
I have some services running on Google Cloud Functions which need to connect to an endpoint on AWS. Since there is no fixed set of IPs which I can whitelist, can you share your thoughts on how best this can be dealt with? I understand the IPs can be listed as explained here, but please share thoughts on dynamically dealing with this / monitoring the IP changes.

Amazon provides an SNS topic that can be subscribed to, which lists all AWS IPs, and we have use cases where we used a Lambda function subscribed to their SNS topic to keep our security group up to date. But I'm trying to figure out what's the best way to deal with Google for a similar need.

Anjca

1 Answer


There are three common methods to protect incoming traffic:

  • Where - The IP address of the traffic.
  • Who - The Identity of the traffic (OAuth Identity Token, etc.)
  • What - A secret (secret key, API key, etc.) that the traffic possesses.

For Google Cloud Functions, you cannot reliably use the first method. Google does not yet publish Cloud Function IP netblocks. It is fairly easy to figure out which netblocks Cloud Functions arrive from, but that includes a lot of other Google Cloud services.

Google Cloud Functions support the --service-account deployment option which uses a service account to provide an OAuth Identity Token in the HTTP "authorization: bearer" header. This is the normal method of verifying identity in the GCP world (OAuth).

The third method (secret key) is anything you want it to be. You could create a custom header, custom body payload, etc. and include your secret key.

The endpoint, or the gateway in front of the endpoint, that Google Cloud Functions calls will need to validate the method that you are using.

John Hanley
  • Thanks! That was helpful. I was trying to avoid having the app in AWS exposed to the internet to avoid the random DoS and bot sniffing that we get all the time, but as it's not an option, I'll try 2/3. I think it makes it easier to put a WAF on top and have it validate the token/secret key before passing to downstream. – Anjca Jul 22 '19 at 13:35
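As an added worked example (not part of the question, the answer or the comment above), here is what the validating side, the AWS endpoint or a gateway in front of it, does for the answer's second and third methods: the claim checks on the OAuth identity token that a function deployed with --service-account sends in the "Authorization: Bearer" header, and a shared-secret request signature with a replay window for the "what" method. The audience URL, service account e-mail, secret and demo signing key are all constructed assumptions. Google-minted identity tokens are RS256-signed and must be verified against the keys Google publishes at https://www.googleapis.com/oauth2/v3/certs; that step is the `verify_sig` callback, and this block's own stand-in verifier is a local HS256 check only so that it runs offline.

```python
"""Validating a Cloud Functions caller on the AWS side: the answer's "who" and
"what" methods. Every URL, e-mail, key and secret here is a constructed
assumption, not something taken from the post."""
import base64
import hashlib
import hmac
import json

EXPECTED_AUDIENCE = "https://api.example.com/ingest"  # URL the function calls (assumed)
ALLOWED_CALLER = "gcf-caller@my-project.iam.gserviceaccount.com"  # --service-account (assumed)
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
SHARED_SECRET = b"constructed-demo-secret-rotate-me"  # method 3 secret (assumed)
MAX_SKEW_SECONDS = 300  # replay window for signed requests


def _b64url_decode(data: str) -> bytes:
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_identity_token(token: str, now: int, verify_sig) -> dict:
    """Method 2 ("who"): return the claims of an acceptable identity token, else raise.
    verify_sig(header, signing_input, signature) -> bool checks the signature; for
    real Google tokens it must do RS256 against Google's published JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") in (None, "none"):  # never accept an unsigned token
        raise ValueError("unsigned token")
    if not verify_sig(header, f"{parts[0]}.{parts[1]}".encode(), _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:  # token minted for some other endpoint
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] < now:
        raise ValueError("token expired")
    if not claims.get("email_verified") or claims.get("email") != ALLOWED_CALLER:
        raise ValueError("caller is not the allowed service account")
    return claims


def hs256_verifier(key: bytes):
    """Offline stand-in for the signature check (HS256, local key). Demo only:
    swap in an RS256 check against Google's JWKS for real identity tokens."""
    def verify(header, signing_input, signature):
        if header.get("alg") != "HS256":
            return False
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def make_demo_token(key: bytes, claims: dict) -> str:
    """Mint an HS256 JWT carrying the given claims (demo only)."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def sign_request(secret: bytes, method: str, path: str, body: bytes, ts: int) -> dict:
    """Method 3 ("what"), caller side: MAC over timestamp, method, path and body hash,
    so the secret never travels and a captured request expires with its timestamp."""
    msg = f"{ts}\n{method}\n{path}\n{hashlib.sha256(body).hexdigest()}".encode()
    return {"X-Timestamp": str(ts),
            "X-Signature": hmac.new(secret, msg, hashlib.sha256).hexdigest()}


def verify_signed_request(headers: dict, method: str, path: str, body: bytes, now: int) -> bool:
    """Method 3, gateway side: recompute the MAC and compare in constant time."""
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:  # stale or replayed request
        return False
    expected = sign_request(SHARED_SECRET, method, path, body, ts)["X-Signature"]
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def authorize(headers: dict, method: str, path: str, body: bytes, now: int, verify_sig) -> str:
    """Gateway entry point: a bearer token, if present, decides the outcome (method 2);
    otherwise the request must carry a valid method-3 MAC. Returns the caller identity."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return verify_identity_token(auth[len("Bearer "):], now, verify_sig)["email"]
    if verify_signed_request(headers, method, path, body, now):
        return "shared-secret-caller"
    raise ValueError("unauthenticated")
```

On the caller side, a function deployed with --service-account obtains the token from the metadata server (`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=<EXPECTED_AUDIENCE>` with the `Metadata-Flavor: Google` header) and sends it as the bearer value; the audience must match exactly what the gateway checks. For the real signature check, the google-auth library's `google.oauth2.id_token.verify_oauth2_token` fetches and caches Google's keys for you. The exact-audience and allowed-caller checks are what keep any other Google-hosted workload, which shares the same IP ranges the answer mentions, from being accepted.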