The current design for an app environment I'm working on is ALB --> API Gateway --> multiple Cloud Functions gen2. Ideally, I would like to restrict ingress and egress traffic on these functions and I thought restricting ingress to "internal and cloud load balancing" would suffice, but it seems once things hit the APIGW traffic cannot reach the Functions. Likewise, setting that to "allow all traffic" while restricting all egress traffic to a VPC connector/VPC gives me a 500. I am able to keep the Functions workable by restricting egress to "private ranges only."

I'm curious if restricting ingress traffic with this architecture is even possible and, secondly, why restricting egress might give a 500. My guess, for the latter, is that the API is trying to make call somewhere that it can't.