GCP Https Function - Ingress settings

Question

I have one GCP Https function. This function will be invoked either by other GCP function(Pub/Sub) or from the external application.

I want my function should be accessible from these 2 sources only. By default, my function ingress setting is "Allow All Traffic".

How can I achieve this so that my function should be accessible only from one specific external IP. I am beginner in cloud technology so I may have missed something.

Answer 1

Filtering by the IP address is not the recommend way. Using authentication (with IAM service that check the authorization) is a much better solution. Your IPs can change, you can use a VPN, or whatever. Network can change not your identity

When you use Cloud Functions native authentication filtering (with IAM service) and makes your cloud function private, anyone can access it from the internet. BUT, before reaching your Cloud Functions, the traffic is checked by GFE (Google Front End) that control the authentication token presence, validity and IAM permission.

ONLY is all the condition are met, your Cloud Functions is invoked. I feel the fear in your comment that anyone can invoke your functions and it will cost a lot. With private functions, only authorized traffic is routed to your functions (and therefore paid). All the bad traffic is discarded by Google for you.

---

If you really want to enforce your pattern, you can do the following:

• set the ingress to "internal and cloud load balancing"
• Add a VPC connector to your other GCP function with the egress set to ALL (to route all the traffic through your VPC)
• Create a HTTPS load balancer with a serverless NEG that reference your Cloud Functions
• Activate Cloud Armor on your load balancer with a rule that filter only the IP that you want.

Heavy, boring and expensive (you have to pay the load balancer, $14 per month) for nothing more than identity check. Prefer the first solution;)