google-cloud-platform, google-cloud-run, google-vpc, google-cloud-api-gateway

Using GCP API Gateway to front a Cloud Run backend with private ingress


I'd like to front my Cloud Run hosted API with API Gateway, and only allow access to the Cloud Run URL from API Gateway.

I currently have an API deployed to Cloud Run with "public" ingress and authorization enabled. This works; however, I'm curious if I can change my ingress model on Cloud Run to "internal" in order to entirely avoid routing any internet traffic to my Cloud Run container.

I know API Gateway is in Beta, and it seems like some aspects of internal ingress are Beta as well; however, I'm curious if there is a way to make this work.

Per the ingress docs, it seems like if I can somehow make my API Gateway request come from a VPC network, this setup should work. However, I am not able to find a way to make this happen on the API Gateway side.


Solution

  • When you deploy a Cloud Run service with internal only ingress, the requests need to come from the VPC SC or from your VPC.

    With API Gateway, you can't plug your VPC or use the service in VPC SC (not a supported service), so you can't, yet.

    The team is aware of this issue and should work on it. I don't know the priority and the ETA.
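
Added example (not part of the original question or answer): because API Gateway cannot reach an internal-ingress service, the public-ingress-plus-authorization setup described in the question leaves IAM as the only gate on the Cloud Run URL. This Python check audits constructed JSON shaped like `gcloud run services describe` and `gcloud run services get-iam-policy` output; the service name, service account, and the limitation to direct `roles/run.invoker` bindings on the service are assumptions.

```python
import json

INVOKER_ROLE = "roles/run.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INGRESS_KEY = "run.googleapis.com/ingress"  # ingress annotation on the service

# Constructed samples (hypothetical names), shaped like --format=json output.
GATEWAY_SA = "serviceAccount:gateway-sa@example-project.iam.gserviceaccount.com"
SAMPLE_SERVICE = {"metadata": {"name": "orders-api",
                               "annotations": {INGRESS_KEY: "all"}}}
SAMPLE_POLICY = json.loads("""
{"bindings": [{"role": "roles/run.invoker",
               "members": ["serviceAccount:gateway-sa@example-project.iam.gserviceaccount.com"]}],
 "etag": "CONSTRUCTED", "version": 1}
""")


def audit(service, policy, gateway_member):
    """Return findings; an empty list means only the gateway identity can invoke.

    Scope (assumption): inspects direct roles/run.invoker bindings on the
    service only, not project-level bindings or other roles.
    """
    findings = []
    annotations = service.get("metadata", {}).get("annotations", {})
    # Assumption: a missing annotation means the default ingress, "all".
    ingress = annotations.get(INGRESS_KEY, "all")
    if ingress != "all":
        findings.append(f"INGRESS: '{ingress}' is unreachable from API Gateway")

    invokers = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            invokers.update(binding.get("members", []))

    for member in sorted(invokers & PUBLIC_MEMBERS):
        findings.append(f"PUBLIC: {member} can invoke the Cloud Run URL directly")
    for member in sorted(invokers - PUBLIC_MEMBERS - {gateway_member}):
        findings.append(f"UNEXPECTED: {member} can bypass the gateway")
    if gateway_member not in invokers:
        findings.append(f"MISSING: {gateway_member} cannot invoke the backend")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SERVICE, SAMPLE_POLICY, GATEWAY_SA) or ["OK: gateway-only invoker"]:
        print(line)
```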