ADVERTISEMENT

Only allow connection to GCP Compute Engine VM originating from Cloud Run service

Solution 1:

Cloud Run (fully managed) services do no get static IPs that could be whitelisted. In addition, have a look at the documentation Services not yet supported:

The following table lists services that are not yet supported by Cloud Run (fully managed). Note that Cloud Run for Anthos on Google Cloud can use any service that Google Kubernetes Engine can use.

cloud_run_managed

So, as you can see there's no easy way to connect service running on Cloud Run (fully managed) and your VPC network.

Some workarounds to get external IP for your service in Cloud Run (fully managed):

  1. create a SOCKS proxy by running a ssh client that routes the traffic through a GCE VM instance that has a static external IP address like in this example

  2. send outbound requests from Cloud Run (fully managed) through a proxy that has a static IP, example in Python below:

import requests
import sys
from flask import Flask
import os

app = Flask(__name__)

@app.route("/")
def hello():

    proxy = os.environ.get('PROXY')
    proxyDict = { 
                "http": proxy,
                "https": proxy
                }
    r = requests.get('http://ifconfig.me/ip', proxies=proxyDict)
    return 'You connected from IP address: ' + r.text

With the PROXY environemnt variable containing the IP or URL of your proxy (see here to set an environment variable )

For this proxy, you can either:

  • create Compute Engine VM with a static public IP address running Squid, this likely fits in the Compute Engine free tier.
  • use a 3rd party service that offers a proxy with static IP

EDIT Have a look at the Google Public Issue Tracker Feature Request and feel free to join, comment and track progress.

Solution 2:

You can configure Serverless VPC Acces to connect Cloud Run with Compute Engine VM, updated Sep 2020. https://cloud.google.com/vpc/docs/configure-serverless-vpc-access