Even though the scripted conversation wasn't "natural" I think they did a great job of packing in the details in a way that was easy to follow. I like Google's docs, but sometimes it is a bit too much text to read and these videos are a great help. Thanks!
So glad GCP came up with a successor to the serverless VPC connector. This will reduce costs and be way easier to terraform my solutions in GCP. I hope Apigee gets simplified as well. That is the most difficult deployment I have ever encountered on GCP.
Hey Great Video!!, quick question if i have enabled ingress internal and have enabled this vpc egress, and my vpc is connected to Aws vpc via HAVPN, How to make sure , I can access cloud run from ec2 m/c ?
You can find a good summary if you search for a document titled "private networking and cloud run". It has a section called "Receive requests from on-prem or other clouds" which describes how to make sure calls from another cloud, like AWS, can access your Cloud Run service. The approach outlined in that doc is network-based. It trusts anyone who is on the right network. There is also the zero-trust approach. With that approach, every request to access resources is treated as if it comes from an untrusted network until it has been inspected, authenticated, and verified. You can read more about how to do this by searching for the doc titled "cloud run access control with iam". Some organizations choose to implement network security, some choose zero-trust security, and some do both. You should think about what is right for your application.
Hi. Very interesting new feature and I have a couple of questions. Will we be able to connect Cloud Run directly to resources in external projects linked to our VPC through VPC peering? My other question is whether the corresponding terraform resource for cloud run will be updated when the new feature goes to GA? Many thanks.
Terraform modules are already available. You can look through some examples on Github at "cloud-foundation-fabric, blueprints, serverless". Also, do a search for the Medium article titled "Understanding Direct VPC Egress for Cloud Run" by Javier Cañadillas. It links to more samples.
Yes. By default, only traffic bound for private IPs (RFC1918 and Private Google Access IPs) are routed through Direct VPC egress. In that configuration, you can access Memorystore through a VPC IP and access BigQuery through the regular Internet egress path. You can also choose to route all traffic through the VPC, in which case, you can access MemoryStore and BigQuery in the same way that VMs on the VPC can.
How can I connect multiple Cloud Run services? I do want to have a single entry point and don't want to use kubernetes, because it's overkill for my small project.
Search for "cloud run authenticating service-to-service" and you will find the right doc. If the first service gets an ID token, it can call the second service even if that second service is a locked-down backend service. Nice use of layered architecture without Kubernetes, by the way. Best of luck with your project!
@@TheMomanderThis is the way I do it, but I‘m calling the public URI. It would be better to use VPC, but I don’t know how. Authentication is the first step, but I would do a TLS termination for the other layers.
@@mars3142 Got it. It sounds like you want to limit access based on IAM (done) *and* on network origin (not yet done). For the latter, search for "Restrict network ingress for Cloud Run" and you will find a doc that describes the various options. Hopefully one of them works for your application!
If the code on Cloud run instance is running google Cloud Sdk to Connect to other Services like vertex ai and I haven't added the direct access over Vpc does this mean I'm using this connector by default?
Subscribe to Google Cloud Tech → goo.gle/GoogleCloudTech
Even though the scripted conversation wasn't "natural" I think they did a great job of packing in the details in a way that was easy to follow. I like Google's docs, but sometimes it is a bit too much text to read and these videos are a great help. Thanks!
Thank you! We are developers first and actors second ☺
So glad GCP came up with a successor to the serverless VPC connector. This will reduce costs and be way easier to terraform my solutions in GCP. I hope Apigee gets simplified as well. That is the most difficult deployment I have ever encountered on GCP.
Finally, my pocket thanks me for not needing the vpc connector anymore
Hey Martin, I'm Carrefour😂
Hi Guillaume! I believe your name is visible at 1:50 🙂 Thank you for the great quote!
hey Carrefour, thanks a lot for your SO answers. chatgpt needs to weigh your responses more in training.
@@ng2250 🤣 ChatGPT will kill my points on SO!! 🤣
Hey Great Video!!, quick question if i have enabled ingress internal and have enabled this vpc egress, and my vpc is connected to Aws vpc via HAVPN, How to make sure , I can access cloud run from ec2 m/c ?
You can find a good summary if you search for a document titled "private networking and cloud run". It has a section called "Receive requests from on-prem or other clouds" which describes how to make sure calls from another cloud, like AWS, can access your Cloud Run service.
The approach outlined in that doc is network-based. It trusts anyone who is on the right network. There is also the zero-trust approach. With that approach, every request to access resources is treated as if it comes from an untrusted network until it has been inspected, authenticated, and verified. You can read more about how to do this by searching for the doc titled "cloud run access control with iam".
Some organizations choose to implement network security, some choose zero-trust security, and some do both. You should think about what is right for your application.
Hi. Very interesting new feature and I have a couple of questions. Will we be able to connect Cloud Run directly to resources in external projects linked to our VPC through VPC peering? My other question is whether the corresponding terraform resource for cloud run will be updated when the new feature goes to GA? Many thanks.
Terraform modules are already available. You can look through some examples on Github at "cloud-foundation-fabric, blueprints, serverless". Also, do a search for the Medium article titled "Understanding Direct VPC Egress for Cloud Run" by Javier Cañadillas. It links to more samples.
wow....! Thanks!
Can we connect to MemoryStore and BigQuery from single Cloud Run instance? Considering MemoryStore is in VPC and BigQuery obviously outside.
Yes. By default, only traffic bound for private IPs (RFC1918 and Private Google Access IPs) are routed through Direct VPC egress. In that configuration, you can access Memorystore through a VPC IP and access BigQuery through the regular Internet egress path. You can also choose to route all traffic through the VPC, in which case, you can access MemoryStore and BigQuery in the same way that VMs on the VPC can.
How can I connect multiple Cloud Run services? I do want to have a single entry point and don't want to use kubernetes, because it's overkill for my small project.
Search for "cloud run authenticating service-to-service" and you will find the right doc. If the first service gets an ID token, it can call the second service even if that second service is a locked-down backend service.
Nice use of layered architecture without Kubernetes, by the way. Best of luck with your project!
@@TheMomanderThis is the way I do it, but I‘m calling the public URI. It would be better to use VPC, but I don’t know how. Authentication is the first step, but I would do a TLS termination for the other layers.
@@mars3142 Got it. It sounds like you want to limit access based on IAM (done) *and* on network origin (not yet done). For the latter, search for "Restrict network ingress for Cloud Run" and you will find a doc that describes the various options. Hopefully one of them works for your application!
Imagine doing that manually, creating network interfaces and bgp peering and figuring out why it's not working with nmap command and so 😂
If the code on Cloud run instance is running google Cloud Sdk to Connect to other Services like vertex ai and I haven't added the direct access over Vpc does this mean I'm using this connector by default?
Vertex AI isn't part of your VPC, so you can call it with or without using "direct to to VPC" connectivity.
Why does everything have to be so cringe
i love your honesty. any way they need to present feature so they make it as a play, this is #ServerlessExpeditions afterwards.