0

We're living behind a corporate proxy/firewall, that can only consume static IP rules and not FQDNs. For our project, we need to access Google Speech To Text API: https://speech.googleapis.com. If outside of corporate network, we use gRPC stream over HTTP/2 to do that.

The ideal scenario looks like:
Corporate network -> static IP in GCP -> forwarded gRPC stream to speech.googleapis.com

What we have tried is creating a global static external IP, but failed when configuring the Load Balancer, as it can only connect to VMs and not APIs.

Alternatively, we were thinking to use output of nslookup speech.googleapis.com IP address ranges and update it daily, though it seems pretty 'dirty'.

I'm aware we can configure a compute engine resource / VM and forward the traffic, but this really doesn't seem like an elegant solution either. Preferably, we can achieve that with existing GCP networking components.

Many thanks for any pointers!

Raynel A.S
  • 457
  • 4
  • 9
flaesh
  • 262
  • 5
  • 17

2 Answers2

0

Google does not publish a CIDR block for you to use. You will have daily grief trying to whitelist IP addresses. Most of Google's API services are fronted by the Global Frontend (GFE). This uses HTTP Host headers to route traffic and not IP addresses, which will cause routing to fail.

Trying to lookup the IP addresses can be an issue. DNS does not have to return all IP addresses for name resolution in every call. This means that a DNS lookup might return one set of addresses now and a different set an hour from how. This is an edge example of grief you will cause yourself with whitelisting IP addresses.

Solution: Talk to your firewall vendor.

John Hanley
  • 74,467
  • 6
  • 95
  • 159
  • Many thanks for the pointers John. We're indeed engaging with our firewall vendor to see, whether there's some nice update coming up. – flaesh Oct 24 '19 at 07:52
0

Found a solution thanks to clever networking engineers from Google, posting here for future reference:

You can use a CNAME in your internal DNS to point *.googleapis.com to private.googleapis.com. This record in public DNS points to two public IP addresses (199.36.153.8/30) that are not reachable from the public internet but through a VPN tunnel or Cloud interconnect only.

So if setting up a VPN tunnel to a project in GCP is possible (and it should be quite easy, see https://cloud.google.com/vpn/docs/how-to/creating-static-vpns), then this should solve the problem.

flaesh
  • 262
  • 5
  • 17
  • This is a standard feature of VPCs. This is called Private Google Access: https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid – John Hanley Oct 24 '19 at 13:25