Cloud Run ingress setting

Hi Team,

I have a Cloud Run service deployed in Project A with the ingress setting "Allow internal traffic and traffic from Cloud Load Balancing".

Created an HTTPS load balancer in the same Project A, with the Cloud Run service as a backend via a network endpoint group. Updated my DNS to point to the public IP of this load balancer.

I am getting an access forbidden error when I access the DNS name. I expect it to work as my Cloud Run service and load balancer are in the same project.

Is my expectation incorrect on this?

 

Regards,

Pradeep


Your understanding is correct. That ingress setting means the Cloud Run service will be accessible from your VPC and from a load balancer that you set up.

 

To be honest it's hard to diagnose what could be the issue. Which guide did you follow to set up the load balancer?

 

PS: Cloud Run with a load balancer only works if the load balancer is in the same project as the Cloud Run service.


Is your Cloud Run service configured to accept unauthenticated calls? "Access forbidden" seems like an authz issue, not a DNS resolution one.

Hi Team,

Thanks for your response on this. The Cloud Run service's Authentication is set to "Allow unauthenticated invocations". Please see the attachment.


If I set the ingress to "Allow all traffic", I am able to access the service using the Cloud Run URL and from the DNS name through the load balancer.

If I set the ingress to "Allow internal traffic and traffic from Cloud Load Balancing", I am unable to access the service through the URL or through the load balancer (but I am able to hit the Cloud Run URL if I access it from a VM on the VPC in the same project where the Cloud Run service is deployed).

So what I am not clear on is the "Allow internal traffic and traffic from Cloud Load Balancing" ingress setting: what is meant by Cloud Load Balancing?

My assumption is that if we have set up an HTTPS load balancer (HTTP(S) (classic)) with a NEG backend for the above Cloud Run service, it should work, as the request comes from the load balancer (per the definition of the above ingress setting).

But it is not working like this. I have tried from a load balancer set up in the same project where the Cloud Run service is deployed, as well as from a load balancer that sits in another GCP project.

Please let me know if I am missing something on this setting.

Thank you,

Regards,

Pradeep


 

Hi @abdelfettah, just want to check if you got an opportunity to look into my comments.

Thank you. Pradeep


Hi @abdelfettah, it's working now. You are right, the Cloud Run service and LB have to be in the same project, and the network endpoint group type should be Serverless NEG. Initially I created it as an Internet NEG and used the FQDN.

 

Thanks for the information.

 

Regards,

Pradeep

@abdelfettah 

Hi,

I have 3 Cloud Run services running in my GCP infra. Is there any option to disable all public access and allow only certain static IP addresses to access the Cloud Run endpoint URL?

Note: We need to allow only our VPN IP addresses. Can you suggest the best way to restrict public access and allow only certain IP addresses to access the Cloud Run service?

Hi @swaroopchkl,

I do not think you can do that out of the box. One way would be:

1) Set the Cloud Run ingress setting to: Internal + load balancing

2) Serve the Cloud Run traffic from a load balancer, then attach Cloud Armor to the backend (the Cloud Armor policy will only allow traffic from your VPN IP range)
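The two steps above, plus the Serverless NEG detail resolved earlier in the thread, as gcloud commands. This is an added example, not a reply from the thread or Google's own documentation; every project, region, service, NEG, backend and policy name and the VPN CIDR are placeholders, and the URL map, certificate, HTTPS proxy and forwarding rule are left to the usual load balancer guide.

```shell
#!/bin/sh
# Added example (not from the thread): the "Internal + load balancing + Cloud Armor"
# model from the reply above, expressed as gcloud steps.
# All names and the VPN CIDR below are placeholders; replace them for your project.
PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-us-central1}"
SERVICE="${SERVICE:-my-service}"
NEG="${NEG:-${SERVICE}-sneg}"
BACKEND="${BACKEND:-${SERVICE}-backend}"
POLICY="${POLICY:-vpn-only}"
VPN_CIDR="${VPN_CIDR:-203.0.113.0/24}"   # placeholder (TEST-NET-3), not a real VPN range
GCLOUD="${GCLOUD:-gcloud}"               # set GCLOUD=echo to print commands instead of running them

# 1) Stop the public *.run.app URL from answering: only the VPC and Cloud Load Balancing may reach the service.
restrict_ingress() {
  "$GCLOUD" run services update "$SERVICE" --project="$PROJECT" --region="$REGION" \
    --ingress=internal-and-cloud-load-balancing
}

# 2a) The backend must be a *serverless* NEG bound to the Cloud Run service in the same project;
#     an Internet NEG pointing at the run.app FQDN arrives as external traffic and gets 403, as the thread found.
create_backend() {
  "$GCLOUD" compute network-endpoint-groups create "$NEG" --project="$PROJECT" --region="$REGION" \
    --network-endpoint-type=serverless --cloud-run-service="$SERVICE"
  "$GCLOUD" compute backend-services create "$BACKEND" --project="$PROJECT" --global \
    --load-balancing-scheme=EXTERNAL
  "$GCLOUD" compute backend-services add-backend "$BACKEND" --project="$PROJECT" --global \
    --network-endpoint-group="$NEG" --network-endpoint-group-region="$REGION"
}

# 2b) Cloud Armor: the default rule (priority 2147483647) denies everything,
#     and one higher-priority rule allows only the VPN egress range.
attach_cloud_armor() {
  "$GCLOUD" compute security-policies create "$POLICY" --project="$PROJECT" \
    --description="allow VPN egress range only"
  "$GCLOUD" compute security-policies rules update 2147483647 --project="$PROJECT" \
    --security-policy="$POLICY" --action=deny-403
  "$GCLOUD" compute security-policies rules create 1000 --project="$PROJECT" \
    --security-policy="$POLICY" --src-ip-ranges="$VPN_CIDR" --action=allow
  "$GCLOUD" compute backend-services update "$BACKEND" --project="$PROJECT" --global \
    --security-policy="$POLICY"
}

# Only run against a real project when explicitly asked: ./restrict.sh apply
if [ "${1:-}" = apply ]; then
  restrict_ingress && create_backend && attach_cloud_armor
fi
```

Run it with `GCLOUD=echo ./restrict.sh apply` first to review the exact commands before applying them; the service's `*.run.app` URL keeps returning 403 afterwards by design, so test only through the load balancer's DNS name from inside and outside the VPN range.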

Hi dumpalap,

Thank you for the update.

We have tried the same and it worked for some of the services, but we faced some issues after a few months. I hope I can share my situation via this thread.

Initially we had a few Cloud Run services, and communication between them happened via Pub/Sub (a GCP service). Then we started to create new Cloud Run services to incorporate new features into our application, but this time, instead of using Pub/Sub, we used REST API calls for communication between the Cloud Run services.
So right now we are not able to continue with the same security model (Internal + load balancing + Cloud Armor).


1) Can you share the most feasible communication method between Cloud Run services? (I would like to know whether we can use any model other than Pub/Sub.)

2) Is it a best practice to use REST API calls for the communication between Cloud Run services in GCP?


Awaiting your valuable suggestions ...