Tags: java, containers, microservices, api-gateway, google-cloud-run

How to hide my public microservices from everyone except the api gateway?


I have containerised services deployed on google cloud run. The application consists of a few microservices and one api gateway. As google cloud run provides public endpoints, all my microservices are public. I want to only make the api gateway public and the rest of the services should only be accessible via the gateway as a reverse proxy. How can I hide the microservices from public eye? Requests coming from anywhere except the api gateway should be rejected.


Solution

  • You can add an API gateway in front of your microservice and activate the security on the microservice.

    Only the gateway will be authorized to access your microservice; all the other requests, even if the endpoint is public, will be discarded by the Google Front End (I mean, it's a Google layer, and you pay nothing more for this).

    As API Gateway, you can, for example, use Cloud Endpoints. I wrote an article on this to access a secure backend with a simple API key. In your case, you can deactivate the API key security and you will have a public API Gateway, and only the gateway will be able to reach the private services.

    EDIT

    In your case, you don't need an API key. Simply remove the security definition (at the end of the file) and don't put a security: definition in the backend definitions (or globally).

    Then

    • Deploy Cloud Endpoints on a public Cloud Run. This URL is public and anyone can reach it, without an API key.
    • Deploy your backend services (Cloud Run, Cloud Functions) in private mode (App Engine behind IAP). This time these services can be reached ONLY by an authenticated AND authorized account.
    • Grant the Cloud Endpoints service account permission to reach the backend services (Cloud Functions Invoker for Cloud Functions, Cloud Run Invoker for Cloud Run, IAP-secured Web App User for App Engine).

    At the end, only the Cloud Endpoints service account is authorized to reach your backend.
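As an added example (not from the answer's author or from Google's documentation), here is what the Cloud Endpoints OpenAPI configuration for the setup above looks like once the API key security is removed. The gateway hostname, the two backend service URLs and the paths are made-up placeholders; the only real mechanism is `x-google-backend`, which makes ESPv2 forward each request to a private Cloud Run service with an identity token minted for the gateway's own service account.

```yaml
# openapi.yaml - Cloud Endpoints (ESPv2) config for a public gateway
# in front of private Cloud Run backends. Hostnames are placeholders.
swagger: "2.0"
info:
  title: public-gateway
  description: Public entry point; backends are reachable only through it
  version: 1.0.0
# Hostname of the Cloud Run service that runs the ESPv2 gateway container
host: gateway-PLACEHOLDER-uc.a.run.app
schemes:
  - https
produces:
  - application/json

# No top-level "security:" block here: the gateway is open to everyone.
# Each operation points at its own private backend. ESPv2 attaches an
# OIDC identity token for the gateway's service account on every hop, and
# Cloud Run's IAM check (roles/run.invoker) rejects any caller without it.
paths:
  /users/{id}:
    get:
      summary: Look up a user through the gateway
      operationId: getUser
      parameters:
        - name: id
          in: path
          required: true
          type: string
      x-google-backend:
        # Private Cloud Run service (deployed with --no-allow-unauthenticated)
        address: https://users-svc-PLACEHOLDER-uc.a.run.app
        protocol: h2
        # Keep the request path: /users/123 -> https://users-svc.../users/123
        path_translation: APPEND_PATH_TO_ADDRESS
      responses:
        "200":
          description: The user record
          schema:
            type: object
  /orders:
    post:
      summary: Create an order through the gateway
      operationId: createOrder
      x-google-backend:
        address: https://orders-svc-PLACEHOLDER-uc.a.run.app
        protocol: h2
        path_translation: APPEND_PATH_TO_ADDRESS
      responses:
        "201":
          description: Order created
          schema:
            type: object

# The block the answer tells you to delete for a public gateway is shown
# here only for comparison. Leaving it in (and referencing it with a
# "security:" entry) would require ?key=... on every gateway call.
# securityDefinitions:
#   api_key:
#     type: apiKey
#     name: key
#     in: query
```

Deployment follows the three bullets above: deploy users-svc and orders-svc with `gcloud run deploy --no-allow-unauthenticated`, create a dedicated service account for the gateway and bind it to each backend with `gcloud run services add-iam-policy-binding ... --role=roles/run.invoker`, register the config with `gcloud endpoints services deploy openapi.yaml`, and deploy the ESPv2 image with `--allow-unauthenticated --service-account=<gateway SA>`. A quick check that the isolation works is to `curl` a backend URL directly without a token, which should return HTTP 403 from Google's front end, while the same path through the gateway hostname succeeds.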