Observing weird behaviour with Cloud Run Static Egress IP

My use case is mentioned below:

  1. From within the Cloud Run service I need to make external 3rd party API calls to public API vendors that don’t need whitelisting.

  2. At the same time I have 1 specific paid 3rd party vendor that needs to whitelist my external Cloud Run static IP.

In summary I need to satisfy both of the above conditions.

I configured static egress IP by following the official documentation page, using a serverless VPC connector (not direct VPC egress, which is in Preview), and below is the behaviour I am observing. I don’t see any logs in Cloud NAT (not sure if this requires some logs to be enabled).

  1. With the “only requests to private IPs” option enabled, all external API calls are working but IP whitelisting with my 3rd party API vendor doesn’t work.
  2. With the 2nd option related to “allow VPC traffic”, all external API calls, including the specific 3rd party API that needs whitelisting, are failing. I need to check if there is a route to the internet, which I am assuming should exist.

Sometimes I feel Google Cloud Platform is overly complicated to work with 🙂


Looks like I found my answer and it seems like a bug with the gcloud command. By the way, the official documentation is missing the steps to set up the GCP resources from the Console (only TF and gcloud steps exist). The defect, though, is that when you configure the NAT IP range from gcloud it does not take the secondary IP range of the subnet into consideration, while the same thing from the Console takes both the primary and secondary IP ranges of the subnet into account, as you can see from the images below.

Waiting for someone from Google Staff to validate my findings and then accept it as the solution.

My apologies, it seems to be a documentation bug rather than a gcloud option. The option to add subnet IP ranges (both primary and secondary) is --nat-all-subnet-ip-ranges, but the option mentioned in the documentation is --nat-custom-subnet-ip-ranges, which only refers to the primary IP range of the subnet.
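The flag mix-up described above can be audited from the exported NAT and subnet resources rather than by trial and error. The Python below is an added example (not from this thread or from Google's tooling): it lists every primary or secondary range of a subnet that a Cloud NAT would not translate, assuming the Compute API field names that `gcloud compute routers nats describe --format=json` and `gcloud compute networks subnets describe --format=json` return, and using constructed sample JSON for a NAT created with the documented --nat-custom-subnet-ip-ranges flag.

```python
import json

# Constructed `gcloud compute routers nats describe --format=json` output for a NAT
# made with --nat-custom-subnet-ip-ranges=run-subnet: only the primary range is listed.
NAT_JSON = """{"name": "run-nat", "sourceSubnetworkIpRangesToNat": "LIST_OF_SUBNETWORKS",
  "subnetworks": [{"name": "projects/p/regions/r/subnetworks/run-subnet",
                   "sourceIpRangesToNat": ["PRIMARY_IP_RANGE"]}]}"""

# Constructed `gcloud compute networks subnets describe --format=json` output.
SUBNET_JSON = """{"name": "run-subnet", "ipCidrRange": "10.8.0.0/28",
  "secondaryIpRanges": [{"rangeName": "run-secondary", "ipCidrRange": "10.9.0.0/24"}]}"""

def subnet_ranges(subnet):
    # [(range name, CIDR)], with the primary range labelled "primary"
    ranges = [("primary", subnet["ipCidrRange"])]
    return ranges + [(r["rangeName"], r["ipCidrRange"])
                     for r in subnet.get("secondaryIpRanges", [])]

def uncovered_ranges(nat, subnet):
    """Range names of `subnet` whose egress this NAT will NOT translate."""
    names = [n for n, _ in subnet_ranges(subnet)]
    mode = nat.get("sourceSubnetworkIpRangesToNat")
    if mode == "ALL_SUBNETWORKS_ALL_IP_RANGES":          # --nat-all-subnet-ip-ranges
        return []
    if mode == "ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES":  # --nat-primary-subnet-ip-ranges
        return [n for n in names if n != "primary"]
    # LIST_OF_SUBNETWORKS (--nat-custom-subnet-ip-ranges): inspect this subnet's entry
    entry = next((s for s in nat.get("subnetworks", [])
                  if s["name"].rsplit("/", 1)[-1] == subnet["name"]), None)
    if entry is None:
        return names
    covered = set()
    for kind in entry.get("sourceIpRangesToNat", []):
        if kind == "ALL_IP_RANGES":
            return []
        if kind == "PRIMARY_IP_RANGE":
            covered.add("primary")
        if kind == "LIST_OF_SECONDARY_IP_RANGES":
            covered.update(entry.get("secondaryIpRangeNames", []))
    return [n for n in names if n not in covered]

def audit(nat_json=NAT_JSON, subnet_json=SUBNET_JSON):
    # Print one line per range and return the names that bypass the static NAT IP
    nat, subnet = json.loads(nat_json), json.loads(subnet_json)
    missing = uncovered_ranges(nat, subnet)
    for name, cidr in subnet_ranges(subnet):
        print(f"{name:<14} {cidr:<16} {'NOT translated' if name in missing else 'via NAT IP'}")
    return missing
```

Run `audit()` against your own exported JSON; any range reported as "NOT translated" will leave the VPC with an address the vendor has not whitelisted.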