How to enable Cloud Run using serverless vpc connector to restrict traffic to a specific VPC resource only
I am trying to set up Cloud Run (nodeJs app, code is below) to privately connect to Memory store instance. I've followed this Google Article to create a Serverless VPC Access Connector. Making sure I created the connector in the same region as Cloud Run app, and that the connector is attached to the Redis instance's authorized VPC network.
Memorystore is isolated in a VPC with a private range address.
Nodejs app code is shown below.
const {createClient} = require('redis');
getClient() {
const client = createClient({
socket: {
host: process.env.REDIS_HOST
},
password: process.env.REDIS_PASS
});
client.on('error', (err) => {
throw Error(`redis client error: ${err}`);
});
return client;
}
Google doc states that a firewall rule is created to allow ingress from the connector's subnet to all destinations in the VPC network. This is against my company's security policy as we have other services in this VPC (VM's, GKE instances etc). So I need to restrict connector to be able to reach all destinations in VPC network. Is there a preferred way of achieving this?
Earlier in 2021, Google Cloud made it possible for CloudRun serverless vpc connector to use the allow and target-tags flags to create an ingress firewall rule. It allows targeting the traffic only to a specific resource with in VPC.
Google doc states that a firewall rule is created to allow ingress from the connector's subnet to all destinations in the VPC network. This is against my company's security policy as we have other services in this VPC (VM's, GKE instances etc). So I need to restrict connector to be able to reach all destinations in VPC network. Is there a preferred way of achieving this?
Create a firewall rule and set the priority for this rule to be a lower value than the one you created in the previous step.
gcloud compute firewall-rules create RULE_NAME \
--allow=PROTOCOL \
--source-tags=VPC_CONNECTOR_NETWORK_TAG \
--direction=INGRESS \
--network=VPC_NETWORK \
--target-tags=RESOURCE_TAG \
--priority=PRIORITY
Hope it resolves your issue.
- How to set a custom uid inside firebase authentication
- Where is the "user created" event on Firebase Functions V2?
- Why does Google Cloud Storage freeze when I try to upload a large folder (2.5GB of images)?
- How to get a GCP identity-token programmatically with python
- How to route dead letter messages back to the original topic?
- Unable to delete collection from the firestore console
- Is there an API to list all google compute regions
- Error "address already in use" when trying to connect to google cloud SQL using cloud-sql-connector
- In Google Cloud console, safe to grant Firebase Admin SDK role to default compute service account?
- Docker connection issues on Compute Engine
- Generate CSR using the private key store on Google HSM
- download file from google cloud compute instance
- Does Cloud Run supports HTTP streaming?
- Create a dashboard graph with data points in logs
- Getting "Configuration is not authorized" error while deploying GCP Vertex AI Agent on App Engine
- Firebase: maintain user lookup table in GCP
- How to properly assign publisher and subscriber roles to a dead-letter topic using terraform
- Stuck on complying with domain verification requirements
- BigQuery Arrays - check if Array contains specific values
- Which GPU should I use on Google Cloud Platform (GCP)
- Unable to upload file to gdrive using gdrive api with service account
- Persistent Disk SSD (GB) quota related to ZONE_RESOURCE_POOL_EXHAUSTED?
- The location for this project is already set to another value In firebase Storage console
- Error 400: invalid_request for iOS google Sign in
- Handling a Cloud Run container shutdown
- Stripe Error: No signatures found matching the expected signature for payload
- What are the implications of using the select() query on a large Firestore doc versus splitting the data between multiple docs?
- VueJS + Firebase How do I display an image?
- BigQuery Policy Tags: possible as infra as code?
- Sending test events using curl to gcp subscription got 502 error