7

Problem. I'm looking for an agile way to shoot a docker container (stored on GCR.IO) to a managed service on GCP:

  • one docker container gcr.io/project/helloworld with private data (say, Cloud SQL backend) - can't face the real world.
  • a bunch of IPs I want to expose it to: say [ "1.2.3.4" , "2.3.4.0/24" ].

My ideal platform would be Cloud Run, but also GAE works.

I want to develop in agile way (say deploy with 2-3 lines of code), is it possible run my service secretly and yet super easily? We're not talking about a huge production project, we're talking about playing around and writing a POC you want to share securely over the internet to a few friends making sure the rest of the world gets a 403.

What I've tried so far.

The only think that works easily is a GCE vm with docker-friendly OS (like cos) where I can set up firewall rules. This works, but it's a lame docker app on a disposable VM. Machine runs forever and dies at reboot unless I stabilize it on cron/startup. Looks like I'm doing somebody else's job.

Everything else I've tried so far failed:

  • Cloud Run. Amazing but can't set up firewall rules on it, or Cloud Director, .. seems to work only with IAP which is painful to set up.
  • GAE. Works with multiple IPs and can't detach public IPs or firewall it. I managed to get the IP filtering within the app but seems a bit risky. I don't [want to] trust my coding skills :)
  • Cloud Armor. Only supports a HTTPS Load Balancer which I don't have. Nor I have MIGs to point to. I want simplicity.
  • Traffic Director and need a HTTP L7 balancer. But I have a docker container, on a single pod. Why do I need a LB?
  • GKE. Actually this seems to work: [1] but it's not fully managed (I need to create cluster, pods, ..)

Is this a product deficiency or am I looking at the wrong products? What's the simplest way to achieve what I want?

[1] how do I add a firewall rule to a gke service?

Riccardo
  • 1,104
  • 13
  • 22
  • Maybe NEG is the answer? https://cloud.google.com/load-balancing/docs/negs/ – Riccardo Nov 09 '19 at 20:35
  • I agree with john hanley's answer, Cloud Run is your best bet given your requirements. If you're having issues with IAP, please ask in a separate question with details. – Travis Webb Nov 10 '19 at 06:37

3 Answers3

5

Please limit your question to one service. Not everyone is an expert on all Google Cloud services. You will have a better chance of a good answer for each service if they are separate questions.

In summary, if you want to use Google Cloud Security Groups to control IP based access you need to use a service that runs on Compute Engine as security groups are part of the VPC feature set. App Engine Standard and Cloud Run do not run within your project's VPC. This leaves you with App Engine Flex, Compute Engine, and Kubernetes.

I would change strategies and use Google Cloud Run managed by authentication. Access is controlled by Google Cloud IAM via OAuth tokens.

Cloud Run Authentication Overview

John Hanley
  • 74,467
  • 6
  • 95
  • 159
0

I have agreed with the John Hanley’s reply and I have up-voted his answer.

Also, I’ve learned that you are looking how to restrict access to your service through GCP.

By setting a firewall rules, You can limit access to your service by limiting the Source IP range as Allowed source, so that only this address will be allowed as source IP.

Please review another thread in Server Fault [1], stating how to “Restrict access to single IP only”.

https://serverfault.com/questions/901364/restrict-access-to-single-ip-only

Pejvak
  • 150
  • 7
0

You can do quite easily with a Serverless NEG for Cloud Run or GAE

If you're doing this in Terraform you can follow this article

FearlessHyena
  • 3,527
  • 33
  • 39