We have a scenario where we need our Cloud Run services to be on ingress internal-only. We have service A that's trying to invoke service B. We also prefer using Direct VPC instead of VPC Connector (for obvious reasons). Service A is using GCS Fuse with some private bucket. We have to use egress = "ALL_TRAFFIC" in order to route service A's HTTP request invocation to service B. The problem is that when using egress in this way, the GCS Fuse doesn't work because the request to the external bucket service is being sent through the VPC.
Would appreciate any guidance or suggestions on how to resolve this issue: achieving private connections between the services while also using GCS Fuse. What is the best approach?
Hi @MesserOr,
Welcome to Google Cloud Community!
It seems like you’re trying to set up private connections between Cloud Run services while also dealing with GCS Fuse and a private bucket. I think the key is making sure Service A can communicate with Service B internally, while also letting GCS Fuse access the bucket without routing through the VPC.
One potential solution could be to enable Private Google Access on the subnet where your Cloud Run services are. This might allow GCS to be accessed over Google’s internal network, which could prevent the GCS traffic from going through the VPC connector. That might help with the issue of the GCS Fuse request being routed incorrectly when you had the ALL_TRAFFIC egress setting.
For Service A and B’s internal communication, you’d probably still need the VPC connector. But, to avoid interfering with GCS Fuse, you might want to tweak the egress settings for the connector—routing internal traffic correctly while keeping Google services (like GCS) out of the VPC.
Just double-check that Service A’s service account has the correct permissions to access the GCS bucket, and it should work, I think. That way, you can keep things private while also letting GCS Fuse run smoothly.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
Hi, thanks for the reply!
So what you're saying is that I can't avoid using VPC Connector in this scenario? I have enabled the Private Google Access setting on the VPC. But then, how do I access the private bucket via GCS Fuse? Because just turning it on didn't make GCS Fuse work again.
Thank you
The VPC Connector is not needed for either communication with GCS (via FUSE or otherwise) or for Service-to-service communication.
I would have expected that enabling Private Google Access would fix the access issues to the GCS bucket. You say "private bucket"; are you perhaps getting an IAM error? Make sure the service account that your Cloud Run service runs as has access to the bucket. See here:
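As an added example, not posted by anyone in this thread, here is a Cloud Run service definition for Service A that combines the pieces discussed above: ingress restricted to internal, Direct VPC egress (no VPC connector) with all traffic routed through the VPC, and a GCS FUSE volume for the private bucket. The VPC, subnet, bucket, image and service account names are placeholders, and the subnet is assumed to have Private Google Access enabled.

```yaml
# Service A: internal ingress + Direct VPC egress (all traffic) + GCS FUSE volume.
# Prerequisites applied outside this file (placeholders, adjust to your project):
#   gcloud compute networks subnets update my-subnet --region=us-central1 \
#       --enable-private-ip-google-access
#   gcloud storage buckets add-iam-policy-binding gs://my-private-bucket \
#       --member=serviceAccount:service-a-sa@PROJECT_ID.iam.gserviceaccount.com \
#       --role=roles/storage.objectViewer
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: service-a
  annotations:
    # Only traffic from the VPC (or internal load balancers) can reach the service.
    run.googleapis.com/ingress: internal
spec:
  template:
    metadata:
      annotations:
        # Direct VPC egress: the instance gets an IP in this subnet instead of
        # going through a Serverless VPC Access connector.
        run.googleapis.com/network-interfaces: '[{"network":"my-vpc","subnetwork":"my-subnet"}]'
        # Route every outbound packet via the VPC so calls to Service B's
        # internal-only ingress succeed. With this setting, reaching GCS
        # depends on Private Google Access being enabled on my-subnet.
        run.googleapis.com/vpc-access-egress: all-traffic
    spec:
      # Identity GCS FUSE authenticates as; it needs read access to the bucket.
      serviceAccountName: service-a-sa@PROJECT_ID.iam.gserviceaccount.com
      containers:
        - image: us-central1-docker.pkg.dev/PROJECT_ID/repo/service-a:latest
          env:
            # Internal URL of Service B (placeholder); A must call it with an
            # ID token, but that part is unchanged by the egress setting.
            - name: SERVICE_B_URL
              value: https://service-b-PLACEHOLDER.a.run.app
          volumeMounts:
            - name: private-bucket
              mountPath: /mnt/bucket
      volumes:
        - name: private-bucket
          csi:
            # Cloud Run's managed GCS FUSE driver.
            driver: gcsfuse.run.googleapis.com
            readOnly: true
            volumeAttributes:
              bucketName: my-private-bucket
```

Private Google Access is a property of the subnet rather than of the service, so the subnets update shown in the comments has to be applied separately; without it, `all-traffic` egress sends the storage.googleapis.com requests into a VPC that has no route to Google APIs, which is the FUSE failure described in the question.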