Google Cloud Functions with VPC Serverless Connector Egress with Cloud NAT not working

2
votes

This is related to the following questions, which are outdated

Currently GCP has VPC Serverless Connector that allows you to route all traffic through a VPC Connector and set up Cloud NAT to get static IP addresses.

I have followed the following guide https://cloud.google.com/functions/docs/networking/network-settings#associate-static-ip using the region us-east4 but external requests from my cloud function always timed out.

I'm not sure this is a bug or I have missed something.

Edit: To make sure I have followed everything, I did all the steps using gcloud, command where possible. These commands are copied from the guides from GCP.

  1. Setting project id for future use
PROJECT_ID=my-test-gcf-vpc-nat

  1. Go to Console and enable billing

  2. Set up a VPC and a test VM to test Cloud NAT

gcloud services enable compute.googleapis.com \
  --project $PROJECT_ID

gcloud compute networks create custom-network1 \
  --subnet-mode custom \
  --project $PROJECT_ID

gcloud compute networks subnets create subnet-us-east-192 \
  --network custom-network1 \
  --region us-east4 \
  --range 192.168.1.0/24 \
  --project $PROJECT_ID

gcloud compute instances create nat-test-1 \
  --image-family debian-9 \
  --image-project debian-cloud \
  --network custom-network1 \
  --subnet subnet-us-east-192 \
  --zone us-east4-c \
  --no-address \
  --project $PROJECT_ID

gcloud compute firewall-rules create allow-ssh \
  --network custom-network1 \
  --source-ranges 35.235.240.0/20 \
  --allow tcp:22 \
  --project $PROJECT_ID

  1. Created IAP SSH permissions using Console

  2. Test network config, the VM should not have internet access without Cloud NAT

gcloud compute ssh nat-test-1 \
  --zone us-east4-c \
  --command "curl -s ifconfig.io" \
  --tunnel-through-iap \
  --project $PROJECT_ID

command responded with connection timed out

  1. Set up Cloud NAT
gcloud compute routers create nat-router \
  --network custom-network1 \
  --region us-east4 \
  --project $PROJECT_ID

gcloud compute routers nats create nat-config \
  --router-region us-east4 \
  --router nat-router \
  --nat-all-subnet-ip-ranges \
  --auto-allocate-nat-external-ips \
  --project $PROJECT_ID
  1. Test network config again, the VM should have internet access with Cloud NAT
gcloud compute ssh nat-test-1 \
  --zone us-east4-c \
  --command "curl -s ifconfig.io" \
  --tunnel-through-iap \
  --project $PROJECT_ID

command responded with IP address

  1. Created VPC Access Connector
gcloud services enable vpcaccess.googleapis.com \
  --project $PROJECT_ID

gcloud compute networks vpc-access connectors create custom-network1-us-east4 \
  --network custom-network1 \
  --region us-east4 \
  --range 10.8.0.0/28 \
  --project $PROJECT_ID

gcloud compute networks vpc-access connectors describe custom-network1-us-east4 \
  --region us-east4 \
  --project $PROJECT_ID
  1. Added permissions for Google Cloud Functions Service Account
gcloud services enable cloudfunctions.googleapis.com \
  --project $PROJECT_ID

PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member=serviceAccount:[email protected] \
  --role=roles/viewer

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member=serviceAccount:[email protected] \
  --role=roles/compute.networkUser
  1. There are suggestions I should add additional firewall rules and service account permissions
# Additional Firewall Rules
gcloud compute firewall-rules create custom-network1-allow-http \
  --network custom-network1 \
  --source-ranges 0.0.0.0/0 \
  --allow tcp:80 \
  --project $PROJECT_ID

gcloud compute firewall-rules create custom-network1-allow-https \
  --network custom-network1 \
  --source-ranges 0.0.0.0/0 \
  --allow tcp:443 \
  --project $PROJECT_ID


