exceptions, please provide more details about the error message you're seeing. This will help us diagnose the issue more effectively.
Feel free to reach out if you need further assistance. At PSEE Solutions, we're here to help you optimize your cloud infrastructure and achieve cost savings without compromising performance.
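
An added example, not part of any post in this thread: the replies advise making pg_hba.conf permit the VPC connector's range, and this sketch checks the host rules posted in the question against that advice, reporting which rule a connector address would hit first and whether any rule is wider than the connector range or uses the cleartext `password` method. `CONNECTOR_CIDR` is a constructed placeholder (the thread never states the connector's range), the hardened file is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed placeholder: substitute the real VPC connector range.
CONNECTOR_CIDR = "10.8.0.0/28"
WEAK_METHODS = {"trust", "password"}  # no auth / password sent in clear text

# Host lines of the pg_hba.conf posted in the question.
QUESTION_HBA = """\
host all all 0.0.0.0/0 password
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
"""
# Constructed alternative: only the connector range, SCRAM instead of cleartext.
HARDENED_HBA = f"""\
host all all {CONNECTOR_CIDR} scram-sha-256
host all all 127.0.0.1/32 md5
"""

def parse_host_rules(text):
    """Return [(network, method)] for host* lines whose ADDRESS is in CIDR form."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0].startswith("host") and "/" in fields[3]:
            rules.append((ipaddress.ip_network(fields[3], strict=False), fields[4]))
    return rules

def first_match(text, client_ip):
    """PostgreSQL applies the first matching record; database/user are ignored here."""
    ip = ipaddress.ip_address(client_ip)
    for net, method in parse_host_rules(text):
        if ip.version == net.version and ip in net:
            return str(net), method
    return None

def audit(text, allowed_cidr=CONNECTOR_CIDR):
    """Flag non-loopback rules that reach beyond allowed_cidr or use a weak method."""
    allowed = ipaddress.ip_network(allowed_cidr)
    findings = []
    for net, method in parse_host_rules(text):
        if net.is_loopback:
            continue
        reasons = []
        if net.version != allowed.version or not net.subnet_of(allowed):
            reasons.append("overbroad")
        if method in WEAK_METHODS:
            reasons.append("weak-method")
        if reasons:
            findings.append((str(net), method, reasons))
    return findings
```

Moving a rule to `scram-sha-256` also requires the role passwords to be stored as SCRAM verifiers, so they must be reset after `password_encryption` is changed.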