
Using VPC connector in Cloud Run

I have ended up in a tricky situation regarding the usage of Serverless VPC Access connectors in Cloud Run. The service needs to call both other internal Cloud Run services (i.e. services that only allow invocation via internal traffic) and some external services/URLs. Given the two options for routing through the connector, namely (1) route only traffic to private IPs through the connector and (2) route all traffic through the connector, it seems impossible to me to configure the connector in such a way that it correctly resolves both external and internal URLs.

When going with the first option, the URLs for internal Cloud Run services are not properly resolved but the external ones are. There are no static IPs for Cloud Run services, so using "internal" IPs is not an option.

When choosing the second option, the internal URLs are resolved properly but not the external ones.

Is there a solution to this situation?

The purpose of the Serverless VPC Access connection is to provide internal access from your serverless application to the internal GCP VPC resources, as pointed out in the following document [1].

That being said, if an application deployed through Cloud Run needs resources external to GCP, that should be handled by the composition of the image itself, not by the Serverless VPC Access connection.

The second point I take from your question is that you have multiple services configured in Cloud Run and need them to communicate with each other.

For this part, I want to point out that maybe the best approach, instead of the Serverless VPC Access connection, would be to merge your services and package them into one single Dockerfile.

You can find examples of how to run multiple services in a container in the following document [2].

Once you have created a Docker image with the services merged, you can store it in any supported registry and deploy it with Cloud Run as stated in the following document [3].

[1] https://cloud.google.com/vpc/docs/serverless-vpc-access

[2] https://docs.docker.com/config/containers/multi-service_container/

[3] https://cloud.google.com/run/docs/deploying

The correct option if you want to reach both internal and external URLs is "Route only traffic to private IPs through the connector". As Google's public documentation states: "Only requests to RFC 1918 and RFC 6598 IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet." [1]

If you are having problems reaching the internal URLs when you select this option, most probably you are blocking them at the firewall level in the VPC subnet.

To check the firewall rules in your project you can run the following command with gcloud:

gcloud compute firewall-rules list

[1] https://cloud.google.com/run/docs/configuring/connecting-vpc
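The following is an added example illustrating the two points of the answer above; it is not part of the original post and not Google's own tooling. It models, offline, (a) which destination addresses the "private ranges only" egress setting sends through the connector (RFC 1918 plus RFC 6598, by resolved destination IP) and (b) how VPC ingress firewall rules are evaluated for traffic arriving from the connector's /28 subnet, so that a blocking rule can be spotted in the output of `gcloud compute firewall-rules list --format=json`. The rule list, the project name `my-project` and the connector range `10.8.0.0/28` are constructed sample data, and target tags / target service accounts on rules are ignored (an assumption; real rules may be scoped to specific instances).

```python
import ipaddress
import json

# Added example, not from the original post. Sample data below is constructed.

# Destination ranges that "Route only traffic to private IPs through the
# connector" (gcloud: --vpc-egress=private-ranges-only) sends via the
# connector; every other destination leaves directly to the internet.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared space
)]


def routed_via_connector(dest_ip: str) -> bool:
    """True if a request to the resolved address dest_ip is routed through the
    connector under private-ranges-only egress."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in PRIVATE_RANGES)


# Constructed sample in the shape of `gcloud compute firewall-rules list
# --format=json` (only the fields used below are included).
NET = "https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default"
SAMPLE_RULES_JSON = json.dumps([
    {"name": "allow-from-connector", "network": NET, "direction": "INGRESS",
     "priority": 900, "disabled": False, "sourceRanges": ["10.8.0.0/28"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443", "8080-8090"]}]},
    {"name": "deny-private-ingress", "network": NET, "direction": "INGRESS",
     "priority": 1000, "disabled": False, "sourceRanges": ["10.0.0.0/8"],
     "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-ssh-iap", "network": NET, "direction": "INGRESS",
     "priority": 1000, "disabled": False, "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
])
RULES = json.loads(SAMPLE_RULES_JSON)


def _port_matches(port: int, spec: dict) -> bool:
    """Does an allowed/denied entry such as {"IPProtocol": "tcp",
    "ports": ["443", "8080-8090"]} cover TCP `port`? No port list means all."""
    if spec["IPProtocol"] not in ("tcp", "all"):
        return False
    ports = spec.get("ports")
    if not ports:
        return True
    for p in ports:
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def ingress_verdict(rules, src_ip: str, port: int, network: str = "default") -> str:
    """Evaluate ingress rules on `network` for a TCP packet from src_ip to
    `port`: the lowest priority number wins, a deny beats an allow at equal
    priority, and with no matching rule the VPC's implied deny-ingress
    applies. Returns 'ALLOW:<rule>' or 'DENY:<rule>' ('DENY:implied').
    Assumption: targetTags / targetServiceAccounts are ignored."""
    ip = ipaddress.ip_address(src_ip)
    best = None  # (priority, 0 for deny / 1 for allow, rule name)
    for r in rules:
        if r.get("disabled") or r.get("direction", "INGRESS") != "INGRESS":
            continue
        if not r["network"].endswith("/networks/" + network):
            continue
        if not any(ip in ipaddress.ip_network(s) for s in r.get("sourceRanges", [])):
            continue
        for is_deny, key in ((True, "denied"), (False, "allowed")):
            if any(_port_matches(port, s) for s in r.get(key, [])):
                cand = (r.get("priority", 1000), 0 if is_deny else 1, r["name"])
                if best is None or cand < best:
                    best = cand
    if best is None:
        return "DENY:implied"
    return ("DENY:" if best[1] == 0 else "ALLOW:") + best[2]


def connector_reachability(rules, connector_cidr: str, port: int,
                           network: str = "default") -> str:
    """Verdict for traffic from the connector's subnet (first usable host)
    to `port` on a VM in `network`; a DENY here is the 'blocked at the
    firewall level' case from the answer above."""
    src = next(ipaddress.ip_network(connector_cidr).hosts())
    return ingress_verdict(rules, str(src), port, network)


if __name__ == "__main__":
    for dest in ("10.128.0.5", "100.64.1.1", "172.32.0.1", "34.120.1.1"):
        print(dest, "via connector" if routed_via_connector(dest) else "direct")
    for port in (443, 80, 8085):
        print("connector -> :%d" % port, connector_reachability(RULES, "10.8.0.0/28", port))
```

In the sample, port 443 and the 8080-8090 range are reachable from the connector because the allow rule at priority 900 outranks the deny at 1000, while port 80 is blocked by `deny-private-ingress`; that is the shape of problem to look for in the real `gcloud compute firewall-rules list` output. The corresponding Cloud Run side is `gcloud run deploy ... --vpc-connector NAME --vpc-egress private-ranges-only`.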
