Tags: google-cloud-platform, google-cloud-run, google-vpc, google-nat-gateway

GCP CloudRun - Add NAT Gateway or Internal Service Ingress All?


In CloudRun:

public-service needs to talk to internal-service and the internet

internal-service talks to the internet

Option 1: Ideally, internal-service has ingress as internal, but in doing so, public-service requires a vpc-connector for all-traffic, which means it also needs a NAT gateway added.

Option 2: Alternatively, internal-service can have ingress as all and --no-allow-unauthenticated.

Option 1 looks a bit complex. What is recommended? What are the security risks to Option 2?


Solution

  • Your VPC contains a default route that forwards the traffic to the internet if no IP in your VPC matches.


    Therefore, you don't need a Cloud NAT. Cloud NAT is useful if you want to go to the internet with a static IP of your own, not with a shared and random IP.

    Option 1 is the best, without the Cloud NAT overhead.


    EDIT 1

    I was sure that the default internet route wasn't deletable. Thanks to your comment, I checked and... no, you can delete it. Only the priority 0 rules aren't removable.

    But that also means you can recreate it, like this:

    gcloud beta compute routes create default-to-internet \
     --network=default --priority=1000 --destination-range=0.0.0.0/0 \
     --next-hop-gateway=default-internet-gateway
    

    Stay on the option 1 ;)
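As an added illustration (not code from the answerer), the following script checks the two facts the thread turns on: whether the VPC still has a 0.0.0.0/0 route to default-internet-gateway (so a VPC connector with all-traffic egress reaches the internet without Cloud NAT), and whether each Cloud Run service matches Option 1, Option 2, or is simply public. It runs offline on constructed sample data in the shape of `gcloud compute routes list --format=json`, `gcloud run services describe --format=json` and `gcloud run services get-iam-policy --format=json`; the project id `p` and service-account names are assumptions.

```python
import json

# Constructed sample data (not captured from a real project), in the shape of
# `gcloud compute routes list --format=json`, `gcloud run services describe
# SVC --format=json` and `gcloud run services get-iam-policy SVC --format=json`.
ROUTES_JSON = json.dumps([
    {"name": "default-to-internet", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": "https://www.googleapis.com/compute/v1/projects/p/"
                       "global/gateways/default-internet-gateway"},
    {"name": "default-route-sub", "destRange": "10.128.0.0/20", "priority": 0,
     "nextHopNetwork": "https://www.googleapis.com/compute/v1/projects/p/"
                       "global/networks/default"},
])
SERVICES = {  # name -> (service description, IAM policy); names are assumed
    "internal-service": (
        {"metadata": {"annotations": {"run.googleapis.com/ingress": "internal"}}},
        {"bindings": [{"role": "roles/run.invoker",
                       "members": ["serviceAccount:public-svc@p.iam.gserviceaccount.com"]}]}),
    "option2-service": (
        {"metadata": {"annotations": {"run.googleapis.com/ingress": "all"}}},
        {"bindings": [{"role": "roles/run.invoker",
                       "members": ["serviceAccount:public-svc@p.iam.gserviceaccount.com"]}]}),
    "public-service": (
        {"metadata": {"annotations": {"run.googleapis.com/ingress": "all"}}},
        {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}),
}

def has_default_internet_route(routes_json: str) -> bool:
    """True if a 0.0.0.0/0 route to the default internet gateway exists, i.e.
    connector egress can reach the internet without Cloud NAT (answer's EDIT 1)."""
    return any(r.get("destRange") == "0.0.0.0/0"
               and r.get("nextHopGateway", "").endswith("/default-internet-gateway")
               for r in json.loads(routes_json))

def classify(service: dict, policy: dict) -> str:
    """'option-1': VPC-only ingress; 'option-2': internet-reachable but IAM-gated,
    so exposure rests entirely on the invoker bindings; 'public': anyone can invoke."""
    ingress = service["metadata"]["annotations"].get("run.googleapis.com/ingress", "all")
    invokers = {m for b in policy.get("bindings", []) if b["role"] == "roles/run.invoker"
                for m in b["members"]}
    if ingress == "internal":
        return "option-1"
    if invokers & {"allUsers", "allAuthenticatedUsers"}:
        return "public"
    return "option-2"

def audit(services: dict = SERVICES) -> dict:
    return {name: classify(svc, pol) for name, (svc, pol) in services.items()}

if __name__ == "__main__":
    print("default internet route present:", has_default_internet_route(ROUTES_JSON))
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

Against live data, feed the three gcloud commands' JSON into the same functions; an Option 2 service that drifts to `allUsers` shows up as `public`.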