
Trying to wrap my head around the best practices when it comes to having multiple Cloud Run services talking to each other.

Say that I have public-service, which is an HTTP API that is unauthenticated and fully available to the internet. There's also a service called private-service that is running in the same region/project.

public-service has an endpoint GET /hello that does a request to private-service when triggered. This request will be done using a regular HTTP client, server to server.

If I configure private-service to be publicly accessible, the above communication works fine. But I'm wondering if the request would be done inside the same network, or will it be counted as egress/ingress?

Would it be better to set up a VPC and configure private-service to only accept internal connections? I currently have no need to talk with other services apart from other Cloud Run services.

nbon

1 Answer


For your first question: if you are in the same region, you have no egress. Egress counts when you go outside of the Google datacenter.

For the private service, because it is private, it's better to keep it private. You have 2 options:

  • Use identity
  • Use network

If you use network, you can set the ingress of your private service to internal to accept only traffic from your VPC.

To allow the public service to send traffic to the VPC (and reach the private service) you have to plug a serverless VPC connector with egress set to all.

In that case, if you trust the resource in your VPC (and it's not a good idea!) you can leave the private service "publicly accessible" (here public means open to the VPC only).

If you prefer using identity (and it's a better idea!), you can set your private service as private (requires authentication) and grant only the public service's service account the permission to invoke your private service.

The trick here is that you have to add, in the headers of your request sent to the private service, an Authorization header with the identity token of the service account as bearer, as explained here.

guillaume blaquiere
  • Thx @guillaume-blaquiere! Some follow-up questions: For "Use network", can I use the default VPC or should a new one be created? And will "egress set to all" mean that all outbound traffic goes to the VPC, even calls to things outside of GCP? For "Use identity", I guess there's no need to set up a VPC for this use case? I definitely prefer not to have to set up a VPC for this – nbon Apr 25 '23 at 09:57
  • No VPC for the identity. You don't trust the network in that case, but the identity (the recommended way according to Google). You can use any VPC in your project, not only the "default". And yes, you have to set egress to all, because your private service is exposed publicly, with a public IP/DNS to access it. Because of that, your VPC connector must catch the private AND the public IPs, to route it through the VPC and be authorized by your private service. – guillaume blaquiere Apr 25 '23 at 12:12
  • To sum up, you need a serverless VPC connector to access a private service from another service? Without it you cannot access a private service? – Ayhan APAYDIN Aug 04 '23 at 01:30
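The identity option from the answer above, as an added example that is not code from the answer or from Google: the caller asks the metadata server for an identity token whose audience is the private service's URL, then sends it as a Bearer credential. The private-service URL is a placeholder, and the stub opener is a constructed stand-in for the metadata server and for Cloud Run's invoker check so the flow runs offline.

```python
import urllib.request
from urllib.parse import urlencode

# Metadata server reachable from inside a Cloud Run container; it mints an OIDC
# identity token for the runtime service account (assumption: default account).
METADATA_IDENTITY_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")

def fetch_identity_token(audience, opener=urllib.request.urlopen):
    """Token whose audience is the private service's base URL (no path)."""
    url = f"{METADATA_IDENTITY_URL}?{urlencode({'audience': audience})}"
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with opener(req) as resp:
        return resp.read().decode("utf-8")

def call_private_service(private_url, path="/", opener=urllib.request.urlopen):
    """Call private-service with the token as a Bearer credential; Cloud Run
    checks signature, expiry, audience and roles/run.invoker on the caller."""
    token = fetch_identity_token(private_url, opener)
    req = urllib.request.Request(private_url + path,
                                 headers={"Authorization": f"Bearer {token}"})
    with opener(req) as resp:
        return resp.status, resp.read().decode("utf-8")

class StubResponse:
    """Constructed stand-in for what urlopen returns, so this runs offline."""
    def __init__(self, body, status=200):
        self.body, self.status = body.encode("utf-8"), status
    def read(self):
        return self.body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False

def stub_opener(seen):
    """Constructed urlopen replacement: records requests, answers the metadata
    server with a fake token, and behaves like Cloud Run's invoker check."""
    def _open(req):
        seen.append(req)
        headers = {k.lower(): v for k, v in req.header_items()}
        if req.full_url.startswith(METADATA_IDENTITY_URL):
            if headers.get("metadata-flavor") != "Google":
                return StubResponse("missing Metadata-Flavor", status=403)
            return StubResponse("fake.id.token")
        if headers.get("authorization") != "Bearer fake.id.token":
            return StubResponse("Unauthorized", status=401)
        return StubResponse("hello from private-service")
    return _open
```

Inside a real container, drop the `opener` argument and the default `urlopen` talks to the metadata server and the private service directly.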