One of the most complex things in Google Cloud is understanding how the network works, and how services like Cloud Run that are not connected to any customer VPC can talk with components that are using a customer VPC.
To solve this issue there are two possible solutions. The first option is based on a public IP in Cloud SQL and after Cloud Run talks with this public IP. We need to remember that even with a public IP, this doesn’t mean that the connection from Cloud Run to Cloud SQL is leaving the Google network, sounds magical but packages will never leave Google.
The second way to do that is using an internal IP in the cloud SQL and connecting Cloud run to the database using this internal IP. Problem here is that as you know Cloud Run has no user VPC because is considered a serverless component, but, yes, an internal Google Cloud VPC invisible to us. Then to be able to connect the two components we need to create a Serverless VPC Connection via Private IP. It sounds complex but is actuallu simple and today we are going to learn how to do that.
But we are going to learn how to do that in a real environment, not in a fake laboratory. We are going to change a database with a Public IP connected to Cloud Run to use a private IP in our time tracking tool, Claimora.
Let's start. The first thing that we are going to check is our Cloud Run application. As you can see this beautiful tool is deployed ideally and when we go to connections we will see that the Cloud SQL is there and that currently, we don’t have any VPC connector.
Now if we go to our Cloud SQL database we will see that this database is using a public IP to accept inbound connections and that is working in this way.
And the last step is the serverless VPC access that we will use to connect our Cloud Run without user VPC with the Cloud SQL. If we click on create a connector, now we only need to give a name, the region where is located the sub-network that is using Cloud SQL, the VPC that Cloud SQL is using and now we choose a custom IP range, in our case 10.8.0.0/28
Now if we go back to our Cloud SQL and we edit, and then go to connections, click on private IP and choose our VPC, default in our case, unclick on public IP, save and wait more than 20 minutes our database will be now working with a public IP, simple.
If we go back to Cloud Run and click on edit, we only need to go to connections, and in the VPC connector add the VPC connector that we created previously. After we deploy, the next step is to wait for our revision to be deployed in our service.
It's simple. We can open our page, stg.claimora.com, and, magically, everything is working. How beautiful is Claimora!
Today we have learned how to connect a serverless component like Cloud Run with an element with a VPC and to do the magic we need a serverless VPC connector.
Here's the same article in video form for your convenience:
Here's the original article by Pablo Inigo Sanchez on mkdev.me