How to enable Cloud Run using serverless vpc connector to restrict traffic to a specific VPC resource only
I am trying to set up Cloud Run (nodeJs app, code is below) to privately connect to a Memorystore instance. I've followed this Google Article to create a Serverless VPC Access Connector, making sure I created the connector in the same region as the Cloud Run app, and that the connector is attached to the Redis instance's authorized VPC network.
Memorystore is isolated in a VPC with a private range address.
Nodejs app code is shown below.
const {createClient} = require('redis');

// Builds a redis client that reaches Memorystore over the VPC connector.
// REDIS_HOST is the instance's private IP; REDIS_PASS is its AUTH string.
function getClient() {
  const client = createClient({
    socket: {
      host: process.env.REDIS_HOST
    },
    password: process.env.REDIS_PASS
  });
  client.on('error', (err) => {
    throw Error(`redis client error: ${err}`);
  });
  return client;
}

module.exports = {getClient};
The Google doc states that a firewall rule is created to allow ingress from the connector's subnet to all destinations in the VPC network. This is against my company's security policy as we have other services in this VPC (VMs, GKE instances etc). So I need to restrict the connector from being able to reach all destinations in the VPC network. Is there a preferred way of achieving this?
Earlier in 2021, Google Cloud made it possible for the Cloud Run serverless VPC connector to use the allow and target-tags flags to create an ingress firewall rule. It allows targeting the traffic only to a specific resource within the VPC.
Create a firewall rule and set the priority for this rule to be a lower value than the one you created in the previous step.
gcloud compute firewall-rules create RULE_NAME \
--allow=PROTOCOL \
--source-tags=VPC_CONNECTOR_NETWORK_TAG \
--direction=INGRESS \
--network=VPC_NETWORK \
--target-tags=RESOURCE_TAG \
--priority=PRIORITY
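To see why the priority matters, here is an added example (not from the question, the answer, or Google's docs) that models GCP ingress firewall evaluation: lowest priority number is evaluated first, the first matching rule decides, and unmatched traffic hits the implied ingress deny. The instance names, IPs, tags and CIDR are constructed placeholders; it compares the documented "connector subnet to everything" allow with the answer's deny-all plus tag-scoped allow pair.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    priority: int                      # GCP: lower number is evaluated first
    action: str                        # "allow" or "deny"
    source_tags: set = field(default_factory=set)
    source_ranges: list = field(default_factory=list)
    target_tags: set = field(default_factory=set)   # empty = all instances in the VPC

@dataclass
class Instance:
    name: str
    ip: str
    tags: set

def matches(rule, src, dst):
    """Ingress match: source by network tag or CIDR, destination by target tag (or any)."""
    by_tag = bool(rule.source_tags & src.tags)
    by_range = any(ip_address(src.ip) in ip_network(r) for r in rule.source_ranges)
    to_target = not rule.target_tags or bool(rule.target_tags & dst.tags)
    return (by_tag or by_range) and to_target

def evaluate(rules, src, dst):
    """First matching rule in priority order decides; otherwise the implied ingress deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, src, dst):
            return rule.action
    return "deny"

# Constructed sample topology: the connector VM and two other instances in the VPC.
CONNECTOR = Instance("vpc-connector-vm", "10.8.0.2", {"vpc-connector-tag"})
TARGETS = [Instance("redis-proxy", "10.0.1.5", {"redis-proxy"}),
           Instance("gke-node", "10.0.2.7", {"gke-node"})]

# Ruleset 1: the documented setup, connector subnet allowed to every destination.
OPEN_RULES = [Rule("allow-connector-to-all", 1000, "allow", source_ranges=["10.8.0.0/28"])]

# Ruleset 2: the answer's approach. A deny covering all targets, plus a tag-scoped allow
# with a lower priority number so it is evaluated before the deny.
RESTRICTED_RULES = [
    Rule("deny-connector-to-all", 1000, "deny", source_tags={"vpc-connector-tag"}),
    Rule("allow-connector-to-redis-proxy", 900, "allow",
         source_tags={"vpc-connector-tag"}, target_tags={"redis-proxy"}),
]

def reachability(rules):
    """Verdict for traffic from the connector to each target instance, by name."""
    return {t.name: evaluate(rules, CONNECTOR, t) for t in TARGETS}
```

If the allow rule were given a higher number than the deny, the deny would match first and the Redis path would be blocked too, which is exactly the ordering the answer is warning about.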
Hope it resolves your issue.