Hi,
I have multiple services on Cloud Run (let's say ServiceAPI and ServiceMS).
What I want:
- ✅ secure ServiceMS so it is called only by ServiceAPI => so I configure it with "internal traffic only" ingress and "Require authentication"
- ✅ ServiceMS calls a "External load balancer" in GKE => so I add a VPC connector to ServiceMS letting only private IPs through it
- ✅ ServiceAPI be called from external services => so I set "All traffic" ingress and no authentication
- ✅ ServiceAPI calls ServiceMS => so I add the same VPC connector and routing all traffic through it
- ❌ ServiceAPI calls an external service API (e.g. the Stripe API), but I can't access it because of all traffic going through the VPC (it works with only private traffic through the VPC, but then I can't access my internal ServiceMS)
I know I'm missing something in my comprehension. I checked VPC SC, firewalls, etc. But as I'm not an expert (that's why I go with Cloud Run) I'm not sure which solution is the one.
Do I have to open something in the default VPC ?
Do I have to add a rule for the firewall ?
Do I have to configure VPC SC ?
Do I have to change my architecture and move the external API call ?
Kind regards
Hello,
Could you check to see if the subnet that you used for the VPC connector has Private Google Access (PGA) enabled? You can do this by navigating to your VPC networks and selecting the relevant subnet. Edit that subnet and see if PGA is enabled and enable it if not.
Also, if you're not forcing all egress traffic through the VPC connector, it might be using its default internet path to reach out to the Cloud Run service that you set the ingress to allow "Internal Only". Please set all egress traffic to use the VPC connector. However, if you need the Cloud Run service to reach out to public endpoints, then that may not be viable (although you could use Cloud NAT).
You could also set the ingress to allow "Internal and Cloud Load Balancing" and put the Cloud Run service you want to restrict as a backend service for an external HTTP(S) load balancer [1]. This would mean that it would still be reachable internally, but you could also use Cloud Armor to restrict the IPs that can send traffic to the load balancer. If you need a static external outbound IP, please review this document [2].
[1] https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless
[2] https://cloud.google.com/run/docs/configuring/static-outbound-ip
Hello
Thank you for your answer
I followed link n° 2 (https://cloud.google.com/run/docs/configuring/static-outbound-ip) for my Cloud Run services and I set:
- all my Cloud Run MS services with ingress "internal only" and all egress traffic through the VPC connector
- my Cloud Run API service with ingress "all traffic" and all egress traffic through the VPC connector
- my VPC connector using a subnet with PGA activated (it seems not necessary for my case, but maybe because my database has a static IP via load balancer)
- and I added a NAT gateway for the static outbound IP address
I didn't need to use Load Balancer nor Cloud Armor, and it seems I don't need PGA activated.
Thank you very much, it works very well (and I mostly understand why... )
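The final working layout from this thread (both answers' advice and the last post's settings), written as Terraform as an added example; it is not code from the thread or from Google. Region, resource names, the /28 range and the image paths are placeholder assumptions, and the `default` VPC is assumed to exist.

```terraform
# Added example, not from the thread: region, names, CIDR and images are placeholders.
locals { region = "europe-west1" }
# Connector on a dedicated /28 in the default VPC (Terraform creates the subnet).
resource "google_vpc_access_connector" "run" {
  name          = "run-connector"
  region        = local.region
  network       = "default"
  ip_cidr_range = "10.8.0.0/28"
}
# Cloud NAT: all egress is forced through the connector, so this is ServiceAPI's path to public APIs (one static IP).
resource "google_compute_address" "nat" {
  name   = "run-nat-ip"
  region = local.region
}
resource "google_compute_router" "nat" {
  name    = "run-nat-router"
  region  = local.region
  network = "default"
}
resource "google_compute_router_nat" "nat" {
  name                               = "run-nat"
  router                             = google_compute_router.nat.name
  region                             = local.region
  nat_ip_allocate_option             = "MANUAL_ONLY"
  nat_ips                            = [google_compute_address.nat.self_link]
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}
# Both services use the same connector with all egress through it; only ingress differs.
resource "google_service_account" "api" { account_id = "service-api" }
resource "google_cloud_run_v2_service" "svc" {
  for_each = { ms = "INGRESS_TRAFFIC_INTERNAL_ONLY", api = "INGRESS_TRAFFIC_ALL" }
  name     = "service-${each.key}"
  location = local.region
  ingress  = each.value
  template {
    service_account = each.key == "api" ? google_service_account.api.email : null
    containers { image = "REGION-docker.pkg.dev/PROJECT/repo/service-${each.key}" }
    vpc_access {
      connector = google_vpc_access_connector.run.id
      egress    = "ALL_TRAFFIC"
    }
  }
}
# "Require authentication" on ServiceMS: only ServiceAPI's identity gets run.invoker.
resource "google_cloud_run_v2_service_iam_member" "api_invokes_ms" {
  name     = google_cloud_run_v2_service.svc["ms"].name
  location = local.region
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.api.email}"
}
```

ServiceAPI still has to send an identity token for the ServiceAPI service account on each call to ServiceMS; no `allUsers` binding exists on ServiceMS, so an unauthenticated or public-internet request is rejected before it reaches the container.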