I'd like to add a cache to my Django app hosted on Cloud Run.
From the official Django docs, we can connect Django to a memory-based cache. Since I'm using Cloud Run, the memory gets cleaned.
Memorystore seems good for this purpose, but there's only a tutorial for Flask and Redis.
How could I achieve this?
Or should I just use database caching?
Connect the Redis instance to the Cloud Run service using the steps in
the documentation.
To connect from Cloud Run (fully managed) to Memorystore you need to
use the mechanism called "Serverless VPC Access" or a "VPC
Connector"
First, you have to create a Serverless VPC Access Connector
and then configure Cloud Run to use this connector
See connecting to a VPC Network for more information.
Alternatives to using this include:
Use Cloud Run for Anthos, where GKE provides the capability to
connect to Memorystore if the cluster is configured for it.
Stay within fully managed Serverless but use a GA version of the
Serverless VPC Access feature by using App Engine with Memorystore.
See this answer to connect to Memorystore from Cloud Run using an SSH
tunnel via GCE.
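The Django side of this setup, as an added example that is not part of the original answer: a helper for `settings.py` that points Django's cache at the Memorystore instance once the connector is in place. It assumes Django 4.0+ (built-in `RedisCache` backend, which needs the `redis` package) and the environment variable names `REDISHOST` and `REDISPORT`, which are chosen for this example; the IP address in the usage comment is constructed.

```python
import ipaddress

LOCMEM = "django.core.cache.backends.locmem.LocMemCache"
REDIS = "django.core.cache.backends.redis.RedisCache"  # built into Django 4.0+


def build_caches(env):
    """Build Django's CACHES setting from an environment-style mapping.

    REDISHOST / REDISPORT are names assumed for this example; set them on the
    Cloud Run service to the Memorystore instance's internal IP and port.
    """
    host = env.get("REDISHOST")
    if not host:
        # No Memorystore configured (e.g. local development): fall back to
        # the per-process cache, which is lost when the instance is recycled.
        return {"default": {"BACKEND": LOCMEM}}

    # Memorystore is reached over the VPC connector on an internal address.
    # Refuse anything else so cache traffic never leaves the private network.
    addr = ipaddress.ip_address(host)  # ValueError if not an IP literal
    if not addr.is_private:
        raise ValueError(f"REDISHOST {host} is not a private address")

    port = int(env.get("REDISPORT", "6379"))
    if not 0 < port < 65536:
        raise ValueError(f"REDISPORT {port} is out of range")

    return {
        "default": {
            "BACKEND": REDIS,
            "LOCATION": f"redis://{host}:{port}",
            "KEY_PREFIX": env.get("CACHE_KEY_PREFIX", "django"),
        }
    }


# In settings.py:
#   import os
#   CACHES = build_caches(os.environ)
# With REDISHOST=10.0.0.3 (constructed value) LOCATION is redis://10.0.0.3:6379
```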
Related
Is there any C++ library/client to connect with the memcached instance created within Google Cloud Platform?
Is there any example how to configure and use Google Cloud Memcache instance in C++ application?
I found libmemcached, but I haven't found confirmation that it works for GCP too, or how to configure it for GCP.
My application is deployed to our private server and I want to use some services from GCP like Bucket and Secret Manager.
Suppose my application is deployed on an internal server and my application uses GCP services. Is that possible, or should we deploy our app to GCP also? My application is in JSP.
How do I do this? What is the best practice for this?
You have more than one option. You can use Cloud VPN, as it securely connects your peer network to your Virtual Private Cloud (VPC) network through an IPsec VPN connection. Follow this GCP’s official documentation to set it up.
Another option is Google Cloud Hybrid Connectivity focused on Cloud Interconnect as it allows you to connect your infrastructure to Google Cloud. Visit the following link for the best practices and the set up guide.
Finally, see the following thread for more reference on your connection requirement.
Quoting https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless#enabling
While Google Cloud Armor can be configured for backend services with Cloud Run (fully managed), Cloud Functions, and App Engine backends, there are certain limitations associated with this capability, especially with Cloud Run (fully managed) and App Engine. Users who have access to the default URLs assigned to these services by Google Cloud can bypass the load balancer and go directly to the service URLs, circumventing any configured Google Cloud Armor security policies.
What would be the best way to avoid the bypass of Cloud Armor by an attacker targeting the Cloud Run URL (*.run.app)?
Normally I would make Cloud Run only invocable by a service account but Cloud Load Balancer can't use service accounts to call Cloud Run. An alternative is to configure Cloud Load Balancer to use a token in a header and configure the app running in Cloud Run to only accept calls with the correct header/token but I would prefer not to have to do that in the app.
You should restrict the ingress of your service to "Internal and Load Balancing" to disable access from the default domain and only allow traffic to come from Cloud Armor:
gcloud beta run services update SERVICE --ingress internal-and-cloud-load-balancing
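A defender-side check for the ingress setting described above, as an added example that is not part of the original answer: it reads the JSON produced by `gcloud run services list --format=json` and reports services that are still reachable on their default URL. The annotation key `run.googleapis.com/ingress` and the treatment of a missing annotation as `all` are assumptions about that output, and the sample data is constructed.

```python
import json

# Assumption: the ingress setting appears as this annotation on the service
# metadata, and a service without it accepts traffic from anywhere ("all").
INGRESS_KEY = "run.googleapis.com/ingress"
NOT_DIRECTLY_REACHABLE = {"internal", "internal-and-cloud-load-balancing"}


def find_armor_bypass(services_json):
    """Return sorted (service, ingress) pairs that accept traffic on the
    default *.run.app URL and therefore sidestep Cloud Armor policies."""
    findings = []
    for svc in json.loads(services_json):
        meta = svc.get("metadata", {})
        ingress = meta.get("annotations", {}).get(INGRESS_KEY, "all")
        if ingress not in NOT_DIRECTLY_REACHABLE:
            findings.append((meta.get("name", "<unnamed>"), ingress))
    return sorted(findings)


def remediation(findings):
    """Render the command from the answer above for each exposed service."""
    return [
        f"gcloud beta run services update {name} "
        "--ingress internal-and-cloud-load-balancing"
        for name, _ in findings
    ]


# Constructed sample in the shape of `gcloud run services list --format=json`.
SAMPLE = json.dumps([
    {"metadata": {"name": "shop", "annotations": {
        INGRESS_KEY: "internal-and-cloud-load-balancing"}}},
    {"metadata": {"name": "api", "annotations": {INGRESS_KEY: "all"}}},
    {"metadata": {"name": "legacy", "annotations": {}}},
    {"metadata": {"name": "worker", "annotations": {INGRESS_KEY: "internal"}}},
])

if __name__ == "__main__":
    exposed = find_armor_bypass(SAMPLE)
    for name, ingress in exposed:
        print(f"{name}: ingress={ingress} (default URL bypasses Cloud Armor)")
    print("\n".join(remediation(exposed)))
```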
Is it possible to use an AWS RDS PostgreSQL database with a Django app hosted on Google App Engine standard (Python 3)?
Currently, any code that tries to connect to the RDS database hangs, but I can connect to the RDS database from my machine.
I would point out that the AWS RDS documentation mentions that you can allow access to the specific subnet (VPC) with “publicly available” to an IP range, and you can get the App Engine ranges by performing nslookups as shown here. Please take into consideration that the IP ranges for the App Engine services change on a regular basis.
If you are not using VPCs then you should take a look at this AWS doc.
I would also suggest testing the connectivity to the GCP resources by using Compute Engine virtual machines; this can also be done by using App Engine Flexible, since you are able to SSH into the GCE VM instance.
I have a service which runs on Cloud Run, and MySQL and MongoDB databases on Compute Engine. Currently, I'm using public IPs to connect between them. I want to use internal IPs to improve performance, but I can't find a solution for this problem. Please help me with some ideas. Thanks.
This is now supported. You can use a VPC network connector (Beta):
This feature is in a pre-release state and might change or have
limited support. For more information, see the product launch stages.
This page shows how to use Serverless VPC Access to connect a Cloud
Run (fully managed) service directly to your VPC network, allowing
access to Compute Engine VM instances, Memorystore instances, and any
other resources with an internal IP address.
To use Serverless VPC Access in a Cloud Run (fully managed) service,
you first need to create a Serverless VPC Access connector to handle
communication to your VPC network. After you create the connector, you
set your Cloud Run (fully managed) service configuration to use that
connector.
Here is how to create one: Creating a Serverless VPC Access connector, and here is an overview of it: Serverless VPC Access example
According to official documentation Connecting to instances using advanced methods
If you have an isolated instance that doesn't have an external IP
address (such as an instance that is intentionally isolated from
external networks), you can still connect to it by using its internal
IP address on a Google Cloud Virtual Private Cloud (VPC) network
However, if you check the services not yet supported for Cloud Run, you will find:
Virtual Private Cloud Cloud Run (fully managed) cannot connect to VPC
network.
Services not yet supported
You can now do that by running this command upon deployment:
gcloud run deploy SERVICE --image gcr.io/PROJECT_ID/IMAGE --vpc-connector CONNECTOR_NAME
If you already have a Cloud Run deployment, you can update it by running the command:
gcloud run services update SERVICE --vpc-connector CONNECTOR_NAME
More information about that here
Connecting from Cloud Run Managed to VPC private addresses is not yet supported.
This feature is in development and is called Serverless VPC Access. You can read more here.
If you have a Compute Engine instance running in the same VPC with a public IP address, you can create an SSH tunnel to connect to private IP addresses through the public instance. This requires creating the tunnel in your own code, which is easy to do.