Rapid API and GCloud Run integration. Firewall setup

Question

I am trying to set up access for Rapid API to my API deployed using Google Cloud Run.

Found article on how to control access: https://rapidapi.com/blog/add-authentication-and-billing-for-your-api-on-google-cloud-platform-tutorial/ The idea is clear, but repeating the steps above does not solve the problem.

I made a firewall rule in the default vpc network and added all the ip addresses specified in this article, but when try to contact to my gcp endpoint, I still get an restricted access error with a status code of 403.

I also tried to invoke container run from my server with static ip after adding it too but got same error message forbidden 403, so the problem seem to be exactly with firewall setup for ingress traffic.

In google cloud, for my cloud run container i specified option Allow internal traffic and traffic from Cloud Load Balancing for Ingress traffic, and for Authentication - Allow unauthenticated invocations.

You can try creating [app engine specific firewall rules](https://cloud.google.com/appengine/docs/flexible/go/creating-firewalls) along with VPC firewall rules, if that doesn’t work out, share more details about the firewall rules you built up and which ports and protocols you allowed in them. — Anant Swaraj, Aug 31 '21 at 13:12
@AnantSwaraj App engine specific firewall rules does not help. — Grigory, Sep 03 '21 at 04:54
Rapid API’s official [sub-page](https://docs.rapidapi.com/docs/firewall-ip-security#section-list-of-ip-adresses-used-by-rapidapi) containing information on which firewall IP addresses to add is unavailable at the moment. Maybe some update from their end is due. You can put '0.0.0.0/0' in source IP of the firewall rules you created, this will cover all the IPs, or you can wait till their subpage comes back with updated information. — Anant Swaraj, Sep 06 '21 at 09:48
What exactly are you trying to control here? Access to the API entirely i.e. allow only whitelisted addresses? Or allow only authenticated invocations of the api? (while it remains public) — Jeremy Savage, Sep 09 '21 at 12:46
I don't want public access to cloud run invoke at all. Only allow requests from rapid api(so that is some kind of whitelist i guess). I tried achieve this using service account but don't found any settings for that on rapid api side. — Grigory, Sep 09 '21 at 12:53
Has anyone ever figured this out? I'm still struggling to get this set up. — Michael C., Sep 28 '22 at 10:13

KrustyHack · Answer 1 · 2022-11-21T09:01:08.350

Ay,

A little late but from what I understand we can :

use the Rapid API header (X-RapidAPI-Proxy-Secret) to validate that the call is from RapidAPI (https://docs.rapidapi.com/docs/firewall-ip-security#firewall-settings) from our Cloud Run instance
implement an IP restriction (https://docs.rapidapi.com/docs/firewall-ip-security#list-of-ip-addresses-used-by-rapidapi) at the Cloud Run level by setting our Cloud Run instance (https://cloud.google.com/run/docs/securing/ingress#settings) to accept only requests coming from a Google load balancer (c.f : "Internal and Cloud Load Balancing"). It will then be possible to attach IP restriction rules to the load balancer through Cloud Armor I think.

Rapid API and GCloud Run integration. Firewall setup

1 Answers1