# Additional Permission, actually this service account has an Editor role already.
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member=serviceAccount:[email protected] \
  --role=roles/compute.networkUser
  1. Deployed test Cloud Functions

index.js

const publicIp = require('public-ip')

exports.testVPC = async (req, res) => {
  const v4 = await publicIp.v4()
  const v6 = await publicIp.v6()
  console.log('ip', [v4, v6])
  return res.end(JSON.stringify([v4, v6]))
}
exports.testNoVPC = exports.testVPC

# Cloud Function with VPC Connector
gcloud functions deploy testVPC \
  --runtime nodejs10 \
  --trigger-http \
  --vpc-connector custom-network1-us-east4 \
  --egress-settings all \
  --region us-east4 \
  --allow-unauthenticated \
  --project $PROJECT_ID

# Cloud Function without VPC Connector
gcloud functions deploy testNoVPC \
  --runtime nodejs10 \
  --trigger-http \
  --region us-east4 \
  --allow-unauthenticated \
  --project $PROJECT_ID

The Cloud Function without VPC Connector responded with IP address https://us-east4-my-test-gcf-vpc-nat.cloudfunctions.net/testNoVPC

The Cloud Function with VPC Connector timed out https://us-east4-my-test-gcf-vpc-nat.cloudfunctions.net/testVPC

2
google-cloud-platformgoogle-cloud-functionsgoogle-cloud-networking
Hi, have you solved this issue? I've tried for 2 days and still nothing :( stackoverflow.com/questions/64711513/…dev_huesca
Yes, I have, please follow my comments on the answer below, the issue was that the package public-ip doesn't work as expected, you can try other methods to get static IPthammada.ts
It does not matter what I use, the function can't seem to connect to the internet (in my particular case is trying to connect to an ftp server to drop some files)dev_huesca

2 Answers

5
votes

  1. Configure a sample Cloud NAT setup with Compute Engine. Use the Compute Engine to test if your settings for Cloud NAT were done successfully.

  2. Configuring Serverless VPC Access. Make sure you create the VPC connector on the custom-network1 made in step 1.

  3. Create a Google Cloud Function

a.Under Networking choose the connector you created on step 2 and Route all traffic through the VPC connector.


import requests
import json

from flask import escape

def hello_http(request):

    response = requests.get('https://stackoverflow.com')

    print(response.headers)    
    return 'Accessing stackoverflow from cloud function:  {}!'.format(response.headers)

The Region for Cloud Nat, Vpc Connector and Cloud Function is us-central1

4.Test the function to see if you have access to internet:

Accessing stackoverflow from cloud function:  {'Cache-Control': 'private', 'Content-Type': 'text/html; charset=utf-8', 'Content-Encoding': 'gzip', 'X-Frame-Options': 'SAMEORIGIN', 'X-Request-Guid': 'edf3d1f8-7466-4161-8170-ae4d6e615d5c', 'Strict-Transport-Security': 'max-age=15552000', 'Feature-Policy': "microphone 'none'; speaker 'none'", 'Content-Security-Policy': "upgrade-insecure-requests; frame-ancestors 'self' https://stackexchange.com", 'Content-Length': '26391', 'Accept-Ranges': 'bytes', 'Date': 'Sat, 28 Mar 2020 19:03:17 GMT', 'Via': '1.1 varnish', 'Connection': 'keep-alive', 'X-Served-By': 'cache-mdw17354-MDW', 'X-Cache': 'MISS', 'X-Cache-Hits': '0', 'X-Timer': 'S1585422197.002185,VS0,VE37', 'Vary': 'Accept-Encoding,Fastly-SSL', 'X-DNS-Prefetch-Control': 'off', 'Set-Cookie': 'prov=78ecd1a5-54ea-ab1d-6d19-2cf5dc44a86b; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly'}!

Success, now you can specify a static IP address for NAT

0
votes

Check if the cloud nat routers were created in the same VPC used by the Serverless VPC Access.

Also check if the Cloud Function is deployed in the same region of the Cloud Routers used by the Cloud Nat.