
Cloud Run - Unable to hit external public resource

tt8

I have a cloud run service that is trying to fetch data from an external public resource on a daily schedule.  I am using a serverless vpc connector, but only for private ranges.

run.googleapis.com/vpc-access-egress: private-ranges-only

Initially, this data request would fail intermittently, but as of late has been successful each day.
 
I've recently spun up an identically configured cloud-run service in a new gcp project.  The cloud run service is deployed via terraform and is identical to the service deployed in the original project.  The retrieval process fails every time I try it.  A connection cannot be established and the call times out.  Using curl on Cloud Shell, the request succeeds every time.   I've also tried retrieving the resource using curl from a Cloud Function and once again the connection request times out.  Meanwhile, the original service deployed to my first environment continues to succeed daily.

Any ideas as to what I should be looking at here?  I'm at a loss for ideas.
 

Have you verified that the new project's service account running the service has Serverless VPC Access Service Agent? (Connect to a VPC network | Google Cloud)

In the original project did you have any "network tags" applied for firewall rules and did they get implemented for the new service in the new project? 

Is it a Shared VPC ?

tt8

It is using the default project VPC.

The service-account has the same roles in both projects.

There are no network tags, and no additional firewall rules aside from those that come with the default project VPC.

I've done further testing and I can hit other external resources, just not this specific one.  So I am starting to assume something is up with this specific resource.

So it sounds like it is self-contained in the project. If it is in terraform, I'd run a destroy and rerun apply. I'd look for errors in Log Explorer to ensure all resources didn't have an issue when built, and I'd check the health of the Serverless VPC connector as well.

My assumptions are (coming from Direct VPC egress with a VPC network | Cloud Run Documentation | Google Cloud):

the service account binding is in place:

gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com" \
--role "roles/compute.networkUser"

running the gcloud cmd provides output as outlined originally:

gcloud beta run services describe SERVICE_NAME \
--region=REGION

the project is in one of the Direct VPC egress regions:

  • us-central1
  • us-east1
  • europe-west1
  • europe-west3
  • asia-northeast1
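The checks listed in this reply (egress setting, service agent binding, region) can be run against the JSON that gcloud emits rather than eyeballed. The script below is an added example, not code from the thread or from Google; it reads constructed samples of `gcloud run services describe SERVICE --region REGION --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports what each check says. It assumes the v1 describe layout (annotations under spec.template.metadata.annotations, region under the cloud.googleapis.com/location label), and the project number, connector name and member addresses in the samples are placeholders. The egress check also encodes the documented behaviour that with private-ranges-only, only RFC 1918 destinations go through the connector, so a failing public fetch is not explained by VPC firewall rules in that mode.

```python
import json

# Constructed sample of `gcloud run services describe fetcher --region us-central1 --format=json`,
# trimmed to the fields the checks read. Names and paths are placeholders, not the thread's project.
SAMPLE_SERVICE_JSON = """
{
  "metadata": {
    "name": "fetcher",
    "labels": {"cloud.googleapis.com/location": "us-central1"}
  },
  "spec": {
    "template": {
      "metadata": {
        "annotations": {
          "run.googleapis.com/vpc-access-connector": "projects/example-project/locations/us-central1/connectors/example-connector",
          "run.googleapis.com/vpc-access-egress": "private-ranges-only"
        }
      }
    }
  }
}
"""

# Constructed sample of `gcloud projects get-iam-policy example-project --format=json`.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/run.admin", "members": ["user:admin@example.com"]},
    {"role": "roles/compute.networkUser",
     "members": ["serviceAccount:service-123456789012@serverless-robot-prod.iam.gserviceaccount.com"]}
  ]
}
"""

# Regions named in the reply above as supporting Direct VPC egress.
DIRECT_VPC_EGRESS_REGIONS = {"us-central1", "us-east1", "europe-west1", "europe-west3", "asia-northeast1"}


def egress_settings(service):
    """Pull region, connector and egress mode out of a describe document.

    Cloud Run defaults to private-ranges-only when a connector is attached
    and the egress annotation is absent, so that is the fallback here.
    """
    annotations = service["spec"]["template"]["metadata"].get("annotations", {})
    return {
        "region": service["metadata"]["labels"].get("cloud.googleapis.com/location"),
        "connector": annotations.get("run.googleapis.com/vpc-access-connector"),
        "egress": annotations.get("run.googleapis.com/vpc-access-egress", "private-ranges-only"),
    }


def service_agent_has_network_user(policy, project_number):
    """True if the Serverless VPC Access service agent holds roles/compute.networkUser."""
    member = f"serviceAccount:service-{project_number}@serverless-robot-prod.iam.gserviceaccount.com"
    return any(
        binding.get("role") == "roles/compute.networkUser" and member in binding.get("members", [])
        for binding in policy.get("bindings", [])
    )


def public_traffic_bypasses_vpc(settings):
    """With private-ranges-only (or no connector), requests to public IPs never enter the VPC."""
    return settings["connector"] is None or settings["egress"] == "private-ranges-only"


def diagnose(service_json, policy_json, project_number):
    """Run the three checks from the thread and return a dict of results."""
    settings = egress_settings(json.loads(service_json))
    policy = json.loads(policy_json)
    return {
        "region": settings["region"],
        "egress": settings["egress"],
        "public_bypasses_vpc": public_traffic_bypasses_vpc(settings),
        "service_agent_ok": settings["connector"] is None
        or service_agent_has_network_user(policy, project_number),
        "direct_vpc_region": settings["region"] in DIRECT_VPC_EGRESS_REGIONS,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_SERVICE_JSON, SAMPLE_POLICY_JSON, "123456789012").items():
        print(f"{key}: {value}")
```

When every check comes back clean and the service still times out only for one public host, the script has done its job: it points away from the VPC path and toward the destination itself (its own allow-listing or rate limiting of Cloud Run's egress addresses, for instance), which matches the direction the original poster was already heading.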

tt8

I have deleted the serverless vpc entirely to see if that had any effect.

I've also deleted and recreated the cloud run service.  I'll start tearing down and recreating more stuff.
