Hey folks, I'm trying to set up API Gateway as the main entry point to various backend services running on Cloud Run and I have a few questions that might make me reconsider the choice of technology. It is my understanding that:
Is it possible to have API Gateway access backend Cloud Run services without going over the internet / without exposing the individual Cloud Run public endpoints?
What happens in terms of pricing when someone accesses an endpoint via the Gateway? The Gateway accesses the backend over the internet, so I assume there's egress traffic being charged from Cloud Run to the API Gateway, then again from the API Gateway to the end client, meaning that we pay twice/double for a single request?
Thanks in advance.
Hi @Elkasitu,
Welcome to Google Cloud Community!
As of this writing, this feature is not yet available based on this documentation on receiving requests from other Google Cloud services.
internal, note that many support authenticating to Cloud Run, such as Pub/Sub (supports both internal and authentication), API Gateway, and Dialogflow CX. Depending on your security needs, it might be sufficient for the destination Cloud Run service to require authentication instead of "internal" ingress. You may also check this existing feature request that you may find helpful.
In terms of pricing, you may refer to this pricing calculator or to our Cloud Billing support for additional information with regard to your preferred configuration.
Hope this helps.
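Whether a Cloud Run service really "requires authentication" in the sense described above can be checked from its service-level IAM policy. The following is an added example, not part of the original thread or of Google's documentation; the service account e-mail and both sample policies are constructed, and it assumes the API Gateway config uses that service account as its backend auth identity.

```python
# Audit the JSON printed by:
#   gcloud run services get-iam-policy SERVICE --region=REGION --format=json
# Only bindings set on the service itself appear there; bindings inherited
# from the project or folder are not included and need a separate review.

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/run.invoker"

# Constructed values for illustration only.
GATEWAY_SA = "gw-backend@example-project.iam.gserviceaccount.com"
SAMPLE_OPEN = {"bindings": [{"role": INVOKER_ROLE, "members": ["allUsers"]}]}
SAMPLE_LOCKED = {"bindings": [
    {"role": INVOKER_ROLE, "members": [f"serviceAccount:{GATEWAY_SA}"]},
]}


def audit_invoker_policy(policy, gateway_sa):
    """Return a list of findings; an empty list means that, at service level,
    only the gateway's service account may invoke the Cloud Run service."""
    expected = f"serviceAccount:{gateway_sa}"
    invokers = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            invokers.update(binding.get("members", []))

    findings = []
    # Public members mean the run.app URL answers anyone, gateway or not.
    for member in sorted(invokers & PUBLIC_MEMBERS):
        findings.append(f"PUBLIC: {member} can invoke the service directly")
    # Without this binding the gateway's own calls are rejected.
    if expected not in invokers:
        findings.append(f"MISSING: {expected} lacks {INVOKER_ROLE}")
    # Any other identity can reach the backend without passing the gateway.
    for member in sorted(invokers - PUBLIC_MEMBERS - {expected}):
        findings.append(f"EXTRA: {member} can bypass the gateway")
    return findings


if __name__ == "__main__":
    for name, policy in (("open", SAMPLE_OPEN), ("locked", SAMPLE_LOCKED)):
        print(name, audit_invoker_policy(policy, GATEWAY_SA) or "OK")
```

The endpoint stays publicly routable in this setup; the IAM check on the invoker role is what rejects callers other than the gateway.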
Do we have a workaround for this security concern?
How can we expose our Cloud Run service to be accessible only via the API Gateway?