Hey folks, I'm trying to set up API Gateway as main entry point to various backend services running on Cloud Run and I'm having a few questions that might make me reconsider the choice of technology, it is my understanding that:

• API Gateway cannot access CloudRun instances marked as "internal", meaning that they need to be publicly accessible and thus if someone were to stumble upon the CloudRun URL they could bypass the Gateway (defeating its purpose).
• API Gateway cannot be set up to have access / be within a VPC and access the services within that VPC.

Is it possible to have API Gateway access backend CloudRun services without going over the internet / without exposing the individual CloudRun public endpoints?

What happens in terms of pricing when someone accesses an endpoint via the Gateway? The Gateway accesses the backend over the internet so I assume there's egress traffic being charged from the CloudRun to the API Gateway then again from the API Gateway to the end client, meaning that we pay twice/double for a single request?

Thanks in advance.