Tags: google-app-engine, google-cloud-platform, google-cloud-functions, google-cloud-run

Use a fixed public IP (to whitelist) on GCP Cloud Run / Function


I'm looking at the best way to deploy an app to GCP. This app needs to use a microservice (running on Cloud Run or Cloud Functions) to execute SQL code on a distant database.

Basically, the microservice receives a piece of SQL code and needs to execute it on a distant database. For security reasons, the distant database will have to whitelist the IP address that the app will use to connect to it.

On GCP, what would be the best way to have a fixed, public IP address that a distant DB can whitelist, considering that I want to use Cloud Run or Cloud Functions?

NB: I'm aware of solutions using GKE, or on AWS, using Lambda + a NAT instance.

Thanks!


Solution

  • You have several solutions to achieve this:

    • Use Cloud Run on GKE. In this case, you have your VMs on your VPC and you know their IPs. However, you have several public IPs, and the IP changes if the VM restarts. The good pattern is to remove the public IP from the VMs and to deploy Cloud NAT to map all the egress traffic onto a single external (and public) IP.
    • Use Cloud Functions. In this case, you have to add an additional component: Serverless VPC Access. This component allows routing the traffic (all of it, or only that to private destination IPs) originating from the serverless component. Thereby, your request goes through this element and comes into your VPC. Then, as before, configure Cloud NAT to map the external IP to a static, public IP.

    Serverless VPC Access works with App Engine and Cloud Functions. Cloud Run should be compatible with it in 2020.

    Last alternative: in both cases, we use Cloud NAT to go out to the public internet with a static IP. You could instead set up a VPN between your VPC and the on-prem network (where your database is hosted), and then you have nothing to whitelist: all the communication stays inside the same virtual private network.
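The Cloud Functions path described in the answer (Serverless VPC Access connector + Cloud NAT pinned to a reserved address), written out as Terraform. This is an added example, not code from the question, the answer or Google; the region, network name, connector range, bucket and resource names are assumptions.

```hcl
# Added example (not from the post): static egress IP for a Cloud Function.
# Assumed values: region europe-west1, VPC "default", connector range 10.8.0.0/28,
# source zip in bucket "example-src-bucket". Project comes from the provider config.

# 1. Reserve the one public IP the remote database will whitelist.
resource "google_compute_address" "egress" {
  name   = "serverless-egress-ip"
  region = "europe-west1"
}

# 2. Cloud Router + Cloud NAT pinned to that address. MANUAL_ONLY matters:
#    AUTO_ONLY hands out ephemeral IPs that change and silently break the whitelist.
resource "google_compute_router" "nat" {
  name    = "serverless-nat-router"
  region  = "europe-west1"
  network = "default"
}
resource "google_compute_router_nat" "nat" {
  name                               = "serverless-nat"
  router                             = google_compute_router.nat.name
  region                             = "europe-west1"
  nat_ip_allocate_option             = "MANUAL_ONLY"
  nat_ips                            = [google_compute_address.egress.self_link]
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
  log_config {
    enable = true
    filter = "ERRORS_ONLY" # shows dropped connections, e.g. NAT port exhaustion
  }
}

# 3. Serverless VPC Access connector: the bridge from the function into the VPC.
resource "google_vpc_access_connector" "connector" {
  name          = "serverless-connector"
  region        = "europe-west1"
  network       = "default"
  ip_cidr_range = "10.8.0.0/28"
}

# 4. ALL_TRAFFIC is decisive: the default PRIVATE_RANGES_ONLY sends only RFC 1918
#    destinations via the connector, so a public DB address would bypass Cloud NAT.
resource "google_cloudfunctions_function" "sql_runner" {
  name                          = "sql-runner"
  runtime                       = "python39"
  entry_point                   = "run_sql"
  region                        = "europe-west1"
  trigger_http                  = true
  source_archive_bucket         = "example-src-bucket"
  source_archive_object         = "sql-runner.zip"
  vpc_connector                 = google_vpc_access_connector.connector.id
  vpc_connector_egress_settings = "ALL_TRAFFIC"
}
```

After apply, `google_compute_address.egress.address` is the value to whitelist on the database side; every workload behind that NAT shares it, so the database's TLS and credential checks remain the real authentication.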