Tags: google-cloud-run, google-vpc

Accessing Cloud Run Service through existing VPC with VPN Tunnel from corp network


We currently have a VPC named ABC that contains various instances which we can reach through a dedicated VPN tunnel from our corporate network, and everything there has been working fine for well over a year.
We are now wanting to run some containers within Cloud Run. I have deployed our container and, by switching the Ingress Control to All, I am able to reach the URL and hit the endpoint that our container is serving up. We don't want our container to be publicly accessible, so we want to restrict access to the corporate network. I have created a VPC connector ABC-Conn to connect to ABC with a subnet of 10.8.0.0/28 (default). What I cannot figure out is how to reach the service being served up by Cloud Run from my desktop. Whenever I try to hit the URL I get a 403, which I suspect means I am not going through our corp VPN tunnel but rather straight out to the internet to hit the service. I am assuming it's something to do with the routing, and I do see a route for 10.8.0.0/28 with a priority of 0, but obviously that isn't enough.


Solution

  • The VPC Connector is only for egress traffic and is used to enable Cloud Run to consume resources on the VPC by their private IP. It is not necessary in your use case.

    In your scenario, where you want to consume the Cloud Run service privately, you have two options:

    1. The first solution is to set up an Internal Load Balancer in front of the Cloud Run service; follow this guide:

    2. Set up Private Google Access for your on-prem networks. For this option, if the VPN is in a different project than the Cloud Run service, you need to implement VPC Service Controls.

    I recommend option 2 because it is a secure way and is also valid for other GCP resources in the future.
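For option 1 above, the following Terraform configuration is an added example (not part of the original answer or the questioner's setup) of placing a Cloud Run service behind a regional internal HTTP load balancer in the existing VPC, so that the service is reachable only from the VPC and from networks connected to it such as the corporate VPN tunnel. The project ID, region, service name, container image, and the two subnet values are assumptions; the VPC name ABC and the fact that the VPC already exists come from the question.

```hcl
# Added example, not from the original page. Cloud Run behind a regional
# internal HTTP load balancer in the existing VPC "ABC".
# Assumptions: project "my-project", region "us-central1", service "abc-api",
# the image path, the proxy-only CIDR and the existing subnet name "abc-subnet".

locals {
  project = "my-project"  # assumption
  region  = "us-central1" # assumption
}

# The VPC ABC already exists (per the question), so it is referenced, not created.
data "google_compute_network" "abc" {
  name    = "ABC"
  project = local.project
}

# The Envoy-based internal HTTP(S) load balancer needs a proxy-only subnet
# in the region; the CIDR must be unused inside ABC (assumption).
resource "google_compute_subnetwork" "proxy_only" {
  name          = "abc-proxy-only"
  project       = local.project
  region        = local.region
  network       = data.google_compute_network.abc.id
  ip_cidr_range = "10.129.0.0/23"
  purpose       = "REGIONAL_MANAGED_PROXY"
  role          = "ACTIVE"
}

# Cloud Run service with ingress restricted to internal load balancers:
# the public *.run.app hostname no longer serves requests from the internet.
resource "google_cloud_run_v2_service" "api" {
  name     = "abc-api"
  project  = local.project
  location = local.region
  ingress  = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"

  template {
    containers {
      image = "us-docker.pkg.dev/my-project/repo/abc-api:1.0" # assumption
    }
  }
}

# Serverless network endpoint group that points the LB at the Cloud Run service.
resource "google_compute_region_network_endpoint_group" "api_neg" {
  name                  = "abc-api-neg"
  project               = local.project
  region                = local.region
  network_endpoint_type = "SERVERLESS"
  cloud_run {
    service = google_cloud_run_v2_service.api.name
  }
}

resource "google_compute_region_backend_service" "api" {
  name                  = "abc-api-backend"
  project               = local.project
  region                = local.region
  load_balancing_scheme = "INTERNAL_MANAGED"
  protocol              = "HTTP"
  backend {
    group = google_compute_region_network_endpoint_group.api_neg.id
  }
}

resource "google_compute_region_url_map" "api" {
  name            = "abc-api-urlmap"
  project         = local.project
  region          = local.region
  default_service = google_compute_region_backend_service.api.id
}

resource "google_compute_region_target_http_proxy" "api" {
  name    = "abc-api-proxy"
  project = local.project
  region  = local.region
  url_map = google_compute_region_url_map.api.id
}

# Internal forwarding rule: gets a private IP in ABC. allow_global_access lets
# clients arriving over a Cloud VPN gateway in a different region reach it too.
resource "google_compute_forwarding_rule" "api" {
  name                  = "abc-api-ilb"
  project               = local.project
  region                = local.region
  load_balancing_scheme = "INTERNAL_MANAGED"
  network               = data.google_compute_network.abc.id
  subnetwork            = "abc-subnet" # assumption: an existing subnet in ABC
  ip_protocol           = "TCP"
  port_range            = "80"
  target                = google_compute_region_target_http_proxy.api.id
  allow_global_access   = true
  depends_on            = [google_compute_subnetwork.proxy_only]
}

output "internal_url" {
  value = "http://${google_compute_forwarding_rule.api.ip_address}/"
}
```

From the corporate desktop the service is then reached at the forwarding rule's private IP (or a private DNS name for it) rather than at the run.app URL, which is why the corporate side of the VPN must route that subnet through the tunnel. Two checks worth making after applying this: first, that the run.app URL now refuses requests from the internet, which confirms the ingress setting took effect; second, that the internal load balancer does not add any authentication of its own, so the Cloud Run invoker IAM binding still decides who may call the service once traffic is inside the VPC. The VPC connector from the question plays no part in this path.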