
I am developing a solution where a Java application hosted on GKE wants to make an outbound HTTP call to a cloud function which is deployed under a different GCP project, where the GKE cluster operates on a shared network which possesses firewall rules for the CIDR ranges in that shared network.

For example - GKE cluster & Application deployed under GCP Project A, wishes to invoke a Serverless GCP Function deployed to project B.

There are a number of firewall rules configured on the shared network on which the GKE cluster is operating, causing my HTTP call to time out, as the HTTP trigger URL is not mapped to an allowed CIDR range (in that shared network).

What have I tried?

I have lightly investigated one or two solutions which make use of Cloud NAT & Router to proxy the HTTP call to the Cloud Function trigger endpoint, but I am wondering if there are any other, simpler suggestions? The address range for cloud functions is massive so allowing that range is out of the question.

I was thinking about maybe deploying the cloud function into the same VPC & applying ingress restrictions to it, would that allow the HTTP trigger to exist in the allowed IP range?

Thanks in advance

JordC1995

1 Answer


Serverless VPC Access is a GCP solution specially designed to achieve what you want. The communication between the serverless environment and the VPC is done through an internal IP address, and therefore never exposed to the Internet.

For your specific infrastructure, you would need to follow the guide Connecting to a Shared VPC network.

  • Interesting, thanks for the answer. I initially associated serverless VPC connectors with egress behaviour, not ingress. Although this documentation seems to suggest otherwise. The solution I ultimately adopted was a load balancer mapping to a network endpoint group with a static IP. I then added that static IP & port 80 to the allow list of the firewall rules. This solved my issue. – JordC1995 Oct 05 '22 at 08:51
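The time-out in the question and the fix in the comment are both consequences of how VPC egress firewall rules are evaluated: rules are applied in ascending priority order, the first matching rule wins, and traffic to the function's public trigger address falls through to a catch-all deny. The script below is an added example, not code from the question, the answer or Google's documentation: it evaluates a constructed rule set (shaped like the Compute Engine firewall resource, with target tags and service-account filters omitted so every rule applies to the GKE nodes) against a placeholder trigger address, then adds the narrow "static IP + port 80" allow rule the comment describes and shows that only that destination and port opens up. The rule names, priorities and addresses are all constructed placeholders.

```python
import ipaddress

# Constructed sample rule set in the shape of the Compute Engine firewall
# resource (direction, priority, destinationRanges, allowed/denied).  These
# are placeholders, not the poster's real shared-VPC configuration.
SHARED_VPC_RULES = [
    {"name": "allow-rfc1918-egress", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-all-egress", "direction": "EGRESS", "priority": 65000,
     "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
]

# Placeholders (RFC 5737 documentation ranges): what the function's trigger
# URL resolves to, and the static IP fronting the load balancer + NEG.
FUNCTION_TRIGGER_IP = "203.0.113.10"
LB_STATIC_IP = "198.51.100.20"


def _port_matches(spec, port):
    """spec is a firewall 'ports' entry: a single port '80' or a range '1000-2000'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _entry_matches(entries, proto, port):
    """True if any allowed/denied entry covers this protocol and port."""
    for entry in entries:
        if entry["IPProtocol"].lower() not in ("all", proto):
            continue
        ports = entry.get("ports")
        if not ports or any(_port_matches(p, port) for p in ports):
            return True
    return False


def _rule_matches(rule, dst_ip, proto, port):
    """Does this egress rule apply to a packet to dst_ip on proto/port?"""
    if rule.get("disabled") or rule.get("direction") != "EGRESS":
        return False
    ranges = rule.get("destinationRanges", ["0.0.0.0/0"])
    if not any(dst_ip in ipaddress.ip_network(r) for r in ranges):
        return False
    entries = rule.get("allowed") or rule.get("denied") or []
    return _entry_matches(entries, proto, port)


def evaluate_egress(rules, dst, proto="tcp", port=443):
    """Return (verdict, rule_name) for one outbound connection.

    Rules are evaluated from the lowest priority number upward and the first
    match wins; at equal priority a deny rule beats an allow rule.  If nothing
    matches, the implied egress rule allows the traffic.
    """
    dst_ip = ipaddress.ip_address(dst)
    ordered = sorted(rules, key=lambda r: (r.get("priority", 1000),
                                           0 if "denied" in r else 1))
    for rule in ordered:
        if _rule_matches(rule, dst_ip, proto.lower(), port):
            return ("DENY" if "denied" in rule else "ALLOW", rule["name"])
    return ("ALLOW", "implied-allow-egress")


def with_lb_allow_rule(rules):
    """The comment's fix: allow tcp:80 to the load balancer's static IP only."""
    return rules + [{
        "name": "allow-egress-to-function-lb", "direction": "EGRESS",
        "priority": 900,
        "destinationRanges": [f"{LB_STATIC_IP}/32"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
    }]


if __name__ == "__main__":
    print("trigger URL, before:", evaluate_egress(SHARED_VPC_RULES, FUNCTION_TRIGGER_IP))
    fixed = with_lb_allow_rule(SHARED_VPC_RULES)
    print("LB :80, after:", evaluate_egress(fixed, LB_STATIC_IP, port=80))
    print("LB :443, after:", evaluate_egress(fixed, LB_STATIC_IP, port=443))
```

Running it shows the call to the trigger address denied by the catch-all rule, while after the fix only TCP port 80 to the single static IP is allowed and every other destination and port still hits the deny. Keeping the new rule at a /32 with one port, rather than allowing the whole Cloud Functions address range the question rules out, is what keeps the egress policy tight.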