Hi,
Hope you all are doing great.
I have successfully set up a VPN between GCP and on-prem and asked the client to whitelist the subnet range I am using. I am not able to hit their private IPs.
Architecture: We have everything deployed in Cloud Run/Cloud Functions and use the serverless connector for egress traffic.
Now, if I enable egress traffic in Cloud Run to route all traffic through the VPC and select the subnet that is whitelisted, then I am able to hit their private IP. I cannot go with this because Cloud Functions does not offer routing traffic through the VPC this way.
I suspect this is related to the IP range that the connector uses.
Could the reason be that the connector uses its own IP range when sending traffic through the tunnel?
I am not sure how the connector behaves. If this is the case, I can ask the end customer to whitelist the IP range used by the connector.
Any help will be appreciated.
Hi @dikshant-infra,
Welcome to Google Cloud Community!
First, check your VPN tunnel configuration. If you are using a policy-based tunnel (Classic VPN), make sure that the Serverless Connector’s IP range (the connector’s /28 CIDR) is included in the local and remote traffic selectors.
If you are using dynamic routing (BGP), make sure that the Serverless Connector’s IP range is being advertised. By default, Cloud Router advertises all subnets visible to it; if your router is advertising custom routes, ensure that the Serverless Connector’s IP range is included as well. You can check this documentation on how to update the custom routes in your Cloud Router. Please note: if your on-premises network is located in a different region, you must change the VPC's dynamic routing mode to "global" so the router can learn the routes.
Also, check that your Cloud Function’s ingress setting is set to “Allow all traffic”. To check this, go to your Cloud Function, click “Runtime, build, connection and security settings”, then go to the “Connections” tab and check that “Allow all traffic” is ticked under Ingress Settings. Check your Egress settings: make sure your Serverless VPC connector is currently selected under the “Network” selection and that “Route all traffic through the VPC connector” is ticked. Ensure the required port is open in your on-prem firewall, and that a service is listening on that port. These steps have been discussed in this discussion.
The behavior of the Serverless Connector is that the traffic that is being sent to the connector will originate from the subnet that is currently configured which is the /28 CIDR block. Adding this subnet to the on-premises firewall will ensure traffic flow.
I hope the above information is helpful.
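As an added example (not from the poster above), the selector and route-advertisement checks from this answer written as a small diagnostic: it pulls the connector, tunnel, router and subnet details with `gcloud ... --format=json` and reports whether the connector's /28 falls inside the Classic VPN local traffic selector and whether the Cloud Router advertises it. The resource names in the `__main__` block are placeholders you must replace.

```python
import ipaddress
import json
import subprocess


def covered_by(cidr, ranges):
    """Return the first entry of `ranges` that contains `cidr`, or None."""
    net = ipaddress.ip_network(cidr, strict=False)
    for r in ranges:
        if net.subnet_of(ipaddress.ip_network(r, strict=False)):
            return r
    return None


def check_paths(connector_cidr, tunnel, router, vpc_subnets):
    """tunnel/router are the dicts returned by `gcloud ... describe --format=json`;
    vpc_subnets is the list of subnet CIDRs in the VPC. Returns which range, if any,
    covers the connector for each path (None means the connector is not covered)."""
    bgp = router.get("bgp", {})
    mode = bgp.get("advertiseMode", "DEFAULT")
    # DEFAULT mode, or CUSTOM mode with the ALL_SUBNETS group, advertises VPC subnets.
    all_subnets = mode == "DEFAULT" or "ALL_SUBNETS" in bgp.get("advertisedGroups", [])
    custom = [r["range"] for r in bgp.get("advertisedIpRanges", [])]
    via_subnets = covered_by(connector_cidr, vpc_subnets) if all_subnets else None
    return {
        # Classic (policy-based) VPN: the /28 must sit inside the local selector.
        "in_local_selector": covered_by(connector_cidr, tunnel.get("localTrafficSelector", [])),
        # Dynamic routing: advertised as a VPC subnet, or listed as a custom range.
        "advertised": via_subnets or covered_by(connector_cidr, custom),
    }


if __name__ == "__main__":
    # Placeholder names (assumptions); replace with your own resources.
    REGION, NETWORK = "us-central1", "my-vpc"
    CONNECTOR, TUNNEL, ROUTER = "my-connector", "my-tunnel", "my-router"

    def gcloud(*args):
        return json.loads(subprocess.check_output(["gcloud", *args, "--format=json"]))

    conn = gcloud("compute", "networks", "vpc-access", "connectors", "describe",
                  CONNECTOR, "--region", REGION)
    # A connector created with --subnet may not expose ipCidrRange directly; in
    # that case take the CIDR of that subnet from the subnet list instead.
    cidr = conn["ipCidrRange"]
    subnets = [s["ipCidrRange"] for s in
               gcloud("compute", "networks", "subnets", "list", "--network", NETWORK)]
    tunnel = gcloud("compute", "vpn-tunnels", "describe", TUNNEL, "--region", REGION)
    router = gcloud("compute", "routers", "describe", ROUTER, "--region", REGION)
    print(json.dumps({"connector": cidr, **check_paths(cidr, tunnel, router, subnets)}, indent=2))
```

A `None` in either field is the gap the answer describes: add the /28 to the tunnel selectors, or to the router's custom advertised ranges, and have the on-prem side allow it.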
Hi @poncejohn,
Thanks for the response.
I suspect the same thing and have asked the customer on the on-prem side to whitelist the serverless connector IP range.
It has been 2 weeks since I created a support ticket with GCP, and they are not confident enough to say what you described above. They asked me to whitelist the NAT IP or some other IP that the connector uses for ingress.
Once again, thanks for assuring me that I am in the right direction to debug.
Will let you know once I set this up successfully.