0
votes

I have set up nodejs and python cloud run services. The nodejs front end makes calls to the python service. The requests work when ingress=all; however, when I change to ingress=internal it blocks my service-to-service requests.

I tried using a VPC connector and routing all egress through the VPC connector in the nodejs service; however, this does not solve the issue.

Am I mistaken about how ingress=internal is supposed to work? I thought it would block anything except requests coming from a service within the same project, which it is.

Anyone have any ideas, or even where I could find some logs to at least help diagnose the issue?

1
Are the 2 services in the same project? Did you deploy with the allow-unauthorized param? - guillaume blaquiere
Yes, they are both within the same project, and yes, I deploy with allow-unauthorized allowed. - naofficer
What is calling the backend service? The JS in your browser? - guillaume blaquiere
Yes, I am making axios requests from React-Redux actions. - naofficer

1 Answer

1
votes

Your issue comes from the origin of your request. You need to be aware of this when you are trying to achieve a network configuration.

From your comments I understood that your frontend service serves React-Redux actions in the user's browser. Now, print the request flow:

User Browser -> Frontend -> User Browser
(Load JS on user Browser)
User Browser -> Backend -> ERROR

Indeed, the backend can be reached only by resources connected to the project VPC. In your case, it's the user's browser that performs the request, and thus you get an error.


The setup that you performed will work in this request flow:

User Browser -> Frontend -> (serverless VPC Connector) -> Backend -> (serverless VPC Connector) -> Frontend -> User Browser

That means the requests must all land in a publicly accessible service (here the frontend), which is connected to the VPC (through the serverless VPC Connector) and then performs the requests to the internal-only services.
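The working flow described in the answer, sketched as an added example (not code from the question or the answer): the frontend service forwards browser calls itself, so the backend only ever sees traffic that left the frontend container. The `/api/` prefix, the `BACKEND_URL` variable name and the header allowlist are assumptions.

```javascript
// Added example: frontend-side proxy, Node.js standard library only.
const http = require("http");
const https = require("https");

const API_PREFIX = "/api/"; // hypothetical path the browser code calls on the frontend
const FORWARDED = ["accept", "content-type", "content-length"]; // header allowlist (assumption)

// Map a browser request path to a backend URL; null means "do not forward".
function upstreamUrl(requestPath, backendBase) {
  if (typeof requestPath !== "string" || !requestPath.startsWith(API_PREFIX)) return null;
  const base = new URL(backendBase);
  const target = new URL(requestPath.slice(API_PREFIX.length - 1), base);
  // A path such as "/api//other.example/x" would resolve to a different host: refuse it.
  return target.origin === base.origin ? target : null;
}

// Copy only allowlisted headers, so the browser's Host and cookies are not passed on.
function upstreamHeaders(headers) {
  const out = {};
  for (const name of FORWARDED) if (headers[name] !== undefined) out[name] = headers[name];
  return out;
}

function makeHandler(backendBase) {
  return (req, res) => {
    const target = upstreamUrl(req.url, backendBase);
    if (!target) { res.writeHead(404); res.end("not found"); return; }
    const client = target.protocol === "https:" ? https : http;
    const opts = { method: req.method, headers: upstreamHeaders(req.headers) };
    // This request leaves the frontend container, i.e. through the VPC connector.
    const upstream = client.request(target, opts, (up) => {
      res.writeHead(up.statusCode, up.headers);
      up.pipe(res);
    });
    upstream.on("error", () => {
      if (!res.headersSent) res.writeHead(502);
      res.end("backend unreachable");
    });
    req.pipe(upstream);
  };
}

// Start only when configured; BACKEND_URL is an assumed environment variable name.
if (process.env.BACKEND_URL) {
  http.createServer(makeHandler(process.env.BACKEND_URL)).listen(process.env.PORT || 8080);
}
```

With this in place the browser code calls the frontend's own origin under `/api/` instead of the backend URL, and the backend can stay on ingress=internal.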