
I am using Google Cloud Functions and have multiple projects with Cloud Functions that need to communicate with each other. My problem is that functions can only communicate with each other if they have Ingress settings set to "allow all traffic." As soon as I change it to the desired setting, which is "Allow internal traffic only", projectB can't talk to projectA. The two projects are Firebase projects which have a VPC network configured as well as Serverless VPC in order to communicate with a back end database.

From what I can tell, Google is saying that I should create a VPC SC Perimeter which includes all the projects that need to talk to each other; this is meant to solve the problem. I have done that but I still have access issues if set to "allow internal traffic only".

I also tried setting up a VPC network with a static private IP address. From projectB I then tried to communicate with ProjectA on the private IP, but I am getting timeout errors.

Both projectA and projectB have a VPC set up with internal private IPs.

I also tried using VPC peering between the projects, but still get the timeout issue.

Could anyone offer any advice?

WallyKaye
  • To connect Cloud Functions across projects, we need to set up a Shared VPC in a project, then connect all other projects to that Shared VPC, and then we can use a VPC connector in every project. You can follow the following [Official Documentation](https://cloud.google.com/functions/docs/networking/connecting-vpc), but remember that both of them apply only at the organization level. Do you have an organization? – Nibrass H Jul 27 '20 at 11:36
  • Thanks. I tried using a shared VPC but according to the official documentation "Serverless VPC Access does not support legacy networks or Shared VPC." Yes the projects are all in the same organization. https://cloud.google.com/vpc/docs/configure-serverless-vpc-access – WallyKaye Jul 28 '20 at 04:35
  • When you set Allow internal Traffic Only, any error message is appearing? Can you see any errors in Stackdriver Logging? Could you please share those with me? – Nibrass H Jul 28 '20 at 15:47
  • Ok so when I allow internal traffic only, I don't see any errors on the function that is trying to receive the connection. On the function that is sending the connection, I get a timeout error. Would the Stack Driver logging giving me additional logs compared to the standard logs? Let me check that out and feedback – WallyKaye Jul 28 '20 at 18:54
  • Ok sorry I misunderstood. The stackdriver logging seems to be the general logging that I have been using, so above are the details I am getting from the logging section – WallyKaye Jul 29 '20 at 04:49
  • Thanks for clarifying the previous. I was able to set the "allow internal traffic only" successfully. Could you please confirm you are doing it in the following way: 1) Create a Cloud Function with the allow internal traffic only option and select the VPC connector created in the Cloud Function in project A. 2) Create another Cloud Function in project B with the same settings. 3) And both Cloud Functions are in the same Shared VPC? Have you tried to create the Cloud Functions from Google Cloud Platform? Is it still giving the same timeout error? – Nibrass H Jul 29 '20 at 15:23
  • Thanks, I will try that. The question would be when I configure ProjectB to talk to ProjectA, do I configure ProjectB to use the standard hostname that Google provides i.e. https://europe-west1-projecta.cloudfunctions.com/api or should I use the private IP i.e. https://10.192.0.2/api. I tried both and they both gave timeout issues. Let me try again, I will set up the Shared VPC from scratch – WallyKaye Jul 30 '20 at 07:54
  • The URL does not matter. Once you connect the 2 Cloud Functions and deploy everything on the shared network, it is just as if you have everything in 1 project. Just make sure that you are deploying both on the shared network. – Nibrass H Jul 30 '20 at 10:29
  • Ok, so I created the Shared VPC and set the Cloud Functions to use the VPC connector, with "allow internal traffic only" and "route only private IPs through the VPC connector." The result is that I can see ProjectB doing a POST to the Cloud Function of ProjectA; there is no error in ProjectB's logs, and on ProjectA I don't see the incoming connection, so there is nothing in the Cloud Functions log at all on ProjectA. Any ideas? – WallyKaye Aug 03 '20 at 11:44
  • Update: So as soon as I set ProjectA (receiving side, ingress) to allow all traffic, the connections flow through again. This is with Shared VPC enabled. – WallyKaye Aug 03 '20 at 12:34
  • It should work as you are setting the Shared VPC, but it's weird that you are not able to. Probably you are missing something. I will do some more testing and will come back with the steps I follow to connect 2 functions across projects. – Nibrass H Aug 04 '20 at 20:19
  • Thanks, does this situation now apply in my case? Since I have to use Serverless VPC in order to use Firebase Cloud Functions? "Serverless VPC Access does not support legacy networks or Shared VPC." https://cloud.google.com/vpc/docs/configure-serverless-vpc-access – WallyKaye Aug 05 '20 at 05:14
  • No, the previous doesn't apply in your situation, as you are calling another Cloud Function which is in a VPC Network and is not a Legacy Network. I have been testing and want to mention that, as you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC. Have you done that? – Nibrass H Aug 05 '20 at 11:29
  • Yes definitely, the host project is ProjectA and one of the attached projects is ProjectB. The VPC Service Perimeter is set to enforced. I also played around with the VPC Accessible Services options, changing it to restricted services. I still get timeout errors when ProjectB tries to connect to ProjectA. The strange thing is when VPC Accessible Services options are set to "all services" and I click on edit on the perimeter, it doesn't show "all services"; it still shows "no services." So it looks like my "all services" setting doesn't save. Not sure if this is needed. Does yours save properly? – WallyKaye Aug 06 '20 at 05:18
  • It's really weird because in VPC Accessible Services, there should be the services to connect properly. Could you please try to add it again? And could you please try to explain a little bit more what you mean by connecting 2 Cloud Functions? Do you mean to ping one from the other one? – Nibrass H Aug 07 '20 at 14:12
  • Ok so when I say Cloud Functions, on ProjectB for example, I have an API and an ApiPubsub Cloud Function. The ApiPubsub Cloud Function makes an HTTPS call to the API Cloud Function on ProjectA. You can access the Cloud Function on the search bar. So with "Allow internal traffic only" on the Cloud Function the HTTPS call fails, but with "allow all traffic" the connection works. I need to be able to limit external access by getting it to work with "allow internal traffic only" set. I hope this makes sense – WallyKaye Aug 09 '20 at 05:43
  • What is really strange is when I look at the VPC Service Controls, it shows VPC Accessible Services: No services - but when I actually edit the VPC Service Perimeter and look under VPC Accessible Services under restricted services, the "all services" radio button is selected. All services says - "by default all services are accessible; if you want only specific services, click on the add services button below" – WallyKaye Aug 09 '20 at 05:48
  • Hi @NibrassH , I just wanted to check if you have any further comments? Tx – WallyKaye Aug 14 '20 at 04:35
  • Hi @WallyKaye, can you confirm if the issue has been resolved? – Catherine O May 05 '22 at 08:26

2 Answers

Indeed, according to this documentation,

Allow internal traffic only: Only requests from VPC networks in the same project or VPC Service Controls perimeter are allowed. All other requests are denied with a 403 error.

To be able to communicate with a Cloud Function set to "Allow internal traffic only", you need to:

1- Include all the projects in a VPC Service Controls perimeter.

2- Route the calling function's egress through your VPC network.

You can refer to this example use case for more details.

Khalid K
  • Thanks @Khalid. Yes I have gone through this example and configured it accordingly but I get the same issue where it does not connect without "allow all traffic" set. – WallyKaye Jan 25 '21 at 02:27
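The two steps in the answer above, written out as gcloud commands. This is an added example, not from the question or any answer: project IDs and numbers, the Access Context Manager policy ID, region, runtime, function names and connector name are placeholders to replace. With no gcloud installed it only prints the commands.

```shell
#!/bin/sh
# Added example; all identifiers below are placeholders, not values from the thread.
set -eu

REGION="europe-west1"
PROJECT_A="projecta"            # hosts the receiving "api" function
PROJECT_B="projectb"            # hosts the calling "apipubsub" function
PROJECT_A_NUM="111111111111"    # perimeters list project NUMBERS, not IDs
PROJECT_B_NUM="222222222222"
POLICY_ID="000000000000"        # Access Context Manager policy of the organization
CONNECTOR="fn-connector"        # Serverless VPC Access connector in project B
RUNTIME="nodejs12"              # assumed runtime; Firebase functions are Node.js

# DRY_RUN=1 prints each command instead of running it (default when gcloud is absent).
DRY_RUN="${DRY_RUN:-$(command -v gcloud >/dev/null 2>&1 && echo 0 || echo 1)}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: one VPC Service Controls perimeter that contains BOTH projects.
create_perimeter() {
  run gcloud access-context-manager perimeters create fn-perimeter \
    --policy="$POLICY_ID" --title="fn-perimeter" \
    --resources="projects/$PROJECT_A_NUM,projects/$PROJECT_B_NUM" \
    --restricted-services="cloudfunctions.googleapis.com"
}

# Receiving side (project A): ingress limited to internal traffic.
deploy_receiver() {
  run gcloud functions deploy api --project="$PROJECT_A" --region="$REGION" \
    --runtime="$RUNTIME" --trigger-http --entry-point=api \
    --ingress-settings=internal-only
}

# Step 2: calling side (project B) routes ALL egress through its connector,
# so a request to the public *.cloudfunctions.net URL still arrives as internal.
# "private-ranges-only" would send that request over the public path instead.
deploy_caller() {
  run gcloud functions deploy apipubsub --project="$PROJECT_B" --region="$REGION" \
    --runtime="$RUNTIME" --trigger-http --entry-point=apipubsub \
    --vpc-connector="projects/$PROJECT_B/locations/$REGION/connectors/$CONNECTOR" \
    --egress-settings=all
}

if [ "${1:-}" = "apply" ]; then
  create_perimeter && deploy_receiver && deploy_caller
fi
```

Run with `./setup.sh apply` once the placeholders are filled in; without an argument it only defines the functions.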

I never resolved this issue, unfortunately, and I had to leave it open for the connection to work. I have since started working on AWS, so I didn't get back to this.

WallyKaye