user8508357

Why is the Cloud Run URL still accessible after API Gateway applied?

I applied Google's API Gateway using an OpenAPI YAML file as the configuration, and received a new gateway URL.

My question is what is the point of the gateway if the original Cloud Run URL is still accessible?

I can make the exact same Postman calls to the gateway URL and the Cloud Run URL, e.g. https://gateway.api.url.google.com/orders and https://cloud.run.url.google.com/orders.

My assumption (and hope) is that the gateway URL is now the primary URL and any requests to the Cloud Run URL get routed to the API Gateway. Can anyone shed any light on this?

Upvotes: 1

Views: 1166

Answers (1)

guillaume blaquiere

Reputation: 75970

API Gateway is simply a portal (a gateway in fact) that comes in front of one or several APIs. The target of an API Gateway is to centralize the API endpoints, from different backends, in one place and to offer a consistent experience to the consumer (security, domain name, ...).

The API Gateway comes in front of several backends but in no case changes the behavior of these backends. So, they are still accessible directly AND through the API Gateway.


If you don't want this, I can propose 2 solutions:

  1. Set your Cloud Run service private (I mean deploy it with the --no-allow-unauthenticated param, or delete the allUsers access permission). Like this, only authenticated requesters can access it. In API Gateway, set a custom service account, and grant ONLY this service account the role roles/run.invoker. In the end, only the API Gateway will be able to call the Cloud Run service. All direct calls, authenticated or not, will be rejected because only API Gateway is authorized to access it.

  2. If you don't have any special features in your API Gateway OpenAPI configuration, you can use an HTTPS load balancer in front of your Cloud Run services instead, and set the Cloud Run ingress param to internal-and-cloud-load-balancing.

Upvotes: 7
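A check for solution 1 in the answer above, added here as an example and not part of the original post: it reads a Cloud Run service IAM policy (the JSON printed by `gcloud run services get-iam-policy SERVICE --format=json`) and reports every principal other than the gateway's service account that holds roles/run.invoker. The service account name, the function name `audit_invokers` and both sample policies are constructed for illustration.

```python
import json

INVOKER_ROLE = "roles/run.invoker"
# Either of these members lets callers outside your project reach the service URL.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample data: the service account and both policies are made up.
GATEWAY_SA = "gateway-sa@example-project.iam.gserviceaccount.com"
POLICY_PUBLIC = json.loads("""
{"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}
""")
POLICY_LOCKED = json.loads("""
{"bindings": [{"role": "roles/run.invoker", "members":
  ["serviceAccount:gateway-sa@example-project.iam.gserviceaccount.com"]}]}
""")


def audit_invokers(policy, gateway_sa):
    """Return a list of findings; an empty list means gateway-only invocation."""
    expected = "serviceAccount:" + gateway_sa
    findings = []
    gateway_bound = False
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue  # this check covers only the role named in the answer
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append("PUBLIC: %s can call the Cloud Run URL directly" % member)
            elif member == expected:
                gateway_bound = True
            else:
                findings.append("EXTRA: %s can bypass the gateway" % member)
    if not gateway_bound:
        # Without this binding the gateway itself would be rejected by Cloud Run.
        findings.append("MISSING: %s lacks %s" % (expected, INVOKER_ROLE))
    return findings


if __name__ == "__main__":
    for name, policy in (("public", POLICY_PUBLIC), ("locked", POLICY_LOCKED)):
        print(name, audit_invokers(policy, GATEWAY_SA) or "OK: gateway only")
```

The policy returned for a service lists only bindings set on that service, so invoker grants inherited from the project or a folder have to be reviewed separately.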
