
I am trying to reach an on-premise machine (let's call it exovie) from Google Cloud Run via the Serverless VPC Connector.

Simplified network configuration

This is how the network is configured:

  1. The VPC is connected to our on-premise network 172.20.0.0/20 using a Google Cloud VPN exoscale-at-vie-1-tunnel.

Cloud VPN

  2. My application train-graphql is deployed on Cloud Run (fully managed, europe-west6) and is attempting to access the exovie VM via a Serverless VPC Connector euw6-connector (also europe-west6, network: 10.94.0.0/28).

  3. Routes are published to a Cloud Router.

Cloud Router

  4. I also have a services subnetwork 10.172.10.0/24 used by some Google Cloud Compute Engine VMs which host an LDAP server (openldap-server, 10.172.10.2).

  5. There are no special restrictive firewall rules:

Firewall rules

Connectivity tests

  1. I start an SSH session from the openldap-server at 10.172.10.2 to exovie at 172.24.0.20.
  2. My application train-graphql is connected to the openldap-server at 10.172.10.2 via the Serverless VPC Connector euw6-connector without issues.
  3. A connectivity test on port 22 from the first instance of the Serverless VPC Connector euw6-connector at 10.94.0.2 to exovie at 172.24.0.20 is successful.

GraphQL connectivity test

Final thoughts

Since I can SSH from Cloud Run to Compute Engine and from Compute Engine to exovie, a viable solution could be to use a Compute Engine VM as a proxy to achieve this connection, but it sounds like a dirty hack.

Mathieu Bour
  • Did you enable **Route all traffic through the VPC connector** for Cloud Run? – John Hanley Jun 08 '22 at 17:24
  • @JohnHanley yes I did. – Mathieu Bour Jun 09 '22 at 00:28
  • VPC connectors are not transitive. You can go from `A -> B` but not from `A -> B -> C`. Cloud VPN is supported provided that it is configured in `B` routing to `C`. I am not sure what you have configured from your question. A is Cloud Run, B is the VPC, C is on-prem. – John Hanley Jun 09 '22 at 00:37
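The comment above boils down to a routing question: the VPC (B) must carry a route for the on-premise destination via the VPN tunnel, and the on-premise side (C) must carry a return route for the connector's range. The following is an added example, not code from the question or its commenters, that applies a longest-prefix-match lookup to a constructed route table using the prefixes quoted in the question; route names, next hops and priorities are invented for illustration.

```python
import ipaddress

# Constructed sample route tables. Prefixes are the ones quoted in the question;
# route names, next-hop labels and priorities are invented for this example.
VPC_ROUTES = [
    {"name": "default-route", "destRange": "0.0.0.0/0", "nextHop": "default-internet-gateway", "priority": 1000},
    {"name": "subnet-services", "destRange": "10.172.10.0/24", "nextHop": "local", "priority": 0},
    {"name": "subnet-connector", "destRange": "10.94.0.0/28", "nextHop": "local", "priority": 0},
    {"name": "vpn-onprem", "destRange": "172.20.0.0/20", "nextHop": "exoscale-at-vie-1-tunnel", "priority": 1000},
]
# Constructed view of what the on-premise router knows (no route back to the connector range).
ONPREM_ROUTES = [
    {"name": "lan", "destRange": "172.20.0.0/20", "nextHop": "local", "priority": 0},
    {"name": "gcp-services", "destRange": "10.172.10.0/24", "nextHop": "vpn-to-gcp", "priority": 100},
]


def select_route(routes, dst):
    """Longest-prefix match; among equal prefixes the lower priority value wins."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in ipaddress.ip_network(r["destRange"])]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r["destRange"]).prefixlen, r["priority"]))


def check_vpn_path(src, dst, vpc_routes, onprem_routes, tunnel, return_hop):
    """Findings for src -> dst over the VPN tunnel, and for the reply on the on-premise side."""
    findings = []
    fwd = select_route(vpc_routes, dst)
    if fwd is None or fwd["nextHop"] != tunnel:
        matched = fwd["name"] if fwd else "nothing"
        findings.append(f"forward: {dst} is not routed via {tunnel} (matched {matched})")
    ret = select_route(onprem_routes, src)
    if ret is None or ret["nextHop"] != return_hop:
        findings.append(f"return: on-premise has no route back to {src} via {return_hop}")
    return findings


if __name__ == "__main__":
    # Connector instance 10.94.0.2 trying to reach exovie at 172.24.0.20, as in the question.
    for line in check_vpn_path("10.94.0.2", "172.24.0.20", VPC_ROUTES, ONPREM_ROUTES,
                               "exoscale-at-vie-1-tunnel", "vpn-to-gcp"):
        print(line)
```

With the constructed tables both directions fail: 172.24.0.20 falls outside 172.20.0.0/20 and lands on the default route, and the on-premise side has no route for 10.94.0.0/28; either gap alone is enough to break the Cloud Run to on-premise path even when Compute Engine to on-premise works.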
