David Martins

Reputation: 63

Use a fixed public IP (to whitelist) on GCP Cloud Run / Function

I'm looking at the best way to deploy an app to GCP. This app needs to use a microservice (running on Cloud Run or Cloud Function) to execute SQL code on a distant database.

Basically, the microservice receives a piece of SQL code and needs to execute it on a distant database. For security reasons, the distant database will have to whitelist the IP address that the app will use to connect to it.

On GCP, what would be the best way to have a fixed, public IP address that a distant DB can whitelist, considering that I want to use Cloud Run or Cloud Function?

NB: I'm aware of solutions using GKE, or on AWS using Lambda + a NAT instance.

Thanks!

Upvotes: 6

Views: 4580

Answers (2)

jackdbd

Reputation: 5043

There is another option, but it's a bit tricky. You can reserve an external IP address and configure an external HTTP(S) load balancer.

You will need to perform a few steps:

  1. Reserve an external, static IP address.
  2. Create a Google-managed SSL certificate or provide your SSL certificate.
  3. Create a serverless Network Endpoint Group. The load balancer will use this serverless NEG to direct requests to a serverless Cloud Run service. Important: your serverless NEG and your Cloud Run service must be in the same region.
  4. Create a backend service (e.g. a web app deployed to Cloud Run).
  5. Add the serverless NEG as a backend to the backend service.
  6. Create a URL map to route requests to your backend service/s. If you have more than one backend service, you can use host rules to direct requests to different services based on the host name, and you can set up path matchers to direct requests to different services based on the request path.
  7. Create an HTTPS target proxy. This proxy will route incoming requests to your URL map.
  8. Create a global forwarding rule to forward all HTTPS traffic to the HTTPS target proxy.
  9. Connect your domain to your load balancer. Add one or more A records that point to the load balancer's IP address (and wait for the DNS propagation).
  10. Configure security policies with Cloud Armor.

Thanks to Cloud Armor, you can configure deny/allow rules (like IP whitelisting/blacklisting) at the network edge.

See also the codelab Cloud Armor NamedIP List.

Upvotes: 2

guillaume blaquiere

Reputation: 75715

You have several solutions to achieve this:

  • Use Cloud Run on GKE. In this case, you have your VMs on your VPC and you know their IPs. However, you have several public IPs, and the IP changes if the VM restarts. The good pattern is to remove the public IP from the VMs and to deploy a Cloud NAT for mapping all the egress traffic onto a single external (and public) IP.
  • Use Cloud Function. In this case, you have to add an additional component: Serverless VPC Access. This component allows routing the traffic (all of it, or only the private destination IPs) originating from the serverless component. Thereby, your request goes through this element and comes into your VPC. Then, as before, configure a Cloud NAT for mapping the external IP onto a static and public IP.

Serverless VPC Access works with App Engine and Cloud Function. Cloud Run should be compliant with it in 2020.

Last alternative: in both cases, we use Cloud NAT for going onto the public internet with a static IP. You can imagine setting up a VPN between your VPC and the on-prem network (where your database is hosted), and like this you have nothing to whitelist; all the communication is inside the same virtual private network.

Upvotes: 6
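The Cloud Function + Serverless VPC Access + Cloud NAT path from the answer above, written out as gcloud commands. This is an added example, not code from the question or either answer; the resource names (egress-nat-ip, egress-connector, egress-router, egress-nat, sql-runner), the 10.8.0.0/28 connector range and the python311 runtime are assumed placeholders. GCLOUD can be overridden (e.g. GCLOUD=echo) to dry-run the commands.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): give a Cloud Function a single
# static egress IP so the remote database can allow-list exactly one address.
# All names and the /28 range below are assumed placeholders.
GCLOUD="${GCLOUD:-gcloud}"          # set GCLOUD=echo for a dry run
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-default}"

# A Serverless VPC Access connector must be given an unused /28 range;
# anything else is rejected, so check before calling gcloud.
connector_range_ok() {
  case "$1" in
    */28) return 0 ;;
    *)    return 1 ;;
  esac
}

# Connector, router and NAT must all live in the same region as the function.
setup_static_egress() {
  range="$1"
  connector_range_ok "$range" || { echo "range must be a /28: $range" >&2; return 1; }
  # 1. Reserve the regional static IP the DB administrator will whitelist.
  $GCLOUD compute addresses create egress-nat-ip --region="$REGION"
  # 2. Connector that carries traffic from the function into the VPC.
  $GCLOUD compute networks vpc-access connectors create egress-connector \
    --region="$REGION" --network="$NETWORK" --range="$range"
  # 3. Cloud Router + Cloud NAT bound to the reserved IP only (manual pool),
  #    covering all subnet ranges so the connector's /28 is translated too.
  $GCLOUD compute routers create egress-router --network="$NETWORK" --region="$REGION"
  $GCLOUD compute routers nats create egress-nat --router=egress-router \
    --region="$REGION" --nat-all-subnet-ip-ranges --nat-external-ip-pool=egress-nat-ip
}

# Deploy so that ALL egress goes through the connector. With the default
# (private ranges only) a public DB would still see an unpredictable IP.
deploy_function() {
  $GCLOUD functions deploy sql-runner --region="$REGION" --runtime=python311 \
    --trigger-http --entry-point=run_sql --source=. \
    --vpc-connector=egress-connector --egress-settings=all
}

# The address to hand over for the allow list.
egress_ip() {
  $GCLOUD compute addresses describe egress-nat-ip --region="$REGION" \
    --format='value(address)'
}
```

Run setup_static_egress 10.8.0.0/28, then deploy_function, then egress_ip to read the address back; a quick check from inside the deployed function against an IP-echo endpoint should return that same address.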
