13
votes

I'm developing an app using GCP managed Cloud Run and MongoDB Atlas. If I allow connection from anywhere for IP Whitelist of Atlas, Cloud Run perfectly works well with MongoDB Atlas. However, I want to restrict connection only for necessary IPs but I couldn't find outbound IPs of Cloud Run. Any way to know the outbound IPs?

4
There's a way to assign static IPs to Cloud Run now. Updated my answer. - Ahmet Alp Balkan

4 Answers

10
votes

Update (October 2020): Cloud Run has now launched a VPC egress feature that lets you configure a static IP for outbound requests through Cloud NAT. You can follow this step-by-step guide in the documentation to configure a static IP to whitelist at MongoDB Atlas.


Until Cloud Run starts supporting Cloud NAT or Serverless VPC Access, unfortunately this is not supported.

As @Steren has mentioned, you can create a SOCKS proxy by running a ssh client that routes the traffic through a GCE VM instance that has a static external IP address.

I have blogged about it here: https://ahmet.im/blog/cloud-run-static-ip/, and you can find step-by-step instructions with a working example at: https://github.com/ahmetb/cloud-run-static-outbound-ip

6
votes

Cloud Run (like all scalable serverless products) does not give you dedicated IP addresses that are known to be the origination of outgoing traffic. See also: Possible to get static IP address for Google Cloud Functions?

3
votes

Cloud Run services do not get static IPs.

A solution is to send your outbound requests through a proxy that has a static IP.

For example in Python:

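import os

import requests
from flask import Flask

app = Flask(__name__)

@app.route("/")
def hello():
    # PROXY holds the URL of the proxy that owns the static IP.
    proxy = os.environ.get('PROXY')
    # Route both plain HTTP and HTTPS requests through that proxy.
    proxyDict = {
        "http": proxy,
        "https": proxy
    }
    # ifconfig.me echoes back the public IP it sees the request come from.
    # The timeout keeps a dead proxy from hanging the request handler.
    r = requests.get('http://ifconfig.me/ip', proxies=proxyDict, timeout=10)
    return 'You connected from IP address: ' + r.text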

With the PROXY environment variable containing the IP or URL of your proxy (see here to set an environment variable).

For this proxy, you can either:

  • create it yourself, for example using a Compute Engine VM with a static public IP address running squid; this likely fits in the Compute Engine free tier.
  • use a service that offers a proxy with static IP, for example https://www.quotaguard.com/static-ip/ that starts at $19/m

I personally used this second solution. The service gives me a URL that includes a username and password, that I then use as a proxy using the code above.
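An added example, not part of the answer above: a startup check that fails closed when traffic sent through the proxy does not leave from an address on the database allowlist, and that keeps the proxy username and password out of error messages. The function names, the `fetch_ip` callback and all addresses and credentials are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit


def redact_proxy_url(proxy_url):
    """Return the proxy URL with any username/password removed, safe for logs."""
    parts = urlsplit(proxy_url)
    if parts.username is None and parts.password is None:
        return proxy_url
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = f"***@{host}" + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def egress_ip_allowed(observed_ip, allowlist):
    """True if observed_ip falls inside any allowlist entry (single IP or CIDR)."""
    try:
        ip = ipaddress.ip_address(observed_ip.strip())
    except ValueError:
        return False  # e.g. the proxy returned an error page instead of an IP
    nets = (ipaddress.ip_network(entry, strict=False) for entry in allowlist)
    return any(ip.version == net.version and ip in net for net in nets)


def check_egress(proxy_url, allowlist, fetch_ip):
    """Raise unless traffic sent via proxy_url leaves from an allowed IP.

    fetch_ip(proxies) must return the caller's public IP as text, for example
    lambda p: requests.get("https://ifconfig.me/ip", proxies=p, timeout=10).text
    """
    proxies = {"http": proxy_url, "https": proxy_url}
    observed = fetch_ip(proxies)
    if not egress_ip_allowed(observed, allowlist):
        raise RuntimeError(
            f"egress IP {observed.strip()!r} via {redact_proxy_url(proxy_url)} "
            "is not in the database allowlist"
        )
    return observed.strip()


if __name__ == "__main__":
    # Constructed values: documentation-range IPs and a made-up proxy URL.
    fake_fetch = lambda proxies: "203.0.113.7\n"
    print(check_egress("http://user:s3cret@proxy.example.com:9293",
                       ["203.0.113.7/32"], fake_fetch))
```

Run it once at container start, before opening the MongoDB connection, with the same entries that are configured in the Atlas IP allowlist.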

1
votes