
Privately invoke a CR service from AppEngine

Former Community Member
Not applicable

I have a Cloud Run Service that hosts REST APIs that are consumed by my AppEngine service. I want to limit CR endpoint invocations to only come from AppEngine rather than making them public. One solution that came to my mind was using a single serverless VPC connector and having AppEngine and the CR service both connect to the default VPC via the same connector; the AppEngine endpoint would then be able to invoke the *.run.app CR service privately. However, the solution is not working for me due to another reason.

I am using CI/CD with GCB to deploy the AppEngine service, with a simple step "gcloud app deploy" to deploy to the target AppEngine. However, the pipeline is failing with the error below. I am referring to this link.

I also added 2 lines for the VPC connector in app.yaml.


For an alternate way of meeting your requirements, see the accepted answer on this post.

Pay attention to the bit about service to service authentication. You’ll need the sample code to invoke your Cloud Run App from GAE.

 

 

..... NoCommandLine ......
 https://nocommandline.com
A GUI for Google App Engine
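The service-to-service authentication mentioned in the reply above, as an added Python example that is not part of the original thread or of Google's sample code: the caller asks the metadata server for an ID token whose audience is the Cloud Run service URL and sends it as a bearer token. It assumes an App Engine runtime where the metadata server is reachable and a runtime service account that holds `roles/run.invoker` on the service; `call_private_service`, `fetch_id_token` and `unverified_claims` are hypothetical helper names.

```python
import base64
import json
import urllib.parse
import urllib.request

# Metadata server endpoint that issues Google-signed ID tokens for the
# runtime service account of the calling service.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)


def _http_get(url, headers, timeout=10):
    """Default transport: plain GET returning the response body as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def fetch_id_token(audience, http_get=_http_get):
    """Ask the metadata server for an ID token bound to `audience`."""
    query = urllib.parse.urlencode({"audience": audience})
    return http_get(f"{METADATA_IDENTITY_URL}?{query}",
                    {"Metadata-Flavor": "Google"}).strip()


def unverified_claims(token):
    """Decode the JWT payload for inspection only (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def call_private_service(service_url, path, http_get=_http_get):
    """GET service_url + path with the ID token in the Authorization header."""
    token = fetch_id_token(service_url, http_get)
    # The token is only useful against the service named in `aud`; refuse to
    # send one that was minted for a different audience.
    if unverified_claims(token).get("aud") != service_url:
        raise ValueError("token audience does not match the target service")
    return http_get(service_url.rstrip("/") + path,
                    {"Authorization": f"Bearer {token}"})
```

The `http_get` parameter exists so the flow can be exercised without a metadata server; in production the default transport is used and Cloud Run itself verifies the token's signature and audience before the request reaches the container.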

Former Community Member
Not applicable

Thanks @NoCommandLine. So the solution I proposed (connecting both AppEngine and CR to the same VPC using a serverless VPC connector and changing the CR service's ingress setting to "internal and LB only") won't work?

I don't know. I'm not familiar with the method you're using.

I only gave you an alternative way of achieving your goal (I'm simply giving you a method that I'm familiar with). 

 

..... NoCommandLine ......
 https://nocommandline.com
A GUI for Google App Engine
 

Former Community Member
Not applicable

No problem 🙂

A response to the question you asked here.

According to Google documentation,

...Ingress settings and IAM authentication methods are two ways of managing access to a service. They are independent of each other. For a layered approach to managing access, use both....

The above means that if you go the IAM route, you don't have to set up Ingress settings (if you don't want to). If you go the Ingress settings route, you don't have to go the IAM route (if you don't want to).

..... NoCommandLine ......
 https://nocommandline.com
A GUI for Google App Engine

Former Community Member
Not applicable

Exactly, that’s what I wanted to do, if you recall: to use the ingress setting. Going the IAM route still has the risk of being able to invoke the CR service if the access token is compromised.