Cloud run egress traffic

Google Cloud Serverless Applications
1

Hi everyone!!

I’m working with Cloud run service and I have following situation:

  1. Cloud Run Services A has configured a Serverless VPC Access Connector routing all traffic through it.

  2. Cloud Run Service A should call an external API, for example Facebook or some Broker for payments.

Due to I have configured to route all traffic through VPC Connector, also requests for these external Service are routed through connector?

I’m asking because the charges increase if I have more egress traffic through connector and in this cases I would not want that traffic passing through it.

2

Hi - yes, if you configure all traffic to be routed through the connector,
that includes traffic to public IPs.

3

Hi again!

The scenario I want to achive is the following:

  1. When a cloud run service needs send a request to other cloud run service, traffic should go through connector.

  2. When a cloud run service needs send a request to a public external ip, traffic shouldn’t go through connector.

How I can configure cloud run service in order to have this behavior?

4

What you’re asking for makes sense, but unfortunately it’s not possible to
configure Cloud Run that way.

5

Thank you Knet!

Ok, It’s clear, just last question about cloud run egress traffic. In this documentation: https://cloud.google.com/run/docs/securing/private-networking#from-gcp-serverless , point 2 has 2 option in order to configure egress traffic, what is the purpose of option b, I mean, what I will reach with such configuration.

Thanks in advance!

6

Hi, with option b, once your request is in the VPC network, it will be
routed according to how the network is set up, respecting firewall rules,
routes, Cloud NAT configuration, etc. You can use Cloud NAT to get a static
egress IP for your service, for example.

Karolina Netolicka
Product Manager, Serverless

7

Hi @knet I had this exact same requirement a week ago. I followed the setup mentioned on this page (by the way documentation seems out of date since there is an option to configure this via GCP console also in addition to gcloud and TF) and I found that whitelisting my CR service (with the static egress IP) didn’t work. I tried doing the same from the console and i selected primary IP and subnet IP radio button by luck :slightly_smiling_face: and it started working. Upon comparing what the gcloud from documentation did and the GCP console i found that gcloud Cloud NAT used the wrong option (only primary IP selection associated with the subnet) and hence failed. It would be nice to mention the data path that egress traffic takes. I am assuming it is GCE VM (from serverless vpc connector) → uses secondary subnet?? → Cloud Router → Cloud NAT → Egress IP.