I'm developing an app using GCP managed Cloud Run and MongoDB Atlas. If I allow connection from anywhere for IP Whitelist of Atlas, Cloud Run perfectly works well with MongoDB Atlas. However, I want to restrict connection only for necessary IPs but I couldn't find outbound IPs of Cloud Run. Any way to know the outbound IPs?
there's a way to assign static IPs to Cloud Run now. Updated my answer. – ahmet alp balkan Nov 12 '20 at 01:02
4 Answers
Update (October 2020): Cloud Run has now launched VPC egress feature that lets you configure a static IP for outbound requests through Cloud NAT. You can follow this step by step guide in the documentation to configure a static IP to whitelist at MongoDB Atlas.
Until Cloud Run starts supporting Cloud NAT or Serverless VPC Access, unfortunately this is not supported.
As @Steren has mentioned, you can create a SOCKS proxy by running a ssh client that routes the traffic through a GCE VM instance that has a static external IP address.
I have blogged about it here: https://ahmet.im/blog/cloud-run-static-ip/, and you can find step-by-step instructions with a working example at: https://github.com/ahmetb/cloud-run-static-outbound-ip

I appreciated everything I found from you. Anything new about Cloud Run supporting Cloud NAT yet? – Yehuda Makarov Feb 21 '20 at 06:07
So Serverless VPC access is supported now in beta, but it seems like MongoDB Atlas is an external service. It works for whitelisting a range inside the VPC (like Cloud SQL), but how does it work for external services? – ahong May 27 '20 at 13:03
@AhmetB. I found a range at some point and now need that range again since Google Security Command Center is complaining that I opened up our proxy to 0.0.0.0/0 and just need something a little more constrictive. I can't seem to find that range in the Google docs. It was the range of the US data centers, basically for all Google IPs. Any idea what that is? I know I finally did find it. – Dean Hiller Sep 02 '20 at 15:59
Updated my answer. Cloud Run now supports static egress IP addresses. @YehudaMakarov – ahmet alp balkan Oct 13 '20 at 23:45
@AhmetB-Google noted and thank you for letting us know here. All the best. – Yehuda Makarov Nov 11 '20 at 21:52
Cloud Run (like all scalable serverless products) does not give you dedicated IP addresses that are known to be the origination of outgoing traffic. See also: Possible to get static IP address for Google Cloud Functions?

This IMHO should not be correct. Google must have a POOL of IPs it pulls from, and sure, they rotate, but what the range is is a very good question. How to whitelist all of Google's IPs, maybe? That is better than whitelisting the entire world at least. – Dean Hiller Jun 10 '20 at 23:09
@DeanHiller And why wouldn't the pool of addresses possibly change over time, without warning? – Doug Stevenson Jun 10 '20 at 23:29
Fair point, but at the same time, there are customers like me where the range of what it is today would be fine, as most orgs like mine monitor for failures and we would just google the new range and fix. That security would be better than completely open to the world to attacks. – Dean Hiller Jun 11 '20 at 03:36
@DeanHiller It sounds like Cloud Functions just doesn't meet your requirements. If you need a static IP, there are other services out there that can do what you want. – Doug Stevenson Jun 11 '20 at 05:59
It works great (Cloud Run, not Cloud Functions). Gmail gives out its range of IPs so there has to be a 'current' range for Cloud Run OR for all GCP. Either would be better than none for security. I bet the info exists somewhere and I am hoping not just in Google. – Dean Hiller Jun 11 '20 at 14:44
NOTE: we are in production working right now. It's just for security, we prefer to lock things down tighter so China/Ukraine can't hit our servers... I mean not unless they get some Cloud Run instances in Google, BUT many of the attacks come from those countries... hmmmm, perhaps there is a US range of IPs? – Dean Hiller Jun 11 '20 at 14:45
Cloud Run now supports static IPs. See my updated answer below. https://stackoverflow.com/a/57190877/54929 – ahmet alp balkan Oct 13 '20 at 23:43
Cloud Run services do not get static IPs.
A solution is to send your outbound requests through a proxy that has a static IP.
For example in Python:

```python
import os

import requests
from flask import Flask

app = Flask(__name__)


@app.route("/")
def hello():
    # PROXY holds the IP or URL of the static-IP proxy.
    proxy = os.environ.get('PROXY')
    # Send both plain HTTP and HTTPS requests through the same proxy.
    proxyDict = {
        "http": proxy,
        "https": proxy
    }
    # ifconfig.me echoes the caller's public IP, which here is the proxy's.
    r = requests.get('http://ifconfig.me/ip', proxies=proxyDict)
    return 'You connected from IP address: ' + r.text
```

With the PROXY environment variable containing the IP or URL of your proxy (see here to set an environment variable).
For this proxy, you can either:
- create it yourself, for example using a Compute Engine VM with a static public IP address running squid, this likely fits in the Compute Engine free tier.
- use a service that offers a proxy with static IP, for example https://www.quotaguard.com/static-ip/ that starts at $19/m
I personally used this second solution. The service gives me a URL that includes a username and password, that I then use as a proxy using the code above.

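A fail-closed way to read the PROXY variable used in the answer above, added here as an example and not part of the original answer. The names `load_proxies`, `redact`, `egress_matches` and `ALLOWED_SCHEMES` are hypothetical, and PROXY is assumed to be a full URL with a scheme, as with a credentialed service URL.

```python
import ipaddress
import os
from urllib.parse import urlsplit, urlunsplit

# Assumption: the proxy schemes this service is willing to use.
ALLOWED_SCHEMES = {"http", "https", "socks5", "socks5h"}


class ProxyConfigError(RuntimeError):
    """PROXY is missing or malformed; the caller should not send the request."""


def redact(proxy_url):
    """Mask user:password in a proxy URL so it can be written to logs."""
    parts = urlsplit(proxy_url)
    _userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return proxy_url
    return urlunsplit(parts._replace(netloc="***:***@" + hostport))


def load_proxies(env=os.environ):
    """Build the `proxies` dict for requests from PROXY, failing closed."""
    raw = (env.get("PROXY") or "").strip()
    if not raw:
        # A None proxy makes requests connect directly, so the call would
        # leave from a non-static Cloud Run address instead of the proxy.
        raise ProxyConfigError("PROXY is not set")
    parts = urlsplit(raw)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        # Do not echo the raw value: it may carry credentials.
        raise ProxyConfigError("PROXY is not a scheme://host[:port] URL")
    return {"http": raw, "https": raw}


def egress_matches(reported, expected_ip):
    """True if the address an IP echo service reports is the allowlisted one."""
    try:
        return ipaddress.ip_address(reported.strip()) == ipaddress.ip_address(expected_ip)
    except ValueError:
        return False  # an HTML error page or empty body is not a match


if __name__ == "__main__":
    # Constructed sample value; proxy.example and the credentials are made up.
    sample = {"PROXY": "http://user:s3cret@proxy.example:9293"}
    print(load_proxies(sample)["https"] == sample["PROXY"])
    print(redact(sample["PROXY"]))
    print(egress_matches("203.0.113.10\n", "203.0.113.10"))
```

In the Flask handler, `egress_matches(r.text, expected_ip)` can confirm that the address reported by the echo service is the one entered in the Atlas access list.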
This feature is now released in beta by the Cloud Run team:
https://cloud.google.com/run/docs/configuring/static-outbound-ip
