stackoom
  简体   繁体   中英

Reaching GCP Cloud Run instance through VPC with "only internal range" egress

 原文  2022-03-29 13:55:13       google-cloud-platform/ google-cloud-run

Question

The current setup is as follows: I have a Cloud Run service, which acts as "back-end", which needs to reach external services but wants to be reached ONLY by the second Cloud Run instance. which acts as a "front-end", which needs to reach auth0 and the "back-end" and be reached by any client with a browser. I recognize that the setup is not optimal, but I've inherited as is and we cannot migrate to another solution (maybe k8n). I'm trying to make this work with the least amount of impact on the infrastructure and, ideally, without having to touch the services themselves.

What I've tried is to restrict the ingress of the back-end service to INTERNAL and place two serverless VPC connectors (one per service), so that the front-end service would be able to reach the back-end but no one else could.

But I've encountered a huge issue: if I set the egress of the front-end all on the VPC it works, but now the front-end cannot reach auth0 and therefore the users cannot authenticate. If I place the egress as "mixed" (only internal ip ranges go through the VPC) the Google Run URL (*.run.app) is resolved not through the VPC and therefore it returns a big bad 403.

What I tried so far:

  1. Placing a load balancer in front of the back-end service. But the serverless NEG only supports the global http load balancer and I'd need an internal one if I wanted an internal ip to resolve against
  2. Trying to see if the VPC accessor itself MAYBE provided an internal (static) ip, but it doesn't seem so
  3. Someone in another question suggested a "MIG as a proxy" but I haven't managed to figure that out ( Can I run Cloud Run applications on a private IP (inside dedicated VPC.network)? )
  4. Fooled around with the Gateway API, but it seems that I'd have to provide a openAPI specification for the back-end, and I'm still under the delusion that this might be resolved with a cheaper (in terms of effort) approach.

So, I get that the Cloud Run instance cannot possibly have an internal IP by itself, but is there any kind of GCP product that can act as a proxy? Can someone elaborate on the "MIG as a proxy" approach (Managed Instance Group? Of what, though?), which might be the solution I'm looking for? (Sadly, I do not have the reputation needed to comment on that question or I would have).

Any kind of pointer is, as always, deeply appreciated.

1 answers

solution1
 0  2022-03-29 18:15:44

You are designing this wrong. Use Cloud Run's identity-based access control instead of trying to route traffic. Google IAP (Identity Aware Proxy) will block all traffic that is not authorized.

Authenticating service-to-service

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Cloud Run On Anthos - VPC access only Want to create a cloud sql instance with private and public ip on a separate vpc in gcp using terraform GCP Cloud Run Cloud - Cloud SQL instance "${process.env.INSTANCE_CONNECTION_NAME}" is not reachable How to enable Cloud Run using serverless vpc connector to restrict traffic to a specific VPC resource only Using VPC connector in Cloud Run GCP Cloud Run Limits Google Cloud Database Migration Service - Has anyone used DMS to migrate GCP postgres instance from one service project to another using VPC Peering? GCP - No Cloud NAT but given public IP leaves VPC Creating GCP cloud function with ingress-settings internal-only doesn't work Cannot Connect to Cloud SQL from App Engine Standard using a VPC Static Ip Address with Egress Setting: all-traffic
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM