
Using VPC connector in Cloud Run

I have ended up in a tricky situation regarding the usage of serverless VPC connectors in Cloud Run. The service needs to call both other internal Cloud Run services (e.g. services that only allow invocation via internal traffic) and some external services/URLs. Given the two options for routing through the connector, namely (1) route only traffic to private IPs through the connector and (2) route all traffic through the connector, it seems impossible to me to configure the connector in such a way that it correctly resolves both external and internal URLs.

When going with the first option, the URLs for internal Cloud Run services are not properly resolved but the external ones are. There are no static IPs for Cloud Run services, so using "internal" IPs is not an option.

When choosing the second option, the internal URLs are resolved properly but not the external ones.

Is there a solution to this situation?

The purpose of the VPC Serverless connection is to provide internal access from your serverless application to the internal GCP VPC resources, as pointed out in the following document [1].

That being said, if an application deployed through Cloud Run needs resources external to GCP, that should be handled by the composition of the image itself, not by the VPC Serverless connection.

The second part I could get from your question is that you have multiple services configured in Cloud Run and need to communicate among them.

For this part, I want to point out that maybe the best approach, instead of the VPC Serverless connection, would be to merge your services and package them into one single Dockerfile.

You can find examples of how to run multiple services in a container in the following document [2].

Once you have created a Docker image with the services merged, you can store it in any supported registry and deploy it with Cloud Run as stated in the following document [3].

[1] https://cloud.google.com/vpc/docs/serverless-vpc-access

[2] https://docs.docker.com/config/containers/multi-service_container/

[3] https://cloud.google.com/run/docs/deploying

The correct option if you want to reach both internal and external URLs is "Route only traffic to private IPs through the connector". As Google's public documentation states: "Only requests to RFC 1918 and RFC 6598 IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet". [1]

If you are having problems reaching the internal URLs when you select this option, most probably you are blocking them at the firewall level in the VPC subnet.

To check the firewall rules in your project you can run the following command in the gcloud console:

gcloud compute firewall-rules list

[1] https://cloud.google.com/run/docs/configuring/connecting-vpc
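The two egress settings quoted above correspond to the `--vpc-egress private-ranges-only` and `--vpc-egress all-traffic` values of `gcloud run deploy`. The following Python script is an added example, not code from the question or either answer: it applies the documented routing rule (RFC 1918 and RFC 6598 destinations go through the connector under `private-ranges-only`, everything goes through it under `all-traffic`) to candidate destination IPs, and then evaluates constructed VPC ingress firewall rules, in the JSON shape that `gcloud compute firewall-rules list --format=json` produces, against a connector source range the way GCP evaluates them (lowest priority number wins, deny beats allow at equal priority, implied deny when nothing matches). The connector subnet `10.8.0.0/28`, the backend addresses, the rule names and the TEST-NET public address `203.0.113.10` are all assumptions made up for the example.

```python
"""Added example: which Cloud Run egress goes through a Serverless VPC Access
connector, and whether VPC ingress firewall rules would admit that traffic.
All sample data (subnet, rules, addresses) is constructed for illustration."""
import ipaddress
import json

# Ranges that "private-ranges-only" sends through the connector:
# RFC 1918 (10/8, 172.16/12, 192.168/16) plus RFC 6598 (100.64/10).
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def routes_via_connector(dest_ip: str, vpc_egress: str) -> bool:
    """True if a request to dest_ip leaves Cloud Run through the VPC connector."""
    if vpc_egress == "all-traffic":
        return True
    if vpc_egress != "private-ranges-only":
        raise ValueError(f"unknown --vpc-egress value: {vpc_egress}")
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in PRIVATE_RANGES)


# Constructed stand-in for `gcloud compute firewall-rules list --format=json`.
# The connector is assumed to live in 10.8.0.0/28 (assumption for the example).
SAMPLE_FIREWALL_JSON = json.dumps([
    {"name": "deny-all-ingress", "direction": "INGRESS", "priority": 65534,
     "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-connector-to-backend", "direction": "INGRESS", "priority": 1000,
     "disabled": False, "sourceRanges": ["10.8.0.0/28"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080", "443"]}]},
    {"name": "allow-ssh-from-iap", "direction": "INGRESS", "priority": 1000,
     "disabled": False, "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
])


def _port_matches(spec: dict, port: int) -> bool:
    """A spec without 'ports' covers every port; entries may be 'N' or 'N-M'."""
    ports = spec.get("ports")
    if not ports:
        return True
    for p in ports:
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _rule_verdict(rule: dict, src: ipaddress.IPv4Address, proto: str, port: int):
    """Return 'allowed' / 'denied' if this ingress rule matches, else None."""
    if rule.get("disabled") or rule.get("direction") != "INGRESS":
        return None
    if not any(src in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
        return None
    for verdict in ("allowed", "denied"):
        for spec in rule.get(verdict, []):
            if spec["IPProtocol"] in ("all", proto) and _port_matches(spec, port):
                return verdict
    return None


def ingress_verdict(firewall_json: str, src_ip: str, port: int, proto: str = "tcp") -> str:
    """Evaluate ingress rules like GCP: lowest priority number wins, a deny
    beats an allow at equal priority, and no match means the implied deny."""
    src = ipaddress.ip_address(src_ip)
    rules = sorted(json.loads(firewall_json),
                   key=lambda r: (r.get("priority", 1000), 0 if "denied" in r else 1))
    for rule in rules:
        verdict = _rule_verdict(rule, src, proto, port)
        if verdict:
            return f"{verdict} by {rule['name']}"
    return "denied by implied ingress rule"


if __name__ == "__main__":
    for dest in ("10.128.0.5", "100.64.1.1", "203.0.113.10"):
        for egress in ("private-ranges-only", "all-traffic"):
            via = "connector" if routes_via_connector(dest, egress) else "internet"
            print(f"{dest:<14} --vpc-egress {egress:<19} -> {via}")
    # Traffic from a connector instance at 10.8.0.3 to a backend on two ports.
    for port in (8080, 5432):
        print(f"connector 10.8.0.3 -> tcp/{port}: "
              f"{ingress_verdict(SAMPLE_FIREWALL_JSON, '10.8.0.3', port)}")
```

If the script reports `internet` for the address a hostname actually resolves to, the connector is not involved for that request no matter how its firewall is configured; if it reports `connector` but the ingress verdict is a deny, the rule named in the verdict is the one to inspect in the real `gcloud compute firewall-rules list` output.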
