I have a scenario in which some HTTP service is deployed on AWS instance and I want to access this privately in my Google cloud function. What I have tested so far that using a VPN Gateway I can connect both google and AWS compute instance. BUT now I am looking for how it can be possible while using Google functions which are not under any VPC to access the service over VPN gateway.
Is there any way I can assign my google cloud function to the VPC through which I can call AWS service over VPN Gateway?
You can create a serverless VPC Connector in the Google CLoud VPC that you want and add it to your function.
On your function configuration, you can choose to route only the private IP through this connector, or all the requests initiated by the Cloud Functions.
So, if your route are correct, it should work!
Related
I have deployed an API Gateway on GCP. I would like to attach a static IP to the gateway so that I can add the IP to an allowlist of another service, that the API Gateway forwards requests to. The service is a third-party service, that only accepts requests from IPs on their allowlist.
I have set up a load balancer for the API Gateway, which does have a global static IP attached. However, this does solve the egress traffic, I see in the logs that the IP isn't static. Is there a way that I can attach a static IP to the API Gateway for egress, so that I can add a single IP to the other service?
Any help on this would be appreciated!
You can't add egress control on API Gateway. A workaround is to create a proxy Cloud Functions that have a static egress IP. There is an overcost for the Cloud Functions processing and for the serverless VPC connector that you have to use.
Another solution is to host the equivalent of API Gateway yourselves on Cloud Run for example (the open source project is name ESPv2, and I wrote an article on that (before the existence of the managed solution: API Gateway) and to use the similar configuration (serverless VPC connector and Cloud NAT) on the Cloud Run service.
Is it possible to access GCP PaaS (App Engine , Cloud Function, Cloud Run) internally (throught VPC)
I see in this doc : https://cloud.google.com/vpc/docs/configure-serverless-vpc-access
"Serverless VPC Access only allows requests to be initiated by the serverless environment. Requests initiated by a VM must use the external address of your serverless service—see Private Google Access for more information."
But searching for something like "Serverless VPC Access allows in/out requests"
You have 2 ways: in and out
Request TO serverless APP
You can use ingress control with Cloud Functions and Cloud Run services. You can say: I want that only connections from my VPC (or VPC SC perimeter) access to my serverless APP. With App Engine, you have firewall rules but doesn't work with private IP.
Request FROM serverless APP
Here you want to reach private resource exposed only on your VPC with a private IP. And with Cloud Run, Cloud Functions and App Engine, you can plug a serverless VPC connector to achieve this.
EDIT 1
With your appliance firewall deployed on Google Cloud, App Engine isn't the perfect product for this. Indeed, with App Engine you can't control the ingress traffic, and you always accept the traffic from the internet, even if you have a stuff (here your appliance) already on Google Cloud Network with a private IP.
The solution here (to test, depends on the appliance capacity) is to use Cloud NAT and to route all the traffic of the subnet on which the appliance is deployed, and to use a reserved static IP.
Then, on App Engine, you can set a firewall rule to accept only traffic from this reserved static IP.
The latency will increase with all these layers...
Hi I am trying to use AWS cost explorer API's to get billing usage, I tried to find a VPC Endpoint for this but was unable to find one.
Is there a way to create a Custom Endpoint for AWS services ?
(P.S. : Please don't suggest to use a NAT or Internet gateway)
AWS Cost Explorer does not have a VPC endpoint.
You can check supported services for VPC endpoints here:
If you don't want to use NAT nor Internet gateway, you could maybe proxy to the explorer using your own VPC endpoint services. This would require a second VPC with access to the cost explorer.
Alternatively, you could create private API Gateway, with AWS integration to the cost explorer REST API.
I have a problem configuring my AWS API Gateway:
I have an API deployed in an EKS cluster, and it has a public load balancer, so right now, this API is accessible from everywhere. I want to allow access to this API only from AWS API Gateway, so if anyone wants to use the API, it has to be through AWS API Gateway.
The problem is that I don't know how to allow traffic to the API only from API Gateway. I tried using a security group, but AWS API Gateway IP changes all the time. I tried also using an internal load balancer in my Kubernetes deployment, but AWS API Gateway can't reach that loadbalancer!
Thanks in advance with the help!
You can do this by using a Network Load Balancer.
Create an internal network load balancer and have your containers be added to its target group.
Then in API Gateway create a VPCLink to your Network Load Balancer. Then use the VPCLink within your API Gateway setup.
More instructions available here.
You might be able to accomplish this by setting up an API Gateway private integration. This makes it simple to expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC.
Also, have a look at Amazon EKS cluster endpoint access control in order to understand how you can enable endpoint private access for your cluster.
I have 1 Lambda Function connected to AWS Oracle RDS. I have exposed lambda to outer world via API Gateway.
How can i access same API Gateway in my EC2 Instance where i have my back-end services running?
[ec2-user#ip-22-22-22-22 dummy]$ ./telnet 10apexecute2.execute-api.eu-west-1.amazonaws.com 443
Trying 55.11.144.98...
Please help
As the account must be restrictive with its outbound communication over internet, the suggested solution would to make use of a VPC endpoint for API Gateway.
Once you create this endpoint, make sure to enable the "Enable Private DNS Name" option to override the DNS resolution for execute-api endpoints to speak to resolve through your VPC endpoint.
More information can be found in this blog post: Introducing Amazon API Gateway Private Endpoints | AWS Compute Blog