
I have the following setup:

GLB -> Serverless NEG -> API GW -> Cloud Run

Is it possible to limit the ingress with the configuration option `internal-and-cloud-load-balancing`?

I am getting 403. Is there some additional setup necessary?

Documentation claims:

Only supported for Cloud Run (fully managed). Only inbound requests from Google Cloud Load Balancing or a traffic source allowed by the internal option are allowed.

Goal: I want Cloud Run to be accessible only through the GLB -> API GW path.

Any help is appreciated.

jaksky
  • Can you tell us more about what you're trying to limit through ingress? Kindly update the case with the appropriate details. Thanks! – James S Jan 31 '23 at 17:20
  • @JamesS Added goal. I would like to restrict the ingress setting from all and be reachable publicly. – jaksky Jan 31 '23 at 17:55
  • Are you just trying to have your Cloud Run project accessible through the front end IP address of the Load Balancer? – James S Jan 31 '23 at 19:39
  • For now, API Gateway can't reach ingress=internal services (Cloud Run, Cloud Functions). – guillaume blaquiere Jan 31 '23 at 20:13
  • @guillaumeblaquiere So `internal-and-cloud-load-balancing` doesn't work when GLB - API GW - Cloud Run are chained? Only when GLB -> Cloud Run directly? – jaksky Feb 01 '23 at 08:21
  • @guillaumeblaquiere That is so sad – jaksky Feb 01 '23 at 09:45
  • I will be honest. I had a lot of discussion with the API Gateway team a while ago. For 12 or 18 months, no news, no updates, no new features... It looks as if the project has been put on hold, or abandoned. My immediate feeling is not to bet too much on API Gateway for now. – guillaume blaquiere Feb 01 '23 at 10:18

1 Answer


API Gateway does not support the Internal or Internal and Cloud Load Balancing ingress restriction settings. This is API Gateway's behavior, as it is not part of the VPC network in which the Cloud Run service is located. Requests to a service with the ingress configuration set to Internal or Internal and Cloud Load Balancing are accepted only from the sources described in the documentation, which is why the setup GLB > API GW > Cloud Run does not work.

A feature request has been raised for this functionality. To keep track of the status/progress of this feature request, kindly refer to this link and click the +1 button to get notified of further updates.

James S
  • Well, not exactly. API GW access is a separate issue. It seems that when `internal-and-cloud-load-balancing` is set on a Cloud Run service, the path from GLB -> API GW -> Cloud Run doesn't work and returns 403. – jaksky Feb 01 '23 at 08:19
  • Hello @jaksky I updated the answer and the link to the appropriate feature request. Kindly check. – James S Feb 01 '23 at 18:35