Communication from Cloud Run to Cloud Run

Hi everyone!

I'm working with Cloud Run services and I have the following situation:

1) I have 2 Cloud Run services, A and B. Cloud Run service A should call B.

2) Both services (A and B) are behind an HTTPS External Load Balancer, because both services should be accessible from the internet.

3) Both services (A and B) have ingress configured as: Allow internal traffic and traffic from Cloud Load Balancing.

4) For internal communication from Cloud Run service A to Cloud Run service B, I have configured a Serverless VPC Access connector in Cloud Run service A, routing all egress traffic through the connector, following this documentation: https://cloud.google.com/run/docs/securing/private-networking#from-gcp-serverless, but I don't know how to implement point 3 in order to route traffic from the VPC to Cloud Run, because I don't understand how to configure Private Service Connect (https://cloud.google.com/run/docs/securing/private-networking#from-vpc) for this scenario.

I would like to know if the approach I'm using to have both services communicate is OK and, if it is, I would also like to know how to route traffic from the VPC to Cloud Run.

Thanks in advance!

 


Hi, that process is necessary if you want to reach the services using private IP addresses. If you're OK using public IPs for service-to-service communication, instead of setting up Private Service Connect, you can enable Private Google Access (which is easier to do). 

How to route traffic from VPC to Cloud Run is documented here: https://cloud.google.com/run/docs/securing/private-networking#from-gcp-serverless

Thanks for your answer!

I'm following that documentation, but in point 3 of https://cloud.google.com/run/docs/securing/private-networking#from-gcp-serverless , I see the following: 

Once the traffic is on the VPC network, make sure the VPC network is configured appropriately to further route that request to Cloud Run. See Receive requests from VPC networks.

When I go to: https://cloud.google.com/run/docs/securing/private-networking#from-vpc, the first option says: 

The most direct path is to enable Private Google Access on the subnets hosting your VPC resources. Once enabled, resources on the subnets can access your Cloud Run services at the default run.app URL. Traffic from your VPC to Cloud Run stays in Google's network. In that case, the IP range for requests sent to the Cloud Run service is 0.0.0.0/32. This means that in request log entries, the remoteIp attribute of the HttpRequest will be 0.0.0.0.

But actually I don't have a subnet in the VPC; I have only the Serverless VPC Access connector.

How can I enable Private Google Access?

Thanks in advance!!

 

You probably need to enable it on the subnet of the VPC connector (I
haven't tested this myself but it makes logical sense).

The VPC connector subnet is hidden if you created the connector using an IP
range. But if you create a subnet yourself and then pass that subnet in
when creating the VPC Connector, you can then enable Private Google Access
on that subnet.
-------------------------------------------
Karolina Netolicka
Product Manager, Serverless

Thank you Knet!

The solution you proposed works perfectly! I created the Serverless VPC Access connector through the gcloud CLI and the connector was assigned to a subnet with Private Google Access enabled.

Thanks again!!
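
The steps from the accepted answer, written out as gcloud commands. This is an added example, not something posted by a participant in the thread; the network, region, subnet, connector and service names and the IP range are placeholders. It prints the commands by default and runs them only when APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Placeholder names (assumptions, not from the thread): replace with your own.
NETWORK="my-vpc"
REGION="us-central1"
SUBNET="run-connector-subnet"
RANGE="10.8.0.0/28"          # a connector subnet must be a dedicated /28
CONNECTOR="run-connector"
CALLER="service-a"           # the Cloud Run service that makes the call

# Print the gcloud commands, one per line, in the order they must run:
# subnet with Private Google Access, connector on that subnet, egress via connector.
connector_plan() {
  cat <<EOF
gcloud compute networks subnets create $SUBNET --network=$NETWORK --region=$REGION --range=$RANGE --enable-private-ip-google-access
gcloud compute networks vpc-access connectors create $CONNECTOR --region=$REGION --subnet=$SUBNET
gcloud run services update $CALLER --region=$REGION --vpc-connector=$CONNECTOR --vpc-egress=all-traffic
EOF
}

# Reject anything that is not a /28 before any resource is created.
valid_range() { case "$1" in */28) return 0 ;; *) return 1 ;; esac; }

# Succeeds only if Private Google Access is enabled on the connector subnet.
pga_enabled() {
  case "$(gcloud compute networks subnets describe "$SUBNET" \
          --region="$REGION" --format='value(privateIpGoogleAccess)')" in
    True|true) return 0 ;;
    *) return 1 ;;
  esac
}

# Dry run by default; executes each command only when APPLY=1.
apply_plan() {
  valid_range "$RANGE" || { echo "subnet range must be a /28: $RANGE" >&2; return 1; }
  while IFS= read -r cmd; do
    echo "+ $cmd"
    if [ "${APPLY:-0}" = "1" ]; then $cmd || return 1; fi
  done <<EOF
$(connector_plan)
EOF
  if [ "${APPLY:-0}" = "1" ]; then
    pga_enabled || { echo "Private Google Access is not enabled on $SUBNET" >&2; return 1; }
  fi
}

apply_plan
```

Service B keeps its "internal and Cloud Load Balancing" ingress setting; with this in place service A calls B at its default run.app URL.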