Hi,
I have one Cloud Run service, and I need the endpoint URL to be accessible only via
1) internal traffic and
2) via my static IP address (VPN IP)
Note: I have made the changes below to the Cloud Run settings, and now only internal traffic is getting through, but I'm not able to make my static IP connect directly to the service.
The current Cloud Run settings are shown below.
Can anyone suggest possible ways to allow specific IP addresses to call the endpoint URL of the Cloud Run service while public access is restricted?
This approach is correct. Without the LB, you really have 2 options: public or internal. If your source is from another VM or service that's internal to your project, then maybe internal is the better option for you, but otherwise it would be LB + Cloud Armor.
There are some other options, such as using Identity Aware Proxy (IAP), but you'd still need a LB and it's still in Preview mode for Cloud Run at the moment.
Internal traffic refers to inside the GCP infrastructure. Is the static IP the private IP provided in GCP?
If not, you have to find another way. An easy way is to set the ingress to "Allow all traffic". And set Authentication to "Require authentication". And use the token when calling the endpoint. You can call it like the example below. Only you will be able to use it.
---
# Method names are case-sensitive on the wire: "-X get" sends a non-standard
# method; GET (the curl default) is what the service expects.
curl -X GET -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
  https://xxxxxxx-yyyyyyy.run.app
Hi jybaek,
I am currently using the solution below to restrict access to the Cloud Run endpoint URL.
Current solution I'm using:
In front of Cloud Run I'm connecting an HTTP(S) load balancer, and to allow access to specific IP addresses I'm using Cloud Armor.
Is this approach correct?
Is there any other approach to restrict access to Cloud Run?
Awaiting your valuable suggestions ...
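As an added worked example (not posted by anyone in this thread), here is a Terraform configuration that wires together the two approaches discussed above: the accepted "LB + Cloud Armor" design for the allow-listed VPN address, plus the Cloud Run ingress setting that keeps the default *.run.app URL from bypassing the load balancer, with a comment on where jybaek's token-based control fits in. Project, region, service name, domain, resource names and the 203.0.113.10/32 address are all assumed placeholders.

```hcl
# Assumed placeholders; replace with your own values.
variable "project"      { default = "my-project" }
variable "region"       { default = "us-central1" }
variable "allowed_cidr" { default = "203.0.113.10/32" } # VPN egress IP (TEST-NET-3 example)

resource "google_cloud_run_service" "svc" {
  name     = "my-service"
  location = var.region
  project  = var.project
  metadata {
    annotations = {
      # Security-relevant setting: the run.app URL only accepts internal traffic and
      # traffic arriving through a Google Cloud load balancer. Without it, a caller can
      # hit the run.app hostname directly and skip the LB and Cloud Armor entirely.
      "run.googleapis.com/ingress" = "internal-and-cloud-load-balancing"
    }
  }
  template {
    spec {
      containers { image = "us-docker.pkg.dev/cloudrun/container/hello" } # Google's sample image
    }
  }
}

resource "google_cloud_run_service_iam_member" "invoker" {
  service  = google_cloud_run_service.svc.name
  location = var.region
  project  = var.project
  role     = "roles/run.invoker"
  # The LB does not add identity tokens, so IP-gated callers need unauthenticated invoke;
  # the ingress setting above keeps this reachable only via the LB or internally. To keep
  # jybaek's token-based control instead, grant a specific principal here and send the ID
  # token through the LB, which forwards the Authorization header unchanged.
  member = "allUsers"
}

# Serverless NEG pointing the LB at the Cloud Run service.
resource "google_compute_region_network_endpoint_group" "neg" {
  name                  = "my-service-neg"
  network_endpoint_type = "SERVERLESS"
  region                = var.region
  project               = var.project
  cloud_run { service = google_cloud_run_service.svc.name }
}

# Cloud Armor: allow the single VPN address, deny everything else by default.
resource "google_compute_security_policy" "allowlist" {
  name    = "allow-vpn-only"
  project = var.project
  rule {
    action      = "allow"
    priority    = 1000
    description = "Allow the VPN egress address"
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = [var.allowed_cidr] }
    }
  }
  rule {
    action      = "deny(403)"
    priority    = 2147483647 # lowest priority = the default rule
    description = "Deny all other sources"
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}

resource "google_compute_backend_service" "be" {
  name                  = "my-service-backend"
  project               = var.project
  load_balancing_scheme = "EXTERNAL_MANAGED"
  protocol              = "HTTP"
  security_policy       = google_compute_security_policy.allowlist.id # policy attaches here
  backend { group = google_compute_region_network_endpoint_group.neg.id }
}

resource "google_compute_url_map" "urlmap" {
  name            = "my-service-urlmap"
  project         = var.project
  default_service = google_compute_backend_service.be.id
}

resource "google_compute_managed_ssl_certificate" "cert" {
  name    = "my-service-cert"
  project = var.project
  managed { domains = ["api.example.com"] } # assumed hostname pointing at the LB IP
}

resource "google_compute_target_https_proxy" "proxy" {
  name             = "my-service-https-proxy"
  project          = var.project
  url_map          = google_compute_url_map.urlmap.id
  ssl_certificates = [google_compute_managed_ssl_certificate.cert.id]
}

resource "google_compute_global_forwarding_rule" "fr" {
  name                  = "my-service-fr"
  project               = var.project
  load_balancing_scheme = "EXTERNAL_MANAGED"
  target                = google_compute_target_https_proxy.proxy.id
  port_range            = "443"
}
```

After applying, check all three paths rather than just the happy one: from the VPN address the LB hostname should return 200, from any other public address it should return the Cloud Armor 403, and a direct request to the *.run.app URL from the VPN address should be rejected as well (Cloud Run answers requests that violate the ingress setting with a 404). If that last check returns 200, the ingress annotation did not take effect and the allow list is being bypassed.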