I would like to deny direct access to Cloud Functions via their default URL, such as:
https://europe-west1-helloworld.cloudfunctions.net/function-name
And only allow access via the GCP Load Balancer.
I would expect to create some kind of service account which would be used by the Load Balancer when accessing the Functions/Run containers, but it is not possible to assign any.
My current state is:
- With `allUsers` in the Cloud Functions' permissions, I can access it both directly and via LB.
- Without `allUsers`, I cannot access them either directly or via LB.

You can achieve this by deploying or editing your Cloud Functions and configuring the "connection" section. Here, set the ingress option to accept only connections coming from the internal VPC network (and shared VPC and VPC SC) and the Load Balancer.
See picture here.
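To check which functions still answer on their default URL after applying the ingress setting from the answer, the audit below classifies each function by its `ingressSettings` value. It is an added example, not part of the original posts; the inventory is constructed sample data shaped like `gcloud functions list --format=json` output, and every function name except `function-name` is hypothetical.

```python
import json

# Constructed sample, shaped like `gcloud functions list --format=json` output.
# 1st gen functions carry ingressSettings at the top level,
# 2nd gen functions carry it under serviceConfig.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "projects/helloworld/locations/europe-west1/functions/function-name",
   "ingressSettings": "ALLOW_ALL"},
  {"name": "projects/helloworld/locations/europe-west1/functions/behind-lb",
   "ingressSettings": "ALLOW_INTERNAL_AND_GCLB"},
  {"name": "projects/helloworld/locations/europe-west1/functions/gen2-fn",
   "serviceConfig": {"ingressSettings": "ALLOW_INTERNAL_ONLY"}},
  {"name": "projects/helloworld/locations/europe-west1/functions/no-setting"}
]
""")

# Map each API ingress value to what it means for the scenario in the question.
STATUS = {
    "ALLOW_ALL": "direct-access",                # default URL reachable from the internet
    "ALLOW_INTERNAL_AND_GCLB": "lb-and-internal",  # the setting the answer recommends
    "ALLOW_INTERNAL_ONLY": "internal-only",      # also blocks the external load balancer
}


def ingress_of(fn):
    """Return the ingress setting of a 1st or 2nd gen function record."""
    setting = fn.get("ingressSettings")
    if not setting:
        setting = fn.get("serviceConfig", {}).get("ingressSettings")
    # Assumption: a record with no setting is audited as ALLOW_ALL,
    # so that an incomplete export is flagged rather than passed.
    return setting or "ALLOW_ALL"


def audit(inventory):
    """Return {short function name: status} for every function record."""
    report = {}
    for fn in inventory:
        short_name = fn["name"].rsplit("/", 1)[-1]
        # Unknown values are also flagged as direct-access for manual review.
        report[short_name] = STATUS.get(ingress_of(fn), "direct-access")
    return report


if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{status:16} {name}")
```

Functions reported as `direct-access` are the ones to redeploy with the restricted ingress option; `internal-only` ones will not be reachable through an external load balancer either.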