Using GCP API Gateway to front a Cloud Run backend with private ingress

I'd like to front my Cloud Run hosted API with API gateway, and only allow access to the Cloud Run URL from API Gateway.

I currently have an API deployed to Cloud Run with "public" ingress and authorization enabled. This works, however I'm curious if I can change my ingress model on Cloud Run to "internal" in order to entirely avoid routing any internet traffic to my Cloud Run container.

I know API Gateway is in Beta, and it seems like some aspects of internal ingress are Beta as well -- however I'm curious if there is a way to make this work.

Per the ingress docs, it seems like if I can somehow make my API Gateway request come from a VPC network, this setup should work, however I am not able to find a way to make this happen on the API gateway side.

Rubiaceous answered 15/12, 2020 at 19:45 Comment(0)

When you deploy a Cloud Run service with internal only ingress, the requests need to come from the VPC SC or from your VPC.

With API Gateway, you can't plug your VPC or use the service in VPC SC (not a supported service), so you can't, yet.

The team is aware of this issue and should work on it. I don't know the priority and the ETA.

Audet answered 15/12, 2020 at 21:12 Comment(8)
Guillaume, thanks so much for your response on this, so glad to hear from a first-party source! Just to confirm my understanding -- while not available yet, you're somewhat confident that this will be a supported workflow in the future on API Gateway? It's not the case that it's intentionally not possible because I should not be pursuing this pattern to begin with? - Rubiaceous

For API Gateway, it's not suitable to not be connected to VPC. You are talking about Cloud Run private ingress, but the issue is the same with a VM without a public IP and with an internal load balancer. The update will come, I don't know when, but it's mandatory for this product! - Audet

That definitely makes sense. Would you suggest some kind of intermediate service (perhaps a Cloud Load Balancer) to get by in the interim, or sticking to publicly available resources? - Rubiaceous

I recommend that you use public resources with the correct authorization to protect your Cloud Run. If you add an additional layer like a Load Balancer, it will be more expensive, and it will take time to set up and to remove when the feature is released. - Audet

Two years later, is there any update on this feature? @guillaumeblaquiere - Clipper

PubSub, Eventarc (which is based on PubSub) and Cloud Workflow are now compliant with ingress. Nothing more. I don't know why it's taking so much time to add services. cloud.google.com/run/docs/securing/ingress#internal-services - Audet

Same problem here, trying to figure out how this communication can work between Cloud Run & API Gateway. - Tanaka

Nothing from API Gateway for now. I had the team months ago, and then, no signal. I don't know what the status/strategy around API Gateway is, but no new feature or update for a while, it's strange. - Audet
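
The interim setup recommended in the comments above (public ingress, with invocation restricted by IAM) only holds if nothing but the gateway's identity can invoke the service. The following check is an added example, not part of the original thread: it audits the JSON printed by `gcloud run services get-iam-policy SERVICE --format=json`. The service account name and both sample policies are constructed, hypothetical values.

```python
import json

INVOKER_ROLE = "roles/run.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_invoker_policy(policy, gateway_sa):
    """Audit a Cloud Run service-level IAM policy (the JSON printed by
    `gcloud run services get-iam-policy SERVICE --format=json`).

    Only bindings set on the service itself are visible here; invoker
    grants inherited from the project or folder need a separate check.
    """
    expected = "serviceAccount:" + gateway_sa
    invokers = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            invokers.update(binding.get("members", []))

    findings = []
    for member in sorted(invokers & PUBLIC_MEMBERS):
        findings.append("PUBLIC: %s holds %s" % (member, INVOKER_ROLE))
    for member in sorted(invokers - PUBLIC_MEMBERS - {expected}):
        findings.append("EXTRA: %s can also invoke the service" % member)
    if expected not in invokers:
        findings.append("MISSING: %s cannot invoke the service" % expected)
    return findings


# Constructed sample data: hypothetical project and service account names.
GATEWAY_SA = "api-gateway-backend@example-project.iam.gserviceaccount.com"

OPEN_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/run.invoker",
   "members": ["allUsers", "user:dev@example.com"]}
]}
""")

LOCKED_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/run.invoker",
   "members": ["serviceAccount:api-gateway-backend@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/run.viewer", "members": ["group:platform@example.com"]}
]}
""")

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY)):
        print(name, audit_invoker_policy(policy, GATEWAY_SA) or "OK")
```

An empty result means the gateway's service account is the only service-level invoker; any `PUBLIC` finding means the Cloud Run URL is callable without going through the gateway.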
