
My app uses a Cloud Function (2nd gen), running multiple instances and triggered by PubSub, to make outbound requests to customers' sites (essentially for synthetic monitoring).

However, the platform several of those sites are hosted on has bot protection, and I've been told by the company they don't have a way of whitelisting IPs for it, so it would be best if I rotate through IPs (i.e. a Function selects or is assigned an IP when created).

Cloud NAT seems to be the recommendation for setting up static external IPs, but adding multiple IPs there doesn't cycle through them until they reach TCP connection limits.

Load balancers might have a way to do it, but from what I've found, egress is still routed through Cloud NAT, and uses the IP assigned there.

Is there another way to make requests from Cloud Functions from varying IPs?



Now that specific Cloud Function using that specific VPC Connector will route its outbound traffic through that specific Cloud NAT Gateway.

You can repeat this process as many times as necessary. To make this work with your Cloud Function you will have to deploy them as multiple Cloud Functions rather than a single Cloud Function. For example, if you presently have a function named myCloudFunction then you would need to deploy it as three separate and distinct Cloud Functions, each using a different configuration:

  • myCloudFunction1 - uses Serverless VPC Connector 1 and Cloud NAT Gateway 1
  • myCloudFunction2 - uses connector 2 and gateway 2
  • myCloudFunction3 - uses connector 3 and gateway 3

You would then need to find a way to load balance the requests across those three functions, for example with another Cloud Function whose job it is to send the request through those functions. My recommendation would be something like:

  • myCloudFunction - your original function but instead of connecting to your ultimate destination you round-robin connect to one of the three Cloud Functions as a proxy server
  • myProxyFunction1 - a simple HTTP proxy that just forwards the request along, same config as myCloudFunction1 above
  • myProxyFunction2 - same config as myCloudFunction2
  • myProxyFunction3 - same config as myCloudFunction3
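The dispatcher and proxy split described in the answer, as an added example that is not the answerer's code: myCloudFunction round-robins over the three proxy function URLs, and each myProxyFunctionN only relays to an allow-list of customer hosts so the extra egress paths cannot be used as open proxies. The URLs, the allowed hosts and the injected `send` callable are assumptions; in deployment `send` would call the proxy function with an identity token.

```python
import itertools
import threading
from urllib.parse import urlparse

# Constructed placeholders: one proxy function per VPC connector / Cloud NAT gateway.
PROXY_FUNCTION_URLS = [
    "https://myproxyfunction1-PLACEHOLDER.a.run.app",
    "https://myproxyfunction2-PLACEHOLDER.a.run.app",
    "https://myproxyfunction3-PLACEHOLDER.a.run.app",
]

# Constructed: the only customer hosts the proxy functions are allowed to reach.
ALLOWED_TARGET_HOSTS = {"customer-a.example", "customer-b.example"}


class RoundRobinDispatcher:
    """Logic of myCloudFunction: hand each monitoring request to the next proxy.

    Note the cycle is per function instance, so with several instances the
    rotation is only approximately even across the three egress IPs.
    """

    def __init__(self, proxy_urls, send):
        self._cycle = itertools.cycle(proxy_urls)
        self._lock = threading.Lock()  # one instance may handle concurrent requests
        self._send = send  # callable(proxy_url, target_url) -> result; injected for offline testing

    def next_proxy(self):
        with self._lock:
            return next(self._cycle)

    def check(self, target_url):
        """Return (proxy used, result) so the egress path of each probe is logged."""
        proxy = self.next_proxy()
        return proxy, self._send(proxy, target_url)


def forward_request(target_url):
    """Logic of myProxyFunctionN: relay only https requests to allow-listed hosts.

    Rejecting everything else keeps the proxy functions from becoming a relay
    to arbitrary or internal addresses if the dispatcher is ever misused.
    """
    parsed = urlparse(target_url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_TARGET_HOSTS:
        raise ValueError(f"refusing to proxy to {target_url!r}")
    return ("GET", target_url)  # a real function would issue the request and return the status
```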
  • Thanks anothermh, I was wondering about doing that but having to produce a Serverless VPC Connector, NAT Gateway, designate a subnet, manually manage load balancing etc. seems hugely inefficient and cumbersome (not to mention increasing costs through having multiple connectors in addition to the static IPs). I would have thought this was a common issue, even if for nefarious purposes (i.e. DDoS bots). – richgilbank Apr 13 '23 at 17:58
  • It's not really what Cloud Functions are intended for. It's much easier to create a Compute Engine VM as a proxy server and assign it multiple static IPs and have your single Cloud Function route its requests out through that single server. My answer assumed you needed to maintain a pure VPC/Serverless implementation. My advice would be to use a VM as a proxy instead. (one instance running vs one instance per NAT and one instance per connector and their accompanying complex configs) – anothermh Apr 13 '23 at 19:47
  • Well, after some back and forth with GCP team members, it seems the best options truly are to either a) deploy multiple instances of the same function, each networked to a different IP or b) to route all outbound requests through Compute Engine and have it route traffic through one of the several networks it's connected to. Was hoping there was another way, but looks like you're 100% right @anothermh. Thanks! – richgilbank Apr 25 '23 at 12:40
  • I'll warn you that using CE for the task is not easy. You cannot bind directly to an external IP; external IPs are assigned to a *NIC* and you're only permitted one NIC per VPC. The only workaround is to create a separate NIC for each external IP you want and a separate VPC for each NIC. They limit you to 1 NIC per vCPU so if you need 8 different external IPs then you need an 8 vCPU instance, 8 VPCs, 8 internal subnets, 8 internal IPs (one per subnet), and then you need to figure out how you want to handle that routing. More at https://cloud.google.com/vpc/docs/create-use-multiple-interfaces – anothermh Apr 25 '23 at 16:01