google-cloud-platform, google-cloud-run, google-cloud-networking

Allowing cloud run service with internal traffic ingress to be accessible in other projects


I have an API launched on a Cloud Run service in project dev. I don't want to expose the API, so I set its ingress to "Allow internal and Cloud Load Balancing traffic".

I have another Cloud Run frontend application in a different project. It's connected with a VPC connector to that project's VPC and routes all traffic through the VPC connector.

I want to access the same API service from the previous project, so I basically created a VPC Peering between the two projects, thinking that traffic to the other project's Cloud Run service would go through the peering. That seems not to be the case, as my application is still not able to reach the other project's API Cloud Run service. The frontend service does not send the traffic directly to the Cloud Run URL; it sends it through a server/API request (using a Next.js API route here, for context), so I was of the view that it would go through the VPC connector, through the peering, and reach the other project's Cloud Run URL.

Is there something I did wrong here, or is it not a setup that's going to work at the moment?


Solution

  • GCP Serverless VPC Access connectors and VPC Peering are not transitive by default.

    Non-transitivity in GCP networking basically means that if we have three networks, A, B and C, and network A is connected to B and B is connected to C, it does not mean that A is connected to C. Read more on GCP network peering transitivity here: vpc-peering-docs.

    Cloud Run does not live in the user's or organization's VPC but in a separate network (owned by Google). Hence, when the network in project A is peered with the network in project B, the connection from the Cloud Run service becomes a third network, and since peering is not transitive, the Cloud Run network can of course connect to resources in the same project through the Serverless VPC Access connector but cannot connect to the network in project B, even though the two networks are peered.

    If you still want to connect your Cloud Run services in a project to services in a different project privately, then consider reading this documentation: cloud run authentication. With this method, you can restrict traffic to require authentication using IAM credentials, for example.

    Credit to John Hanley
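The IAM-based path the answer points at, written out as an added example (not code from the question, the answer, or Google): the frontend's Next.js API route fetches a Google-signed ID token for the API's URL from the metadata server and sends it as a Bearer credential, so the API can stay unreachable to anonymous callers without relying on the VPC peering. The service URL `API_URL` is a placeholder, and the example assumes the frontend's runtime service account has been granted the Cloud Run Invoker role (`roles/run.invoker`) on the API service and that the API service's ingress setting admits the request; `fetchImpl` is injectable only so the flow can be exercised outside GCP.

```javascript
// Added example: server-side call from one Cloud Run service to another,
// authenticated with an ID token from the metadata server. Not the page's code.

const METADATA_HOST = 'http://metadata.google.internal';
// Placeholder for the protected API's Cloud Run URL (hypothetical value).
const API_URL = 'https://api-service-PLACEHOLDER.a.run.app';

// Request that makes the metadata server mint an ID token whose audience is
// the target service URL; Cloud Run rejects tokens minted for other audiences.
function buildIdTokenRequest(audience) {
  const url =
    `${METADATA_HOST}/computeMetadata/v1/instance/service-accounts/default/identity` +
    `?audience=${encodeURIComponent(audience)}`;
  return { url, headers: { 'Metadata-Flavor': 'Google' } };
}

// Request to the protected service: path resolved against the service URL,
// token carried as a Bearer credential in the Authorization header.
function buildServiceRequest(apiUrl, path, token) {
  return {
    url: new URL(path, apiUrl).toString(),
    headers: { Authorization: `Bearer ${token}` },
  };
}

// Obtain the token, then call the service. Any non-2xx from the metadata
// server means we are not running with a usable service account; stop there.
async function callProtectedService(apiUrl, path, fetchImpl = fetch) {
  const tokenReq = buildIdTokenRequest(apiUrl);
  const tokenRes = await fetchImpl(tokenReq.url, { headers: tokenReq.headers });
  if (!tokenRes.ok) {
    throw new Error(`metadata server returned ${tokenRes.status}`);
  }
  const token = await tokenRes.text();

  const svcReq = buildServiceRequest(apiUrl, path, token);
  const res = await fetchImpl(svcReq.url, { headers: svcReq.headers });
  return { status: res.status, body: await res.text() };
}

// Next.js API route handler (pages/api/proxy.js would export this as its
// default). The token never reaches the browser; only this server-side code
// talks to the protected API.
async function handler(req, res) {
  try {
    const result = await callProtectedService(API_URL, '/v1/items');
    res.status(result.status).send(result.body);
  } catch (err) {
    res.status(502).json({ error: err.message });
  }
}
```

The API service keeps its IAM policy without an `allUsers` invoker binding, so a caller that cannot present a token signed for that service's URL, including one arriving over the peering, gets a 403 from Cloud Run before the request ever reaches the container.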