google-cloud-functions, google-cloud-endpoints-v2

Allowing internal traffic only for cloud function behind cloud endpoints


I am currently setting up a series of cloud functions behind cloud endpoints (ESPv2).

I already secured cloud functions by allowing only authenticated traffic from the cloud run service (like here).

I was wondering if it were possible to also select "internal traffic only" as the ingress setting. I tried but I only get 403s when I enable it.

This option should "only allow traffic from the same project or VPC". The cloud run service is in the default VPC and both the function and service are in the same project.


Edit:

Function works and is available here: https://europe-west1-iota-beta-296214.cloudfunctions.net/api-keys

Accessing it through ESPv2 (Cloud Run) returns a 503 when using a VPC Connector (it works if there is no connector): https://functions.getiota.fr/auth/jwks

The Cloud Run image was built following Google's tutorial, using a specific service account and VPC Connector (see the CLI doc).

Here is an extract of my endpoint service conf:

...
host: functions.getiota.fr
schemes:
  - https
produces:
  - application/json
paths:
  /auth/jwks:
    get:
      summary: Get the JSON web key set for authentication
      operationId: jwks
      x-google-backend:
        address: https://europe-west1-iota-beta-296214.cloudfunctions.net/api-keys
        protocol: h2
...


Edit 2 with workaround:

After following the answer below, everything works fine if the ESPv2 is deployed on cloud run with --set-env-vars=ESPv2_ARGS=--backend_dns_lookup_family=v4only. This option is described here.

I followed up with this issue on ESPv2's GitHub: https://github.com/GoogleCloudPlatform/esp-v2/issues/423


Solution

  • To achieve this, you need to add a serverless VPC Connector to your Cloud Run instance that hosts ESPv2, and to route all the egress traffic to this connector.

    gcloud beta run services update <SERVICE ESPv2> \
      --vpc-connector projects/<PROJECT_ID>/locations/<REGION>/connectors/<CONNECTOR_NAME> \
      --vpc-egress all

    Note: the connector must be in the same region as the Cloud Run service. Check the supported regions.
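The complete set of commands for the setup the question and this answer describe, as an added example that is not code from the question, the answer or Google's documentation. The project, connector, service and service-account names are placeholders; the region and function name are the ones from the question; the egress value all-traffic is the current spelling of the answer's all (used with the beta command), and the ESPv2_ARGS setting is the workaround from "Edit 2". The run helper prints each command instead of executing it when DRY_RUN=1, so the plan can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: one script that applies
# the setup discussed on this page. Every name below is a placeholder unless noted.
PROJECT_ID="${PROJECT_ID:-my-project}"                       # placeholder
REGION="${REGION:-europe-west1}"                              # region used in the question
CONNECTOR="${CONNECTOR:-esp-connector}"                       # placeholder connector name
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"             # placeholder: an unused /28 in the VPC
FUNCTION="${FUNCTION:-api-keys}"                              # function name from the question
FUNCTION_RUNTIME="${FUNCTION_RUNTIME:-nodejs16}"              # placeholder
FUNCTION_SOURCE="${FUNCTION_SOURCE:-./function}"              # placeholder
ESP_SERVICE="${ESP_SERVICE:-esp-gateway}"                     # placeholder Cloud Run service
ESP_SA="${ESP_SA:-esp-gateway@${PROJECT_ID}.iam.gserviceaccount.com}"  # placeholder SA

# run: execute the command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s ' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# 1. Backend function: no unauthenticated callers, and ingress restricted to
#    callers inside the project / VPC. Without the connector below, ESPv2 on
#    Cloud Run reaches it over the public internet and gets the 403 from the question.
deploy_backend_function() {
  run gcloud functions deploy "$FUNCTION" \
    --project="$PROJECT_ID" --region="$REGION" \
    --runtime="$FUNCTION_RUNTIME" --source="$FUNCTION_SOURCE" \
    --trigger-http --no-allow-unauthenticated \
    --ingress-settings=internal-only
}

# 2. Only the ESPv2 service account may invoke the function.
grant_invoker() {
  run gcloud functions add-iam-policy-binding "$FUNCTION" \
    --project="$PROJECT_ID" --region="$REGION" \
    --member="serviceAccount:$ESP_SA" \
    --role=roles/cloudfunctions.invoker
}

# 3. Serverless VPC connector; it must be in the same region as the Cloud Run service.
create_connector() {
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project="$PROJECT_ID" --region="$REGION" \
    --network=default --range="$CONNECTOR_RANGE"
}

# 4. Route all ESPv2 egress through the connector (the answer's step) and apply
#    the DNS lookup override from "Edit 2" that avoids the 503 behind the connector.
#    The answer used "--vpc-egress all" with the beta command; the current value
#    of the flag is all-traffic.
update_esp_service() {
  run gcloud run services update "$ESP_SERVICE" \
    --project="$PROJECT_ID" --region="$REGION" --platform=managed \
    --service-account="$ESP_SA" \
    --vpc-connector="projects/$PROJECT_ID/locations/$REGION/connectors/$CONNECTOR" \
    --vpc-egress=all-traffic \
    --set-env-vars=ESPv2_ARGS=--backend_dns_lookup_family=v4only
}

deploy_all() {
  deploy_backend_function
  grant_invoker
  create_connector
  update_esp_service
}

# Run with "apply" to execute; DRY_RUN=1 prints the commands instead.
case "${1:-}" in
  apply) deploy_all ;;
esac
```

Usage: DRY_RUN=1 sh deploy.sh apply prints the four gcloud invocations with the placeholders substituted; sh deploy.sh apply runs them against the active gcloud account. Keeping the function on internal-only ingress plus the invoker binding means both the network path and the identity of the caller are checked, so a leaked function URL alone is not enough to reach it.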