
Cloud Run can't make outbound HTTP requests

Hello there, 

I'm having a hard time debugging why Cloud Run is not allowed to make outbound HTTP requests to the public internet.

My setup follows a Global load balancer (Classic) -> Cloud Run internal load balancer. I use the serverless VPC connector explained here:


I can reach my Cloud Run service just fine by hitting the URL in the browser; however, my server is making an HTTP request to a public endpoint, which fails with a timeout.

I've also tested by hitting a different public URL (Wikipedia) and the same error happens. So it is definitely an egress issue.

I've added a firewall rule to allow egress to all ports and IPs, as follows:

[screenshot of the egress firewall rule]

But it didn't make a difference.

Here are my routes:

[screenshot of the routes]

Any help would be appreciated, please! 🙏

Solved
1 ACCEPTED SOLUTION

If you have access to Network Intelligence Center, you can check the route from the internal side to ensure there are no firewalls inhibiting it, but if there is no external IP to associate the service with, you won't be able to hit it externally. If you're using NAT to get out, you would need an External Load Balancer or Endpoint defined to service traffic.
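The fix the thread converges on (Cloud NAT with a static IP in front of the serverless VPC connector, with the service keeping `vpc-access-egress: all-traffic`) written as Terraform. This is an added example, not code from the thread or from Google's documentation; it assumes the VPC is `google_compute_network.vpc` and the connector's /28 subnet is `google_compute_subnetwork.connector`, and takes the region from the service labels shown below.

```hcl
# Added example, not from the thread. Assumed names: the VPC is
# google_compute_network.vpc and the connector's /28 subnet is
# google_compute_subnetwork.connector; the thread's connector is
# central-serverless in europe-west3 (taken from the service labels).

locals {
  region = "europe-west3"
}

# One reserved address: the remote API sees a fixed source IP, which is
# what you allow-list on its side instead of an ephemeral pool address.
resource "google_compute_address" "cloudrun_egress" {
  name   = "cloudrun-egress-ip"
  region = local.region
}

resource "google_compute_router" "cloudrun_egress" {
  name    = "cloudrun-egress-router"
  region  = local.region
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "cloudrun_egress" {
  name   = "cloudrun-egress-nat"
  router = google_compute_router.cloudrun_egress.name
  region = local.region

  # MANUAL_ONLY pins NAT to the reserved address above.
  nat_ip_allocate_option = "MANUAL_ONLY"
  nat_ips                = [google_compute_address.cloudrun_egress.self_link]

  # NAT only the connector subnet; other subnets stay without public egress
  # unless they are listed here explicitly.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                    = google_compute_subnetwork.connector.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # Surface dropped or port-exhausted connections in Cloud Logging instead
  # of as silent timeouts inside the service.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```

The router, NAT and connector subnet must all sit in the same region as the connector; the service's `run.googleapis.com/vpc-access-connector` and `vpc-access-egress: all-traffic` annotations shown in the thread stay unchanged.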


8 REPLIES

Hi @djs_75, thanks for getting back to me.

Yes, I have routed the egress traffic to the VPC connector as follows:

```
      annotations:
        run.googleapis.com/client-name: gcloud
        generated-by: terraform
        client.knative.dev/user-image: [MY_IMAGE]
        run.googleapis.com/client-version: 397.0.0
        autoscaling.knative.dev/minScale: '1'
        run.googleapis.com/vpc-access-egress: all-traffic
        autoscaling.knative.dev/maxScale: '2'
        run.googleapis.com/vpc-access-connector: central-serverless
```

Here is my entire network configuration:

### Network

[screenshot]

### Firewall

[screenshot]

Note: I also tried changing allow-internal to allow all IPs (0.0.0.0/0); the egress rule was just a test to see if it made any difference.

### Routes

[screenshot]

### VPC Connector

[screenshot]

### VPC Peering

[screenshot]

Here is the entire YAML definition from Cloud Run (with some info redacted) if it helps:

```
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: web-app
  namespace: '447640861145'
  selfLink: /apis/serving.knative.dev/v1/namespaces/447640861145/services/web-app
  uid: 27843a4c-1ec0-4a67-9d31-1a8325d4ef5d
  resourceVersion: AAXl44oBy9Q
  generation: 26
  creationTimestamp: '2022-08-09T13:47:03.660740Z'
  labels:
    cloud.googleapis.com/location: europe-west3
  annotations:
    serving.knative.dev/creator: XXXX
    serving.knative.dev/lastModifier: XXXX
    run.googleapis.com/vpc-access-egress: all-traffic
    run.googleapis.com/vpc-access-connector: central-serverless
    run.googleapis.com/ingress: internal-and-cloud-load-balancing
    run.googleapis.com/ingress-status: internal-and-cloud-load-balancing
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/client-name: terraform
        generated-by: terraform
        autoscaling.knative.dev/minScale: '1'
        run.googleapis.com/vpc-access-egress: all-traffic
        autoscaling.knative.dev/maxScale: '2'
        run.googleapis.com/vpc-access-connector: central-serverless
    spec:
      containerConcurrency: 80
      timeoutSeconds: 120
      serviceAccountName: web-app-cloudrun@alpha-shopping-mall.iam.gserviceaccount.com
      containers:
      - image: XXXX
        ports:
        - name: http1
          containerPort: 8080
        env:
        - name: CLOUD_RUN_PROJECT_HASH
          value: XXXX
        - name: SERVER_PORT
          value: '8080'
        - name: AUTH_URL
          value: XXX
        - name: AUTH_REALM
          value: XXXX
        - name: AUTH_APP_BASE_URL
          value: XXXX
        - name: AUTH_CLIENT_ID
          value: web-app
        resources:
          limits:
            cpu: 1000m
            memory: 512Mi
  traffic:
  - percent: 100
    latestRevision: true
status:
  observedGeneration: 26
  conditions:
  - type: Ready
    status: 'True'
    lastTransitionTime: '2022-08-10T14:04:07.930411Z'
  - type: ConfigurationsReady
    status: 'True'
    lastTransitionTime: '2022-08-10T14:04:00.301442Z'
  - type: RoutesReady
    status: 'True'
    lastTransitionTime: '2022-08-10T14:04:07.930411Z'
  latestReadyRevisionName: web-app-s9xlc
  latestCreatedRevisionName: web-app-s9xlc
  traffic:
  - revisionName: web-app-s9xlc
    percent: 100
    latestRevision: true
  address:
```

Based on the information above, there does not appear to be an external IP address; I would configure an Endpoint.


@djs_75 mmmh,

I thought I didn't need a static IP, since I'd be OK with a dynamic IP from a pool to make external requests.

I think I see your point now. I would try to set up a NAT to get out, since I already have an external load balancer in place to serve public traffic.

If you have an external load balancer and it pulled an IP from the pool, look at that and see what external IP it assigned, and ensure your Cloud Run is in the backend.

@djs_75 You can't imagine how thankful I am! 

After I set up a NAT with a static IP, my instances are now able to go to the public internet 😀

Wish you the best, seriously!