API Gateway within VPC network

Hi everyone,

I would like to ask whether it is possible to connect a managed API Gateway to a VPC network.

In particular, is there a way to route the outbound traffic from the API Gateway to a Cloud Run service, in order to protect the Cloud Run service with the configuration flag "--ingress=internal"?

Thank you very much!

You're absolutely right! Here's a more detailed breakdown of the process specifically tailored for Google Cloud:

Prerequisites

A Google Cloud project with billing enabled.
A VPC network and a private subnet within it.
Basic understanding of Google Cloud services (VPC, Cloud Run, API Gateway, Serverless VPC Access).

Steps

Deploy Cloud Run with --ingress=internal:

Bash
gcloud run deploy SERVICE_NAME --image=gcr.io/YOUR_PROJECT/IMAGE_NAME \
--platform=managed --region=YOUR_REGION --vpc-connector=YOUR_CONNECTOR \
--no-allow-unauthenticated --ingress=internal
Replace SERVICE_NAME, IMAGE_NAME, YOUR_REGION, and YOUR_CONNECTOR with appropriate values.

Create a Serverless VPC Access Connector:

Bash
gcloud compute networks vpc-access connectors create YOUR_CONNECTOR \
--region=YOUR_REGION --network=YOUR_VPC_NETWORK --range=YOUR_SUBNET_CIDR
Replace YOUR_CONNECTOR, YOUR_REGION, YOUR_VPC_NETWORK, and YOUR_SUBNET_CIDR accordingly.

Create an API Gateway:

Go to the API Gateway console in your Google Cloud project.
Create a new API and give it an appropriate name.
Create a new API Config. Select Open API and provide a specification (if you have one) or define your API's paths manually.

Configure API Gateway Integration:

In the API Config you created, navigate to the "Backend" of a path you want to route to your Cloud Run service.
Select "Cloud Run" as the backend.
Choose the region and the Cloud Run service you deployed earlier.
Importantly: Under "Connectivity", select "Serverless VPC Access Connector" and choose the connector you created.

Deploy API Gateway Config:

Once the API Config is ready, deploy it. You'll get an API Gateway endpoint.

Example Code Snippet (YAML)

If you're using YAML to define your API Gateway configuration, here's an example snippet demonstrating the Cloud Run integration portion:

YAML
gateways:
- gateway_name: your-api-gateway
  configs:
  - api_config_id: your-api-config
    x-google-backend:
      address: https://SERVICE_NAME-pc1234abcd-uc.a.run.app # Replace with your Cloud Run service URL
      connection:
        name: projects/YOUR_PROJECT/locations/YOUR_REGION/connectors/YOUR_CONNECTOR

Remember:

Secure your API Gateway with appropriate authentication and authorization mechanisms.
For detailed instructions and additional considerations, refer to the Google Cloud documentation:
API Gateway: https://cloud.google.com/api-gateway/docs
Serverless VPC Access: https://cloud.google.com/vpc/docs/configure-serverless-vpc-access

Thank you for your reply! 

I'll test your solution in the next few days

- correction

Sorry for the confusion. The Serverless Access connector is used to enable Cloud Run services to access resources within a VPC network, not the other way around.

Hello Marvin,

I've posted a reply with the problem for the solution that is in the previous message. Can you help me please?

Thank you very much!

So there is not a way to route traffic from api gateway to the cloud run through the vpc?

Hello, I'm finally trying to deploy my api gateway with this feature.

I've some problems with the api config. The error that it's showing me is this:

$ gcloud api-gateway api-configs create ...

ERROR: (gcloud.api-gateway.api-configs.create) INVALID_ARGUMENT: Cannot convert to service config.
'location: "test.skaffold-api-gateway_0.0.swagger2.json: x-google-backend"
kind: ERROR
message: "Extension x-google-backend cannot be converted into proto type google.api.BackendRule. Details: Cannot find field: connection in message google.api.BackendRule"

My api config for api gateway is configured like this:

"paths": {
  "/hc": {
    "get": {
      "operationId": "skaffold-api_HealthzController_healthz",
      "summary": "Health check",
      "parameters": [
        {
          "name": "X-Request-ID",
          "in": "header",
          "description": "Optional ID for tracing and issue reporting",
          "required": false,
          "format": "uuid",
          "type": "string"
        }
      ],
      "responses": {
        "200": {
          "description": "",
          "headers": {
            "X-Response-ID": {
              "description": "Response ID for tracing and issue reporting",
              "type": "string",
              "format": "uuid"
            }
          },
          "schema": {
            "$ref": "#/definitions/DataHcRes"
          }
        }
      },
      "tags": [
        "Health check"
      ],
      "produces": [
        "application/json"
      ],
      "x-google-backend": {
        "address": "address to my cloud run",
        "path_translation": "APPEND_PATH_TO_ADDRESS",
        "protocol": "h2",
        "deadline": 120,
        "jwt_audience": "address to my cloud run",
        "connection": {
          "name": "projects/my-project/locations/my-region/connectors/my-connector"
        }
      }
    }
  }
},

It seems that it's not possible to pass the "connection" property into the "x-google-backend" object.

Everything in the project is already configured, like Cloud Run and the VPC connector.
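
Added example, not part of the original posts and not Google's tooling: a pre-deploy check that walks an OpenAPI 2.0 document and reports any x-google-backend key outside the documented set, which is what the INVALID_ARGUMENT error above rejects. The allow-list (the extension's documented keys, as assumed here) and the sample spec (a trimmed, constructed copy of the posted config with a placeholder address) are assumptions of this example.

```python
import json

# Assumption: the keys documented for the x-google-backend extension.
# "connection" is not among them, matching the BackendRule error above.
SUPPORTED_BACKEND_KEYS = {
    "address", "jwt_audience", "disable_auth",
    "path_translation", "deadline", "protocol",
}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample: trimmed copy of the posted config, placeholder address.
SAMPLE_SPEC = json.loads("""
{
  "paths": {
    "/hc": {
      "get": {
        "operationId": "skaffold-api_HealthzController_healthz",
        "x-google-backend": {
          "address": "https://backend.example.invalid",
          "path_translation": "APPEND_PATH_TO_ADDRESS",
          "protocol": "h2", "deadline": 120,
          "jwt_audience": "https://backend.example.invalid",
          "connection": {"name": "projects/my-project/locations/my-region/connectors/my-connector"}
        }
      }
    }
  }
}
""")


def find_unsupported_backend_keys(spec):
    """Return (location, key) pairs for unknown x-google-backend keys."""
    findings = []
    # The extension may appear at the top level or on an individual operation.
    scopes = [("(top level)", spec)]
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and isinstance(op, dict):
                scopes.append((f"{method.upper()} {path}", op))
    for location, node in scopes:
        backend = node.get("x-google-backend")
        if isinstance(backend, dict):
            unknown = sorted(set(backend) - SUPPORTED_BACKEND_KEYS)
            findings += [(location, key) for key in unknown]
    return findings


if __name__ == "__main__":
    for location, key in find_unsupported_backend_keys(SAMPLE_SPEC):
        print(f"{location}: unsupported x-google-backend key {key!r}")
```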

Did you happen to get this working? If so, how did you get the api gateway to talk over the VPC to your cloud run service? I'm trying to do the same thing and wondering if I need to set up an internal load balancer, etc. to get it to work.

Best,

Eddie