
Accessing internal Cloud Run service from peered VPC

Hi,

I have 2 projects (ProjectA and ProjectB) that have VPCs peered.

I have deployed a Cloud Run service in ProjectA and have set its Ingress to "Allow internal traffic and traffic from Cloud Load Balancing". I'm able to access the CR service from within ProjectA without any issues, as expected.

However, I'm not able to access the CR service from ProjectB even though VPC peering is done.

Is there a way to enable this connectivity?

Thanks.

 


glen_yu
Google Developer Expert

Peering is between networks. Cloud Run is serverless, so while it does run on a network somewhere, that network (the resources CR uses) is fully managed by Google. So while you may have peered 2 networks together, CR is running on neither of them.

 

As for your question...there isn't a simple answer that will satisfy your exact needs, but the 2 most common options are:

1) "internal traffic and cloud load balancer" option (which you're already using): attach an LB to it and outfit it to use IAP so that users outside of your project have to authenticate (and you can specify which users/groups can authenticate)

 

2) this option I've only read about but never tried because it's quite complicated, but it involves setting up VPC Service Controls (which requires an org, as it's typically a security feature geared towards enterprises, so it's probably overkill for your use case anyway).

 

 

There's also potentially a 3rd option that looks promising but I've also never tried. Perhaps you can give Serverless VPC Access a look -- it might be the bridge you need to connect Cloud Run with the VPC in Project A that you peered.

Hi Glen,

Thanks for the reply. For now, it seems option 1 is the most suitable as other options require setting up of Shared VPC. Having said that, wouldn't attaching an LB to the CR service be similar to exposing the CR service to all traffic?

 

Thanks.

 

Serverless VPC Access would not work here. It's a feature to access VPC resources (VMs and load balancers) from a serverless product. What you are trying to do is the other way around: access Cloud Run from a VPC resource that sits on a different VPC. Am I understanding this correctly?

 

Regarding the options glen_yu highlighted:

 

Option #1 will not work, as the LB has to be public, which is equivalent to setting the ingress settings on your CR service to accept all traffic.

Option #2, VPC Service Controls, is a security mechanism, not a routing one.

 

Unfortunately I don't see a straight solution here. The only thing I could think of is to wait for Cloud Run to support Internal Load Balancer (aka ILB) (it's in preview; for now we only support public load balancers), and then you can put an ILB in front of your CR service and access it through peering: https://cloud.google.com/load-balancing/docs/internal-lb-and-other-networks
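For readers who land on this thread later: the approach the accepted answer describes (an internal load balancer in front of the Cloud Run service, reached over peering) has since become available as a regional internal HTTP(S) load balancer with a serverless NEG backend. The script below is an added example and not code from this thread or from Google's docs; it strings together the gcloud steps for that setup. The project, region, service, network, subnet and certificate names and the proxy-only range are assumptions (override them through the environment), and the regional SSL certificate is assumed to already exist. By default it only prints the plan; DRY_RUN=0 actually runs the commands.

```shell
#!/bin/sh
# Added example (not from the thread): front a Cloud Run service with a
# regional internal HTTP(S) load balancer (serverless NEG backend) so that
# clients on a VPC-peered network can reach it without making it public.
# All names, the region, the proxy-only range and the certificate are
# assumptions; override them via the environment.
# DRY_RUN=1 (default) prints the gcloud commands, DRY_RUN=0 executes them.

PROJECT="${PROJECT:-project-a}"
REGION="${REGION:-us-central1}"
SERVICE="${SERVICE:-my-service}"
NETWORK="${NETWORK:-vpc-a}"
SUBNET="${SUBNET:-subnet-a}"
PROXY_SUBNET="${PROXY_SUBNET:-proxy-only-subnet}"
PROXY_RANGE="${PROXY_RANGE:-10.129.0.0/23}"
CERT="${CERT:-ilb-cert}"      # regional SSL certificate, assumed to exist already
DRY_RUN="${DRY_RUN:-1}"

# run: print the command as a single line when dry-running, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

create_internal_lb() {
  # 1. Keep the service off the public internet: only VPC traffic and Google
  #    load balancers may reach it. IAM (run.invoker) still applies on top.
  run gcloud run services update "$SERVICE" --project="$PROJECT" --region="$REGION" \
    --ingress=internal-and-cloud-load-balancing

  # 2. Proxy-only subnet: the managed Envoy proxies of a regional internal
  #    HTTP(S) load balancer take their addresses from this range.
  run gcloud compute networks subnets create "$PROXY_SUBNET" --project="$PROJECT" \
    --purpose=REGIONAL_MANAGED_PROXY --role=ACTIVE --region="$REGION" \
    --network="$NETWORK" --range="$PROXY_RANGE"

  # 3. Serverless NEG that points at the Cloud Run service.
  run gcloud compute network-endpoint-groups create "${SERVICE}-neg" --project="$PROJECT" \
    --region="$REGION" --network-endpoint-type=serverless --cloud-run-service="$SERVICE"

  # 4. Internal (INTERNAL_MANAGED) backend service with the NEG as its backend.
  run gcloud compute backend-services create "${SERVICE}-bs" --project="$PROJECT" \
    --load-balancing-scheme=INTERNAL_MANAGED --protocol=HTTPS --region="$REGION"
  run gcloud compute backend-services add-backend "${SERVICE}-bs" --project="$PROJECT" \
    --region="$REGION" --network-endpoint-group="${SERVICE}-neg" \
    --network-endpoint-group-region="$REGION"

  # 5. Regional URL map and HTTPS target proxy.
  run gcloud compute url-maps create "${SERVICE}-urlmap" --project="$PROJECT" \
    --region="$REGION" --default-service="${SERVICE}-bs"
  run gcloud compute target-https-proxies create "${SERVICE}-proxy" --project="$PROJECT" \
    --region="$REGION" --url-map="${SERVICE}-urlmap" --url-map-region="$REGION" \
    --ssl-certificates="$CERT" --ssl-certificates-region="$REGION"

  # 6. Forwarding rule with an internal IP in the VPC (no external address at all).
  #    --allow-global-access lets clients outside the LB's region use it too.
  run gcloud compute forwarding-rules create "${SERVICE}-fr" --project="$PROJECT" \
    --region="$REGION" --load-balancing-scheme=INTERNAL_MANAGED \
    --network="$NETWORK" --subnet="$SUBNET" --ports=443 --allow-global-access \
    --target-https-proxy="${SERVICE}-proxy" --target-https-proxy-region="$REGION"

  # 7. The internal address that clients in the peered VPC should call.
  run gcloud compute forwarding-rules describe "${SERVICE}-fr" --project="$PROJECT" \
    --region="$REGION" --format='value(IPAddress)'
}

create_internal_lb
```

Clients in the peered VPC then call the forwarding rule's internal IP on 443 (the peering has to be active and the peered side's firewall rules must allow the egress). Because the forwarding rule has no external address, this does not reopen the "public LB equals ingress=all" problem raised earlier in the thread, and the load balancer does not bypass Cloud Run's own IAM check, so callers still need the invoker role unless the service allows unauthenticated access.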

Ah -- you're right. Serverless VPC Access only goes one way. Actually, one option that could easily solve this was if you could front Cloud Run with an Internal HTTP LB, and then you can publish the service via Private Service Connect and create a service attachment to another. That's actually what I looked into first, but you can only create internal HTTPS LBs to VMs/Instance Groups 😞

 

EDIT: you are correct in that VPC Service Controls is a security mechanism and not a routing one, but could you not put a perimeter around your Project A (where Cloud Run lives) and authorize only Project B to ingress? It's not an ideal solution, but technically it should work.

@abdelfettah Any idea when internal LB will be GA?

 

@glen_yu VPC Service Controls require org permissions, which is something being worked out right now. Will just have to fall back to IP whitelisting for the time being 😞

@MH1169 no idea, I would say a few months from now

Hi @abdelfettah, do you already know more about when ILB will support Cloud Run?

Thanks!

It's in Closed Alpha for now. I would say maybe 6 months or a bit more.

@MH1169 If you are interested in the preview for Internal LoadBalancer for Cloud Run you can sign up here https://docs.google.com/forms/d/e/1FAIpQLScjxtcD6P2ycRgnOoZrex2L3xEiE93YweQgx_Nd3QBS4LCoqA/viewform?...