GCP CloudRun - Add NAT Gateway or Internal Service Ingress All?
In CloudRun:
public-service needs to talk to internal-service and the internet
internal-service talks to the internet
Option1: Ideally, internal-service has ingress as internal, but in doing so, public-service requires a vpc-connector for all-traffic, which means it also needs a NAT gateway added.
Option-2: Alternatively, internal-service can have ingress as all and --no-allow-unauthenticated.
Option-1 looks a bit complex. What is recommended? What are the security risks to Option-2?
Your VPC contain a default route that forward the traffic to the internet if no IP match in your VPC
Therefore, you don't need a Cloud NAT. Cloud NAT is useful if you want to go to the internet with a static and your own IP, not with a shared and random IP.
Option 1 is the best, without cloud nat overhead.
EDIT 1
I was sure that the default internet route wasn't delete-able. Thanks to your comment, I checked and.... no, you can delete it. Only the priority 0 rules aren't removable.
But that also means you can recreate it, like that
gcloud beta compute routes create default-to-internet \
--network=default --priority=1000 --destination-range=0.0.0.0/0 \
--next-hop-gateway=default-internet-gateway
Stay on the option 1 ;)
- what is the recommended Cloud Firestore location for Egypt and the middle east countries?
- Permissions For Google Cloud SQL Import Using Service Accounts
- Best Practices for Migrating Docker Images from Google Container Registry (GCR) to Artifact Registry with High Volume of Tags
- GCP Cloud Run: “missing required GoogleAccessID” when generating V4 Signed URL for Cloud Storage
- Flink-BigTable - Any connector?
- Increase gcloud run deploy timeout (NOT request timeout)
- Efficiently storing and getting likes in FireStore / Document DB
- Error 400 invalid JSON Payload Unknown name generationConfig on an AI API Curl command
- Google Cloud Run - Domain Mapping stuck at Certificate Provisioning
- What is the difference between Google Cloud Vision API and Mobile Vision?
- Setting GOOGLE_APPLICATION_CREDENTIALS for BigQuery Python CLI
- BigQuery Transfer Service does not copy rows from S3
- Vertex AI feature store vs BigQuery
- Random Sampling in Google BigQuery
- How to Properly Inject Service Account Credentials in Google Cloud Build for Cloud Run Deployment?
- Read JSON file directly from google storage (using Cloud Functions)
- How to Automatically Renew Let's Encrypt SSL Certificate on All-Inkl DNS and Google Cloud VM (Ubuntu)?
- How to copy a table in Big Query, with primary keys
- How to see "Network Security Address Group" details
- Error: 10: Developer console is not set up correctly (Not Using Firebase) (One Tap sign-up)
- how do I set up cloud run in a shared vpc with direct vpc egress?
- what is the privilege of the Postgres user created by gcp
- Deploy llama on VertexAI
- How to display messages as list in gmail api?
- set log severity on google cloud without using google-cloud-logging library
- Is there a way to check which SA key has been used by a service account for a request?
- Uploading images to Firebase storage returns "Access denied" after some time
- Google Cloud Container Registry/Artifact Registry Permissions
- Generating Cloud Storage Signed URL from Google Cloud Function without using explicit key file
- Fetch columns that match query criteria