I would like to deny direct access to Cloud Functions via their default URL, such as:

https://europe-west1-helloworld.cloudfunctions.net/function-name

and only allow access via the GCP Load Balancer.

I would expect to create some kind of service account that would be used by the Load Balancer when accessing the Functions/Run containers, but it is not possible to assign one.

My current state is:

  1. When I assign allUsers in the Cloud Function's permissions, I can access it both directly and via the LB.
  2. When I remove allUsers, I can access it neither directly nor via the LB.

1 Answer

You can achieve this by deploying or editing your Cloud Functions and configuring the "connection" section. There, set the ingress option to accept only connections coming from the internal VPC network (and Shared VPC and VPC SC) and the Load Balancer.


2 Comments

In fact, this is not so easy 😇 As described in cloud.google.com/run/docs/securing/… - there are three types of solutions, which are mentioned only very briefly and I will probably make a new SO question for that: stackoverflow.com/questions/79069934/…
But not so difficult with the network flow in mind. I dropped a comment
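To check which functions in a project still answer on their default URL, the audit below classifies each function by its ingress setting and invoker bindings. It is an added example, not code from the question or the answer; the sample data is constructed, and the merged `bindings` key and the verdict labels are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `gcloud functions list --format=json`.
# The "bindings" key is hypothetical: each function's IAM policy merged in.
SAMPLE = json.loads("""[
 {"name": "projects/demo/locations/europe-west1/functions/fn-open",
  "ingressSettings": "ALLOW_ALL",
  "bindings": [{"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}]},
 {"name": "projects/demo/locations/europe-west1/functions/fn-locked",
  "ingressSettings": "ALLOW_ALL", "bindings": []},
 {"name": "projects/demo/locations/europe-west1/functions/fn-lb",
  "ingressSettings": "ALLOW_INTERNAL_AND_GCLB",
  "bindings": [{"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}]},
 {"name": "projects/demo/locations/europe-west1/functions/fn-gen2",
  "serviceConfig": {"ingressSettings": "ALLOW_INTERNAL_ONLY"},
  "bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}
]""")

PUBLIC = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}

def ingress_of(fn):
    # 1st gen: top-level field; 2nd gen: under serviceConfig.
    # Assumption: an unset value behaves like the default, ALLOW_ALL.
    nested = fn.get("serviceConfig", {}).get("ingressSettings")
    return fn.get("ingressSettings") or nested or "ALLOW_ALL"

def is_public(fn):
    return any(b["role"] in INVOKER_ROLES and PUBLIC & set(b["members"])
               for b in fn.get("bindings", []))

def classify(fn):
    ingress, public = ingress_of(fn), is_public(fn)
    if ingress == "ALLOW_ALL":
        # Default URL is reachable from the internet; only IAM stands in the way.
        return "EXPOSED" if public else "DIRECT_URL_AUTH_ONLY"
    if ingress == "ALLOW_INTERNAL_AND_GCLB":
        # Direct URL refused at the network layer; without a public invoker,
        # unauthenticated requests through the LB fail too (state 2 in the question).
        return "LB_ONLY" if public else "LB_ONLY_NEEDS_TOKEN"
    return "INTERNAL_ONLY"

def audit(functions):
    return {fn["name"].rsplit("/", 1)[-1]: classify(fn) for fn in functions}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:10} {verdict}")
```

Anything reported as `EXPOSED` matches state 1 in the question; redeploying with `gcloud functions deploy NAME --ingress-settings=internal-and-gclb` applies the ingress option the answer describes.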
