5

I'm building a data ingestion layer for my company where I have a lot of different integration points (REST APIs).

Some of the APIs require you to connect from a whitelisted IP.

I'd really like to use Google Cloud Functions / Pub/Sub to build the ingestion logic because of its scalability and reduced cost.

But the problem is that Google Cloud Functions always connect from random IPs and there is nothing we can do about that, as is answered in this question: Possible to get static IP address for Google Cloud Functions?

So my question is: Is there a way to proxy / NAT Cloud Functions so that they come from a set of static IPs?

Leon Radley
  • Possible duplicate of [Possible to get static IP address for Google Cloud Functions?](https://stackoverflow.com/questions/38811882/possible-to-get-static-ip-address-for-google-cloud-functions) – Julien Malige Aug 13 '18 at 08:43
  • I know it's not possible to assign static IPs, but I need help with finding a good workaround using Google tech. So in my opinion it's still a valid question :) – Leon Radley Aug 13 '18 at 08:44
  • I was also trying to achieve this although it's not supported yet. Upvoting for a good to have feature in GCP Serverless architecture. – Murtaza Kanchwala Aug 13 '18 at 10:28
  • Would Cloud NAT work for this? https://cloud.google.com/nat/docs/overview All egress traffic going through the cloud NAT. – Apothan Nov 19 '18 at 20:40

2 Answers

5

This is now possible via configuring network settings for Cloud Functions, particularly Egress Settings.

Taken from the Official Docs:

Via Console:

  1. Open the Functions Overview page in the Cloud Console
  2. Click Create function. Alternatively, click an existing function to go to its details page, and click Edit
  3. Expand the advanced settings by clicking Environment variables, networking, timeouts and more.
  4. In the Networking section, under Egress settings, select a Serverless VPC Access connector.
  5. Select the appropriate egress setting based on how you want to route outbound traffic through the connector.

Via gcloud:

```
gcloud functions deploy FUNCTION_NAME \
    --vpc-connector CONNECTOR_NAME \
    --egress-settings EGRESS_SETTINGS \
    FLAGS...
```

where:

FUNCTION_NAME is the name of your function.

CONNECTOR_NAME is the name of the Serverless VPC Access connector to use. See the gcloud documentation for more information.

Note: You can omit the --vpc-connector flag if you are updating egress settings on an existing function that already has a connector.

EGRESS_SETTINGS is one of the supported values for egress settings: see gcloud documentation.

FLAGS... refers to other flags you pass to the deploy command.

Select the appropriate egress setting based on how you want to route outbound traffic through the connector.

After this, you only need to

  1. Set up Cloud NAT and
  2. Specify a static IP address for NAT.

Create a Cloud NAT:

```
gcloud compute routers nats create nat-config \
    --router=nat-router \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-logging
```

Specify IP addresses:

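```
# nat-config already exists from the previous step, so update it rather than
# create it again; ip-address1,ip-address2 are reserved static external addresses.
gcloud compute routers nats update nat-config \
    --router=nat-router \
    --nat-external-ip-pool=ip-address1,ip-address2
```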
chriz
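The steps from the answer above combined into one script, as an added example that is not part of the original answer. It goes beyond the answer by also reserving the static address, creating the Cloud Router and the connector, and setting `--egress-settings=all`, since the default `private-ranges-only` leaves calls to public APIs on the function's own dynamic IPs. The region, network, resource names and connector range are assumed placeholders; with `DRY_RUN=1` (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example: static egress IP for a Cloud Function via connector + Cloud NAT.
# Every name, the region and the connector range are assumed placeholders.
set -eu

REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-default}"
ADDRESS="${ADDRESS:-fn-egress-ip}"
ROUTER="${ROUTER:-nat-router}"
NAT="${NAT:-nat-config}"
CONNECTOR="${CONNECTOR:-fn-connector}"
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"
FUNCTION="${FUNCTION:-FUNCTION_NAME}"

# With DRY_RUN=1 (the default) each command is printed instead of executed.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Extra arguments are passed to "gcloud functions deploy" (the FLAGS... above).
provision_static_egress() {
  # 1. Reserve a regional external address: the IP the remote API allowlists.
  run gcloud compute addresses create "$ADDRESS" --region="$REGION"
  # 2. Cloud Router that hosts the NAT gateway.
  run gcloud compute routers create "$ROUTER" \
    --network="$NETWORK" --region="$REGION"
  # 3. NAT gateway pinned to the reserved address, not auto-allocated ones,
  #    so the source IP stays the one that was allowlisted.
  run gcloud compute routers nats create "$NAT" \
    --router="$ROUTER" --region="$REGION" \
    --nat-external-ip-pool="$ADDRESS" \
    --nat-all-subnet-ip-ranges --enable-logging
  # 4. Serverless VPC Access connector in the same network and region.
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --region="$REGION" --network="$NETWORK" --range="$CONNECTOR_RANGE"
  # 5. Route all egress through the connector (and therefore the NAT);
  #    the default private-ranges-only would bypass it for public APIs.
  run gcloud functions deploy "$FUNCTION" --region="$REGION" \
    --vpc-connector="$CONNECTOR" --egress-settings=all "$@"
}

provision_static_egress "$@"
```

Review the printed plan first, then rerun with `DRY_RUN=0` in a project where you are allowed to create these resources.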
1

As mentioned by @Murtaza Kanchwala, it's not possible to Proxy / NAT Cloud Functions so that they would come from a set of static IPs. However, as this would be a good feature, I opened a feature request for this to be implemented. For all further updates refer to the request itself, since all the updates will be posted there.

komarkovich