Cloud Run Networking explained (Updated!)

By Google Cloud Tech


Key Concepts

  • Cloud Run: A managed, serverless compute platform for running containers.
  • Private Service Connect (PSC): Enables private connectivity between VPC networks without using public IPs. The video distinguishes between PSC for Google APIs and PSC Producer Services.
  • Serverless VPC Access Connector: A method for Cloud Run to access resources within a VPC, now superseded by Direct VPC Egress in many cases.
  • Direct VPC Egress: A newer, recommended method for Cloud Run to access VPC resources, offering lower latency and higher throughput.
  • Network Connectivity Center (NCC): A hub-and-spoke model for connecting VPC networks and hybrid environments.
  • Serverless NEG (Network Endpoint Group): Used with Application Load Balancers to expose Cloud Run services.

Ingress Patterns for Cloud Run

The video details two primary ingress patterns for securing Cloud Run services: Private Service Connect (PSC) for Google APIs and PSC Producer Services.

PSC for Google APIs: This method provides private connectivity to Cloud Run services through a global internal IP address inside your VPC, with the service still reached via its run.app URL. It avoids reliance on Google-provided BYOIP (Bring Your Own IP) addresses. However, PSC endpoints do not work across VPC Peering, and PSC propagation within Network Connectivity Center (NCC) is not yet supported for them. Implementation requires a PSC endpoint in every VPC that needs access, together with a private DNS zone for run.app and a forwarding zone for hybrid traffic. This pattern is best suited to scenarios where the service is accessed through its default run.app URL.
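As an added illustration of this pattern (Terraform written for this summary, not configuration from the video or from Google), the following shows the consumer-side pieces the paragraph lists: a PSC endpoint for the Google APIs bundle, a private run.app zone with a wildcard record that resolves to the endpoint, and a Cloud Run service that admits only internal traffic. The resource names, the 10.255.0.2 endpoint address, the region and the sample image are assumptions; the project is taken from the provider configuration.

```hcl
# Added example, not from the video: consumer-side PSC endpoint for Google APIs
# so that *.run.app resolves to an internal IP inside this VPC.
# Assumptions: project set at provider level; names, address and region are made up.

resource "google_compute_network" "consumer" {
  name                    = "consumer-vpc"
  auto_create_subnetworks = false
}

# Reserve a global internal IP for the endpoint. It must not overlap any subnet
# in this VPC or in networks that route to it.
resource "google_compute_global_address" "psc_apis" {
  name         = "psc-google-apis-ip"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  address_type = "INTERNAL"
  network      = google_compute_network.consumer.id
  address      = "10.255.0.2" # assumed free address
}

# The endpoint: a global forwarding rule targeting the "all-apis" bundle, which
# includes Cloud Run. One endpoint is needed per VPC, because PSC endpoints are
# not reachable across VPC Peering.
resource "google_compute_global_forwarding_rule" "psc_apis" {
  name                  = "pscapis" # keep endpoint names short; Google caps their length
  target                = "all-apis"
  network               = google_compute_network.consumer.id
  ip_address            = google_compute_global_address.psc_apis.id
  load_balancing_scheme = ""
}

# Private zone for run.app, visible only to the consumer VPC. On-premises
# resolvers are served by the forwarding zone the summary mentions (not shown).
resource "google_dns_managed_zone" "run_app" {
  name       = "run-app-private"
  dns_name   = "run.app."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = google_compute_network.consumer.id
    }
  }
}

# Wildcard A record: every *.run.app hostname resolves to the endpoint IP,
# so requests stay on Google's private path instead of hitting public VIPs.
resource "google_dns_record_set" "run_app_wildcard" {
  managed_zone = google_dns_managed_zone.run_app.name
  name         = "*.run.app."
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_global_address.psc_apis.address]
}

# The service refuses anything that does not arrive over the internal path,
# so the private endpoint is the only way in even though the URL is public.
resource "google_cloud_run_v2_service" "app" {
  name     = "internal-app"
  location = "us-central1"
  ingress  = "INGRESS_TRAFFIC_INTERNAL_ONLY"
  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # Google's public sample image
    }
  }
}
```

A quick check after apply: from a VM in the consumer VPC, resolving any name under run.app should return 10.255.0.2, and the same run.app URL requested from outside the VPC should be rejected by the service's ingress setting. Because the endpoint is not visible across VPC Peering, a peered VPC that also needs access gets its own copy of the endpoint and zone rather than relying on this one.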

PSC Producer Services: This approach exposes Cloud Run through an internal regional or cross-region Application Load Balancer (ALB) with a Serverless NEG as its backend. To enable PSC access, the load balancer's forwarding rule is associated with a service attachment and a PSC NAT subnet. The size of the PSC NAT subnet is determined by the anticipated number of PSC endpoints (a one-to-one mapping). PSC endpoints in other VPCs connect to this service attachment. Crucially, the private DNS zone for the custom domain on the ALB should point to the PSC endpoint's IP address, not the load balancer's IP. As with the Google APIs method, PSC endpoints aren't natively reachable via VPC Peering, so access from external workloads requires PSC propagation on the NCC hub. This method is ideal when you want custom domain names, control over which projects may connect, and minimal load balancer IP space consumption by isolating Cloud Run services within "island mode" VPCs.
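The producer-service chain above, as an added Terraform example (written for this summary, not from the video or from Google): serverless NEG, regional internal ALB, service attachment with its PSC NAT subnet, and on the consumer side the endpoint plus the DNS record that deliberately points at the endpoint rather than the load balancer. Both VPCs, a regular producer subnet, the region's proxy-only subnet and a private DNS zone on the consumer VPC are assumed to exist and are passed in as variables; every name, CIDR, domain and connection limit is made up.

```hcl
# Added example, not from the video or from Google: publish an existing Cloud Run
# service as a PSC producer service behind a regional internal ALB and consume it
# from a second VPC. Pre-existing inputs are passed in below; every name, CIDR,
# domain and limit here is made up.

variable "cloud_run_service" { type = string } # existing Cloud Run service name
variable "producer_network"  { type = string } # self-link of the producer VPC
variable "producer_subnet"   { type = string } # regular subnet for the ILB frontend
variable "consumer_project"  { type = string } # project allowed to connect
variable "consumer_network"  { type = string } # self-link of the consumer VPC
variable "consumer_subnet"   { type = string } # subnet that holds the endpoint IP
variable "consumer_dns_zone" { type = string } # private zone for internal.example.com
variable "region"            { default = "us-central1" }

# PSC NAT subnet: every consumer endpoint consumes one address here, so size it
# to the number of endpoints you expect (a /28 is plenty for this example).
resource "google_compute_subnetwork" "psc_nat" {
  name          = "psc-nat"
  region        = var.region
  network       = var.producer_network
  ip_cidr_range = "10.10.2.0/28"
  purpose       = "PRIVATE_SERVICE_CONNECT"
}

# Serverless NEG -> backend service -> URL map -> proxy -> internal forwarding rule.
resource "google_compute_region_network_endpoint_group" "run" {
  name                  = "run-neg"
  region                = var.region
  network_endpoint_type = "SERVERLESS"
  cloud_run { service = var.cloud_run_service }
}
resource "google_compute_region_backend_service" "run" {
  name                  = "run-backend"
  region                = var.region
  load_balancing_scheme = "INTERNAL_MANAGED"
  protocol              = "HTTPS"
  backend { group = google_compute_region_network_endpoint_group.run.id }
}
resource "google_compute_region_url_map" "run" {
  name            = "run-urlmap"
  region          = var.region
  default_service = google_compute_region_backend_service.run.id
}
resource "google_compute_region_target_http_proxy" "run" {
  name    = "run-proxy"
  region  = var.region
  url_map = google_compute_region_url_map.run.id
}
resource "google_compute_forwarding_rule" "ilb" {
  name                  = "run-ilb"
  region                = var.region
  load_balancing_scheme = "INTERNAL_MANAGED"
  network               = var.producer_network
  subnetwork            = var.producer_subnet
  port_range            = "80"
  target                = google_compute_region_target_http_proxy.run.id
}

# Service attachment: the producer side of PSC. ACCEPT_MANUAL plus an accept list
# is what gives per-project control over who may connect, and how many times.
resource "google_compute_service_attachment" "run" {
  name                  = "run-attachment"
  region                = var.region
  connection_preference = "ACCEPT_MANUAL"
  nat_subnets           = [google_compute_subnetwork.psc_nat.id]
  target_service        = google_compute_forwarding_rule.ilb.id
  consumer_accept_lists {
    project_id_or_num = var.consumer_project
    connection_limit  = 5
  }
}

# Consumer side: a reserved internal address plus a forwarding rule that targets
# the attachment. This endpoint IP is the only address clients should ever use.
resource "google_compute_address" "endpoint" {
  name         = "run-psc-endpoint-ip"
  region       = var.region
  subnetwork   = var.consumer_subnet
  address_type = "INTERNAL"
}
resource "google_compute_forwarding_rule" "endpoint" {
  name                  = "run-psc-endpoint"
  region                = var.region
  network               = var.consumer_network
  ip_address            = google_compute_address.endpoint.id
  target                = google_compute_service_attachment.run.id
  load_balancing_scheme = ""
}

# The custom-domain A record points at the endpoint IP, never at the ILB's own
# frontend address, which is not routable from the consumer VPC.
resource "google_dns_record_set" "app" {
  managed_zone = var.consumer_dns_zone
  name         = "app.internal.example.com."
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_address.endpoint.address]
}
```

Two things worth checking after apply: the service attachment's connected endpoints list should show the consumer forwarding rule as ACCEPTED (a project missing from the accept list stays PENDING, which is the access control in action), and the PSC NAT subnet should be widened before its free addresses run out, since each additional endpoint needs one. A production deployment would terminate TLS on the ALB with a target HTTPS proxy and certificate instead of the plain HTTP proxy used here to keep the chain short.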

Egress Patterns for Cloud Run

The video highlights the evolution of egress options, emphasizing the benefits of Direct VPC Egress.

Direct VPC Egress: This newer, recommended feature lets you assign a subnet inside a VPC directly to Cloud Run for its egress traffic. It offers lower latency and higher throughput and eliminates the overhead of Serverless VPC Access Connectors; cost is based solely on network traffic. The configuration can route either all egress traffic or only traffic bound for private RFC 1918 ranges through the VPC. When the VPC is a spoke on an NCC hub, this egress traffic can reach other VPC spokes, hybrid environments, PSC endpoints (for Google APIs or other services), or the internet.

Additional Cloud Run Networking Updates

Beyond ingress and egress, the video notes two significant updates:

  • Disabling the Default run.app URL: Cloud Run now allows the default run.app URL to be disabled, improving security by making the service reachable only through its load balancer.
  • Cloud Functions as Cloud Run Functions: Newly deployed Cloud Functions are now built on Cloud Run, meaning all the networking concepts discussed apply to them as well.
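Direct VPC Egress and the disabled default URL, combined into one added Terraform example (written for this summary, not from the video or from Google). The service attaches straight to a dedicated subnet with private-ranges-only egress, carries a network tag so VPC firewall rules can scope where it may talk, accepts traffic only from an internal load balancer, and does not serve its run.app URL at all. Names, CIDRs, the region, the sample image and the database subnet are assumptions, and the `default_uri_disabled` argument assumes a recent google provider release.

```hcl
# Added example, not from the video or from Google: Cloud Run with Direct VPC
# Egress into a dedicated subnet, private-ranges-only egress, firewall scoping
# by network tag, and the default run.app URL disabled.
# Assumptions: names, CIDRs, region and image are made up; default_uri_disabled
# requires a recent google provider.

resource "google_compute_network" "vpc" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

# Cloud Run instances draw their IPs from this subnet, so size it for the
# service's maximum instance count, not for today's traffic.
resource "google_compute_subnetwork" "run_egress" {
  name          = "run-egress"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.20.0.0/24"
}

resource "google_cloud_run_v2_service" "worker" {
  name     = "worker"
  location = "us-central1"

  # Only an internal load balancer may deliver traffic, and the run.app URL is
  # not served at all, so there is no second front door to forget about.
  ingress              = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"
  default_uri_disabled = true

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # Google's public sample image
    }
    vpc_access {
      # Direct VPC Egress: no connector; instances attach to the subnet directly.
      network_interfaces {
        network    = google_compute_network.vpc.id
        subnetwork = google_compute_subnetwork.run_egress.id
        tags       = ["cloud-run-worker"] # matched by the firewall rules below
      }
      # PRIVATE_RANGES_ONLY sends RFC 1918 destinations through the VPC and the
      # rest straight out; ALL_TRAFFIC would route everything through the VPC
      # (and then needs Cloud NAT for internet-bound requests).
      egress = "PRIVATE_RANGES_ONLY"
    }
  }
}

# Least-privilege egress inside the VPC: tagged Cloud Run instances may reach
# the database subnet on its port, and nothing else that is routed via the VPC.
resource "google_compute_firewall" "run_to_db" {
  name               = "allow-run-to-db"
  network            = google_compute_network.vpc.id
  direction          = "EGRESS"
  priority           = 1000
  target_tags        = ["cloud-run-worker"]
  destination_ranges = ["10.30.0.0/24"] # assumed database subnet
  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
}

resource "google_compute_firewall" "run_deny_other" {
  name               = "deny-run-other-egress"
  network            = google_compute_network.vpc.id
  direction          = "EGRESS"
  priority           = 2000
  target_tags        = ["cloud-run-worker"]
  destination_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
}
```

Note the interaction between the two settings: with `PRIVATE_RANGES_ONLY`, the deny rule governs only traffic that actually traverses the VPC, so a request to a public address bypasses it. Switching to `ALL_TRAFFIC` makes the firewall rules authoritative for every destination, at the price of needing Cloud NAT (or a PSC endpoint for Google APIs) for anything legitimately internet-bound.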

Notable Quotes

  • “Cloud Run is a managed compute platform that lets you run your containers no matter the programming language on Google's infrastructure.” – Lauren Price, defining Cloud Run.
  • “You want to control which projects have access to your Cloud Run service or you want to reduce the amount of IP space consumed by load balancer components by essentially running your Cloud Run services in island mode VPCs.” – Lauren Price, explaining the benefits of PSC Producer Services.

Technical Terms & Concepts

  • VPC (Virtual Private Cloud): A logically isolated section of the Google Cloud network where you can launch Google Cloud resources.
  • BYOIP (Bring Your Own IP): The ability to use your own IP addresses with Google Cloud services.
  • NEG (Network Endpoint Group): Represents a collection of endpoints to which a load balancer can direct traffic.
  • PSC NAT Subnet: A subnet designated for PSC Network Address Translation, sized according to the number of expected PSC endpoints.
  • RFC 1918: The set of IP address ranges reserved for private networks.

Logical Connections

The video progresses logically from outlining the fundamental need for private networking with Cloud Run (due to its infrastructure not residing directly within the VPC) to detailing specific ingress and egress patterns. It then builds upon these patterns by highlighting recent updates that enhance security and functionality. The connection between PSC Producer Services and custom domain names is clearly established, as is the evolution from Serverless VPC Access Connectors to the more efficient Direct VPC Egress. The final point about Cloud Functions being built on Cloud Run reinforces the applicability of all discussed concepts.

Data & Research Findings

The video doesn’t present specific research findings or extensive data. However, it implicitly highlights performance improvements with Direct VPC Egress (lower latency, higher throughput) as a key driver for its recommendation.

Synthesis/Conclusion

The video provides a comprehensive overview of securing Cloud Run services with private networking. The key takeaways are the expanded options for both ingress (PSC for Google APIs and PSC Producer Services) and egress (Direct VPC Egress). Direct VPC Egress is presented as the preferred egress method due to its performance and cost benefits. Disabling the default run.app URL is a valuable security consideration. Finally, the integration of Cloud Functions with Cloud Run means that all these networking concepts now apply to serverless functions as well. The overall message is that Google Cloud has significantly enhanced its private networking capabilities for Cloud Run, offering greater flexibility, security, and performance.
