
CloudRun Direct VPC Egress issue

An API call from a Cloud Run application to an external API is resulting in errors.
The error message is: `EHOSTUNREACH: Failed to open TCP connection (Host is unreachable - connect(2)`.

The API call to the external API occurs in batch processing within a worker container running as a Cloud Run service. The batch process makes multiple API calls to the external API.
Initially, the API calls complete successfully, but after a while, the above error starts occurring.
The Cloud Run application is configured with Direct VPC Egress (10.0.0.0/16) set to "Route all traffic to the VPC", and egress is routed through Cloud NAT and no Firewall rules have been set.

I checked the NAT metrics, but there were no nat_allocation_failed errors. For further investigation, when the batch process was executed as a Cloud Run Job with the same Direct VPC Egress settings, it resulted in the same errors.
However, when the batch process was executed as a Cloud Run Job with Direct VPC Egress set to "Route only requests to private IPs to the VPC", no errors occurred.

Therefore, I think the problem might be related to the Direct VPC Egress, Firewall, or NAT settings, but what's puzzling is that the API calls work fine initially. What could be the possible causes for this issue?


Hi @kata_dev,

Welcome to Google Cloud Community!

To send egress traffic from a Cloud Run service or job, you must set the --vpc-egress flag to all-traffic when you create the service or job. These are the steps for deploying a service, where you can add network tags directly on Cloud Run service revisions for more granular network security, such as applying VPC firewall rules.

Here’s the documentation on how to configure Cloud Run to use a Public NAT Gateway with Direct VPC egress.

It also appears that a more thorough investigation for your project is necessary. For more detailed insights you may reach out to Google Cloud Support for assistance. When contacting them, provide all your comprehensive details and screenshots. This will help our 1:1 support team better understand and address your issue.

I hope the above information is helpful.

I got the same error when sending an external API request from a Cloud Run service.

I followed the instructions on Static Outbound IP address for Cloud Run with direct VPC egress. After routing outgoing traffic through the VPC subnet (10.124.0.0/20), it worked for the first 10 minutes. But then the external API requests started returning an error with "Error: connect EHOSTUNREACH".

I have the exact same problem. The networking settings are as above (route all to vpc). It works for a while and then I get errors like "Error: connect EHOSTUNREACH".

Does anyone know how to fix this problem?