Tags: google-cloud-platform, google-cloud-run, google-vpc

I am getting an error when connecting a Cloud Run service to a VPC in Google Cloud. How do I resolve this?


In GCP, I have a Cloud Run service 'A' which is in a VPC having subnet IP range 10.0.0.0/24. I have another Cloud Run service 'B' which is not connected to any VPC. I have a Serverless VPC Access connector which connects to the VPC. This connector is configured with IP range 10.8.0.0/28. I then configured the networking of service 'B' with the option "Connect to a VPC for outbound traffic" -> "Use Serverless VPC Access connectors" and chose the connector. Now when service 'B' tries to connect to service 'A', I see the error "Error: Forbidden. Your client does not have permission to get URL /bka/testa from this server." How do I resolve this?

Networking of service A: (screenshot not reproduced)

Networking tab of service B: (screenshot not reproduced)

Firewall rule for the VPC: ingress rule, global, priority 65534, targets: apply to all, source IPv4 ranges: 10.0.0.0/24, protocols and ports: all


Solution

  • Thanks to your comment and your screenshot, let me explain.

    You set service A to internal; then only traffic coming from your VPC (and shared VPC and VPC SC, but that's out of scope) can reach the service.

    On your service B, you set a serverless VPC connector and route ALL the traffic to it. It's important because a Cloud Run service, even when set to "Internal", has a public DNS name and the traffic is routed to the public internet to reach it. In your case, the internet-bound traffic passes through your VPC first and then reaches the internet. Because of that, your traffic is authenticated as coming from your VPC.

    Because YES, setting your service to internal is just an additional rule on your traffic-source check (the traffic must be authenticated as coming from an authorized source). The DNS is still public!


    Where is your mistake?

    Firstly, a wrong assumption: you use a serverless VPC connector on service A. A serverless VPC connector is ONLY for egress traffic and has no impact on your ingress. (Yet, things are cooking, maybe for S2)

    Secondly, don't mix up traffic (network) management, like ingress and egress, with application-layer management, also known as L4 for network and L7 for application.

    In your configuration, even if your network traffic is correctly authenticated (you are coming from your VPC), it's only an L4 validation. If you set your Cloud Run service A to private, it requires authentication at L7, i.e. it checks whether the HTTP request has an "Authorization" header with a JWT bearer token. See more here


    If your security is network-based (not recommended), you can set your service A to public. That means no security check at L7. Keep only the service internal, and only the L4 check is done.

    The problem is: any service, app, or other thing that has access to your VPC network can use your service without requiring any additional authentication (the old DMZ pattern).

    Modern security patterns are zero trust, and, whatever the network source, it's the application layer that must accept the request before processing it. In other words, you can set your service A to ingress=all traffic as long as you correctly manage the L7 authentication.
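The L7 authentication the answer describes, shown as an added example that is not part of the original post or of any Google sample: service B mints an OIDC ID token for its own runtime service account from the Cloud Run metadata server, with the audience set to service A's root URL, and sends it as a Bearer token. The service A URL is a placeholder (hypothetical host), the path /bka/testa is the one from the question, and the example assumes B's runtime service account has been granted roles/run.invoker on A; A can stay ingress=internal and B can keep routing all egress through the connector exactly as in the question, since those settings only affect the L4 check. The token fetcher is injectable so the request-building logic can be exercised offline.

```python
"""Service B calling a private (no-allow-unauthenticated) Cloud Run service A.

Added example, not from the original post. Assumptions (hypothetical):
  - SERVICE_A_URL is a placeholder for service A's real URL;
  - this code runs on Cloud Run, so the metadata server can mint an ID token
    for B's runtime service account;
  - B's service account already has roles/run.invoker on A.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# Placeholder: replace with the actual service A URL (hypothetical host).
SERVICE_A_URL = "https://service-a-xxxxxxxx-uc.a.run.app"

# Documented Google metadata-server endpoint for minting an OIDC identity token.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/instance/"
    "service-accounts/default/identity"
)


def audience_for(service_url: str) -> str:
    """Cloud Run expects the token's aud to be the service's root URL
    (scheme + host), not the full request URL with path or query."""
    parts = urllib.parse.urlsplit(service_url)
    return f"{parts.scheme}://{parts.netloc}"


def fetch_id_token_from_metadata(audience: str) -> str:
    """Ask the metadata server for an ID token for the given audience.
    Only works inside Cloud Run / GCE; the Metadata-Flavor header is mandatory."""
    url = METADATA_IDENTITY_URL + "?" + urllib.parse.urlencode({"audience": audience})
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8").strip()


def unverified_claims(token: str) -> Dict[str, object]:
    """Decode the JWT payload WITHOUT verifying the signature. Debug aid only:
    a 403 from Cloud Run is most often an aud that does not match service A."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def build_authenticated_request(
    service_url: str, path: str, token_fetcher: Callable[[str], str]
) -> urllib.request.Request:
    """The L7 part the answer talks about: the ID token travels in the
    Authorization header as a Bearer token. Cloud Run checks it regardless
    of whether the request arrived through the VPC (the L4 ingress check)."""
    token = token_fetcher(audience_for(service_url))
    return urllib.request.Request(
        urllib.parse.urljoin(service_url, path),
        headers={"Authorization": f"Bearer {token}"},
    )


def call_service_a(
    path: str = "/bka/testa",
    token_fetcher: Callable[[str], str] = fetch_id_token_from_metadata,
) -> Tuple[int, str]:
    """Perform the call; returns (status, body). A 403 here means the L7
    check failed (missing or wrong token, wrong audience, or no run.invoker
    binding) even though the L4 ingress=internal check already passed."""
    req = build_authenticated_request(SERVICE_A_URL, path, token_fetcher)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    status, body = call_service_a()
    print(status, body[:200])
```

If the call still returns 403 after adding the header, print `unverified_claims(token)["aud"]` and compare it with service A's root URL; an audience built from the full path, or a token minted for a different service, is rejected at L7 just like a missing token.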