Google Load Balancer to Cloud Run giving 404 - google-app-engine

I set up a load balancer following these instructions. The network endpoint group points to an AppEngine app and everything runs smoothly.
Now, I ported that same AppEngine app to a Cloud Run service. It deploys and works perfectly using the xxxx.run.app URL. Then I updated the network endpoint group to use the Cloud Run instead of AppEngine, and after a few minutes when calling the load balancer I get this error:
404. That’s an error.
The requested URL was not found on this server. That’s all we know.
(and the little broken robot :) )
I don't see logs in the cloud run so it means it doesn't even get to the cloud run instance. I changed it back to AppEngine and after a couple of minutes it works fine.
Is there anything else or different I need to set up for Google Cloud Run?
Thanks!

Try not to use europe-west1 region. I was facing the exact same problem, and got the LB in front of a serverless cloud run NEG working when I switched everything to europe-west4 or us-central1, for example.

I have just experienced the same problem. I wanted to have separate load balancers for two separate serverless services. When both were set up in the same region it did not work. Setting up everything on the load balancer side (neg, be-service) in a separate region, it worked as expected.
I did not change regions for the actual service which the be-service points towards.

Try to access your load balancer external ip address with "https" or "http":
For example:
https://33.149.231.37/
http://33.149.231.37/

Related

AWS Load Balancer alternative in Express+React app

I have a MERN Stack application hosted on AWS Elastic Beanstalk. I have a static IP address and 2 listeners ( load balancer ) for ports 80 and 443 to make my app work on https only and not http.
So far everything works perfectly fine but I was wondering is there a way I can remove the load balancer but behavior remains the same? It's not a high demand app and I don't want to spend 16$ a month just for a balancer.
I am open to make any changes to the app itself or my AWS configs.
Not sure if I need to provide more information, so please let me know if I missed anything.
Thank you
If you want to remove the load balancer and are going to have a single instance, you can follow the documentation below from AWS to allow HTTPS on a single instance:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance.html

How to connect via ssh to google cloud run or appengine?

I know cloud run and appengine are different services.
I need to connect via ssh to an appengine or cloud run instance to execute some process manually.
The reason to use one of these services is that they charge only when I use it, not 24x7.
Is there some way to do that?
Thanks
Short answer: you can't.
In fact, these services are designed to answer HTTP requests, and you pay for the service only when an HTTP request is processed. If you log into an instance over SSH, will you pay for the HTTP request? If you run a process on the instances, will you pay for the HTTP request?
Of course not. But the cost isn't the main reason. Cloud Run and App Engine can create and destroy instances as they wish, according to the traffic or something else. It's useless to log into an instance and run a process if, a few seconds or minutes later, the instance is deleted and a new one created: you will lose everything you did.
If you use these services, you must accept that the servers are managed by Google, that you can only deploy a service and use it through HTTP. It's not a traditional VM instance, it's "serverless".
Having said that, if you want to explore the runtime configuration, you can use an HTTP reverse shell. But, in the end, it's not very useful...
Context
I code using codeanywhere, because I have multiple places with desktop computers to work at and don't want to carry a laptop.
Actually I had VPSs as environments, as my projects are long-term and I don't need to rebuild or change the environment for years.
The need:
A few times per month I run shell commands, like testing nodejs scripts, before moving them to serverless (cloud run)
The old approach:
try to run these scripts on a working environment connecting via ssh
The modern developer way:
use codeanywhere containers as code storage and testing + create a gitlab ci/cd to deploy automatically on google cloud run instances

What is the equivalent of a hosts file mapping for AppEngine?

Our AppEngine app is connecting to a remote service which requires a VPN and also required me to add entries to the hosts file on my local machine in order to connect to their endpoints.
e.g.
10.200.30.150 foo.bar.com
This is working fine when running the app locally, but I can't figure out how to set this up on Google Cloud to work once deployed.
I can't use the IP addresses directly because it errors that the IP is not on the cert's list.
How do I map the host names to the IPs in Google Cloud so that AppEngine can use them?
From the error mentioned in the comment I suspect connecting directly through the IP fails because the certificate doesn't recognize the IP to DNS mapping as valid and therefore the secure connection setup breaks. Based on the requirements of connecting to the API by VPN and tweaking the hosts mapping there are few things you may try.
The simplest approach that may work would be using a Google Compute Engine VM instance, since there you would be able to manipulate the etc/hosts file and replicate the local machine setup. This VM could be used either as the main app service or as a proxy from App Engine to the 3rd party API endpoint. To go that route I would suggest taking a look at these two posts which explain how to change the etc/hosts file on GCE (changing the file once wouldn't work as the VM periodically overrides it; see the posts for a cronjob-like workaround).
Separately, as your app runs in App Engine flexible environment there is the chance to provide a docker container with the app packaged. It may be possible to set the workaround above in the docker file and have it working in App Engine too.
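An application-level alternative to editing a hosts file, shown as an added example that is not part of the original answers: the process pins the name from the question to its IP at resolution time, so the HTTP client still connects to `foo.bar.com` by name and TLS SNI and certificate hostname verification keep working. It assumes a Python app; the function names are hypothetical, and the mapping is the hosts entry quoted in the question.

```python
import socket

# Mapping taken from the hosts entry quoted in the question.
HOST_OVERRIDES = {"foo.bar.com": "10.200.30.150"}

original_getaddrinfo = socket.getaddrinfo


def pinned_getaddrinfo(host, port, *args, **kwargs):
    """Resolve overridden names to their pinned IP; everything else uses DNS."""
    key = host.decode("ascii", "ignore") if isinstance(host, bytes) else host
    if isinstance(key, str):
        # Normalise case and a trailing dot so "FOO.bar.com." also matches.
        pinned = HOST_OVERRIDES.get(key.rstrip(".").lower())
        if pinned:
            host = pinned
    return original_getaddrinfo(host, port, *args, **kwargs)


def install_overrides():
    # socket.create_connection() (used by http.client and libraries built on
    # it) looks up getaddrinfo at call time, so it picks up this replacement.
    # Only address lookup changes: the client still passes "foo.bar.com" as
    # the TLS server name, so the certificate is verified against the name.
    socket.getaddrinfo = pinned_getaddrinfo


def remove_overrides():
    socket.getaddrinfo = original_getaddrinfo


def overrides_active():
    return socket.getaddrinfo is pinned_getaddrinfo


def resolved_ips(host, port=443):
    """Addresses the process would connect to for host (for checking)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})
```

Certificate verification stays enabled with this approach, which is the point: connecting to the bare IP fails the hostname check, while resolving the name to the pinned IP does not.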

Is it possible to use a fully managed service (Cloud Run or App Engine) with firewall in GCP?

Problem. I'm looking for an agile way to shoot a docker container (stored on GCR.IO) to a managed service on GCP:
one docker container gcr.io/project/helloworld with private data (say, Cloud SQL backend) - can't face the real world.
a bunch of IPs I want to expose it to: say [ "1.2.3.4" , "2.3.4.0/24" ].
My ideal platform would be Cloud Run, but also GAE works.
I want to develop in agile way (say deploy with 2-3 lines of code), is it possible run my service secretly and yet super easily? We're not talking about a huge production project, we're talking about playing around and writing a POC you want to share securely over the internet to a few friends making sure the rest of the world gets a 403.
What I've tried so far.
The only thing that works easily is a GCE vm with docker-friendly OS (like cos) where I can set up firewall rules. This works, but it's a lame docker app on a disposable VM. Machine runs forever and dies at reboot unless I stabilize it on cron/startup. Looks like I'm doing somebody else's job.
Everything else I've tried so far failed:
Cloud Run. Amazing but can't set up firewall rules on it, or Cloud Director, .. seems to work only with IAP which is painful to set up.
GAE. Works with multiple IPs and can't detach public IPs or firewall it. I managed to get the IP filtering within the app but seems a bit risky. I don't [want to] trust my coding skills :)
Cloud Armor. Only supports a HTTPS Load Balancer which I don't have. Nor do I have MIGs to point to. I want simplicity.
Traffic Director and need a HTTP L7 balancer. But I have a docker container, on a single pod. Why do I need a LB?
GKE. Actually this seems to work: [1] but it's not fully managed (I need to create cluster, pods, ..)
Is this a product deficiency or am I looking at the wrong products? What's the simplest way to achieve what I want?
[1] how do I add a firewall rule to a gke service?
Please limit your question to one service. Not everyone is an expert on all Google Cloud services. You will have a better chance of a good answer for each service if they are separate questions.
In summary, if you want to use Google Cloud Security Groups to control IP based access you need to use a service that runs on Compute Engine as security groups are part of the VPC feature set. App Engine Standard and Cloud Run do not run within your project's VPC. This leaves you with App Engine Flex, Compute Engine, and Kubernetes.
I would change strategies and use Google Cloud Run managed by authentication. Access is controlled by Google Cloud IAM via OAuth tokens.
Cloud Run Authentication Overview
I agree with John Hanley’s reply and I have up-voted his answer.
Also, I’ve learned that you are looking at how to restrict access to your service through GCP.
By setting firewall rules, you can limit access to your service by limiting the source IP range as the allowed source, so that only this address will be allowed as source IP.
Please review another thread in Server Fault [1], stating how to “Restrict access to single IP only”.
https://serverfault.com/questions/901364/restrict-access-to-single-ip-only
You can do this quite easily with a Serverless NEG for Cloud Run or GAE.
If you're doing this in Terraform you can follow this article.
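The question mentions filtering by IP inside the app and calls it risky; the usual mistake is trusting the wrong `X-Forwarded-For` entry. The following is an added example, not part of the original answers, of a fail-closed allowlist check for the two ranges in the question. It assumes the service is reachable only through an external Application Load Balancer, which appends `<client-ip>,<load-balancer-ip>` to the header; the function names and sample headers are constructed.

```python
import ipaddress

# Ranges from the question; a bare address is treated as a /32.
ALLOWED = [ipaddress.ip_network(n) for n in ("1.2.3.4", "2.3.4.0/24")]

# Assumption: the load balancer appends two entries (client IP, then its own
# IP). Anything to the left of those was supplied by the caller and is
# untrusted.
TRUSTED_APPENDED_HOPS = 2


def client_ip_from_xff(header, appended=TRUSTED_APPENDED_HOPS):
    """Return the client address recorded by the load balancer, or None."""
    parts = [p.strip() for p in (header or "").split(",") if p.strip()]
    if len(parts) < appended:
        return None  # header missing or too short: not from the expected path
    try:
        ip = ipaddress.ip_address(parts[-appended])
    except ValueError:
        return None  # malformed entry: fail closed
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    return getattr(ip, "ipv4_mapped", None) or ip


def is_allowed(header):
    ip = client_ip_from_xff(header)
    if ip is None:
        return False
    return any(ip.version == net.version and ip in net for net in ALLOWED)


def status_for(header):
    """HTTP status the app should return for a request with this header."""
    return 200 if is_allowed(header) else 403
```

A request that prepends `1.2.3.4` to the header itself is still rejected, because the check reads the entry the load balancer wrote rather than the leftmost one.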

Betfair Non-Interactive (Bot) login doesn't work in Google App Engine region eu-west2 (London)

The error I'm getting is BETTING_RESTRICTED_LOCATION. But when I run my app locally using London location from VPN I am able to login in perfectly.
Is there a way I can ensure that the app is running from places where betting is legal?
There is another question like this but it's very old and doesn't help me.
The IPs of Google Cloud Platform share the same geolocation (US). And it could be possible that your bot doesn't allow connections from this part of the world. If this is the issue, there isn't any available solution within GCP just yet. You can follow this feature request or in the meantime, just point the requests to an on-prem service hosted in London that acts as a proxy.
