
I have a DB server running as a Compute Engine VM, and an API running on Cloud Run. Both are part of the same project. I want the DB VM to only be accessible from the Cloud Run code.

At first I thought this should just work because the firewall has a "default-allow-internal" rule that should apply to every machine in the project. However I was still getting connection failures.

Then I tried adding a new ingress rule that targeted the service account and allowed connections from the service account. This also didn't work.

I modified the rule to allow connections from my personal IP just to confirm the DB VM was working and my firewall rules worked, and everything worked as expected.

Finally I looked into filtering by "source tag" but the option was not selectable and I couldn't seem to be able to add source tags to the Cloud Run instance.

Is it possible for me to achieve my goal of restricting access to the DB VM to only allow incoming connections from the Cloud Run machine?

jminardi
  1. Add an HTTP load balancer in front of your instance and turn on IAP to verify the Identity Token generated by Cloud Run.
  2. Check if your database supports requiring client SSL certificates and only allow connections that present that certificate.
  3. Tunnel your Cloud Run traffic through an SSH tunnel to Compute Engine. https://ahmet.im/blog/cloud-run-static-ip/
  4. You do not mention the client software, database or protocols used, but you might be able to add/create a proxy to verify the Authorization header generated by Cloud Run.
  5. Wait for the Cloud Run VPC Connector to be available.

  – John Hanley Mar 04 '20 at 20:57

2 Answers


You can configure Serverless VPC Access to connect Cloud Run with a Compute Engine VM, updated Sep 2020. https://cloud.google.com/vpc/docs/configure-serverless-vpc-access

tsplus
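The Serverless VPC Access route from this answer, carried through to the firewall side of the question, as an added example (not code from either answer, the question, or Google's documentation). The reason the earlier attempts failed is that a fully managed Cloud Run service is not a VM in the VPC, so "default-allow-internal", source service accounts and source tags never match it; once a connector is attached, the service's requests enter the VPC from the connector's /28 subnet, and that range is what a firewall rule can pin the DB port to. The project id, region, network, connector name and range, VM name and zone, network tag, image and the PostgreSQL port 5432 are all placeholder assumptions; the script prints the gcloud commands by default and only executes them when `DRY_RUN=0` is set.

```shell
#!/usr/bin/env sh
# Added example: restrict a Compute Engine DB VM to connections that arrive
# through a Serverless VPC Access connector used by a Cloud Run service.
# Every value below is an assumed placeholder; adjust it to your project.
PROJECT="${PROJECT:-my-project}"                   # assumed project id
REGION="${REGION:-us-central1}"                    # assumed region for Cloud Run and the connector
NETWORK="${NETWORK:-default}"                      # assumed VPC network
CONNECTOR="${CONNECTOR:-run-to-db}"                # assumed connector name
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"  # unused /28 inside the VPC; the connector requires a /28
DB_VM="${DB_VM:-db-vm}"                            # assumed name of the DB VM
DB_ZONE="${DB_ZONE:-us-central1-a}"                # assumed zone of the DB VM
DB_TAG="${DB_TAG:-db-server}"                      # network tag that selects the DB VM
DB_PORT="${DB_PORT:-5432}"                         # assumed DB port (PostgreSQL)
SERVICE="${SERVICE:-api}"                          # assumed Cloud Run service name
IMAGE="${IMAGE:-gcr.io/my-project/api}"            # assumed container image

# Print each command instead of running it unless DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. The connector gives the Cloud Run service an internal source address in CONNECTOR_RANGE.
create_connector() {
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK" --range="$CONNECTOR_RANGE"
}

# 2. Allow the DB port only from the connector's range. Priority 1000 is evaluated
#    before the default rules, which sit at 65534.
allow_from_connector() {
  run gcloud compute firewall-rules create "allow-${DB_TAG}-from-${CONNECTOR}" \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules="tcp:${DB_PORT}" --source-ranges="$CONNECTOR_RANGE" \
    --target-tags="$DB_TAG" --priority=1000
}

# 3. Deny the DB port from every other source. Priority 1100 still outranks
#    default-allow-internal (65534), which is why that rule alone restricted nothing.
deny_from_everyone_else() {
  run gcloud compute firewall-rules create "deny-${DB_TAG}-from-others" \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS --action=DENY \
    --rules="tcp:${DB_PORT}" --source-ranges=0.0.0.0/0 \
    --target-tags="$DB_TAG" --priority=1100
}

# 4. Attach the tag to the DB VM so both rules apply to it.
tag_db_vm() {
  run gcloud compute instances add-tags "$DB_VM" \
    --project="$PROJECT" --zone="$DB_ZONE" --tags="$DB_TAG"
}

# 5. Deploy the service with the connector. private-ranges-only is enough when the
#    application connects to the VM's internal IP, so nothing else leaves via the connector.
deploy_service() {
  run gcloud run deploy "$SERVICE" --project="$PROJECT" --region="$REGION" --image="$IMAGE" \
    --vpc-connector="$CONNECTOR" --vpc-egress=private-ranges-only
}

main() {
  create_connector
  allow_from_connector
  deny_from_everyone_else
  tag_db_vm
  deploy_service
}
main
```

The allow/deny pair is what actually enforces "only from Cloud Run": without the explicit deny, every other VM in the network keeps reaching the DB port through "default-allow-internal". Review the printed commands, then rerun with `DRY_RUN=0` to apply them.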

Cloud Run (fully managed) services do not get static IPs that could be whitelisted. In addition, have a look at the documentation Services not yet supported:

The following table lists services that are not yet supported by Cloud Run (fully managed). Note that Cloud Run for Anthos on Google Cloud can use any service that Google Kubernetes Engine can use.

[Table: services not yet supported by Cloud Run (fully managed)]

So, as you can see, there's no easy way to connect a service running on Cloud Run (fully managed) and your VPC network.

Some workarounds to get external IP for your service in Cloud Run (fully managed):

  1. create a SOCKS proxy by running an ssh client that routes the traffic through a GCE VM instance that has a static external IP address like in this example

  2. send outbound requests from Cloud Run (fully managed) through a proxy that has a static IP, example in Python below:

import os

import requests
from flask import Flask

app = Flask(__name__)


@app.route("/")
def hello():
    # PROXY holds the URL of a forward proxy that owns a static IP, e.g. http://10.0.0.5:3128
    proxy = os.environ.get("PROXY")
    proxyDict = {
        "http": proxy,
        "https": proxy,
    }
    # The request leaves through the proxy, so the echoed address is the proxy's static IP.
    r = requests.get("http://ifconfig.me/ip", proxies=proxyDict)
    return "You connected from IP address: " + r.text


if __name__ == "__main__":
    # Cloud Run passes the port to listen on in the PORT environment variable.
    app.run(host="0.0.0.0", port=int(os.environ.get("PORT", "8080")))

With the PROXY environment variable containing the IP or URL of your proxy (see here to set an environment variable).

For this proxy, you can either:

  • create Compute Engine VM with a static public IP address running Squid, this likely fits in the Compute Engine free tier.
  • use a 3rd party service that offers a proxy with static IP

EDIT Have a look at the Google Public Issue Tracker Feature Request and feel free to join, comment and track progress.

Serhii Rohoza