
I have a Cloud Run service which I would like to connect to my default VPC network through a Serverless VPC connector. The final goal with this is to allow my Cloud Run instances to access an on-prem server through a separately configured VPN, but my first issue is that I cannot even access a VM on the same network.

I have tried debugging this issue using this vpc-network-tester service, which confirms that I cannot ping my Compute Engine VM.

From my VM, I am able to successfully ping the Cloud Run instances (I've configured and set up some simple firewall logging to find the internal IP of the instances, and the VM is able to reach them).

From everything I have read, it sounds like this would be a firewall issue on the Compute Engine VM or default network side of things, but the only additional firewall rules I have set up are ALLOW rules to let me inspect firewall traffic.

Here is some information on the configuration, but please let me know if there is additional info I can provide.

Serverless VPC access

(I did have my own subnet set up for this originally, but I removed that and just allowed it to manage it on its own with an IP range)

Name: serverless-vpc-connector
Network: default
IP address range: 10.1.0.0/28
Region: us-central1
Instance type: e2-micro

Cloud Run Configuration (for vpc-network-tester)

VPC Connector: serverless-vpc-connector
Route Type: Route only requests to private IPs through the VPC connector

Ping Response

Source: 10.1.0.2 (vpc-network-tester)
Destination: 10.128.0.2 (internal IP of Compute Engine VM)
Result:
PING 10.128.0.2 (10.128.0.2): 56 data bytes

--- 10.128.0.2 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

Source: 10.128.0.2 (internal IP of Compute Engine VM)
Destination: 10.1.0.2 (vpc-network-tester)
Result:
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.

--- 10.1.0.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 82ms

Connectivity Test

This is a test of ICMP from Cloud Run to the Compute Engine VM

  • 1) Do not use ping (ICMP) to test TCP paths. They use different protocols. Use a TCP ping program. 2) If you can connect in one direction but not the reverse, you either have a firewall problem, a routing problem or no service listening for that traffic. The TCP error will indicate the type of problem. – John Hanley Jul 23 '22 at 03:05
  • @JohnHanley For testing ping via TCP, is there a program you recommend (VMs and Cloud Run Instance run Linux)? – Conor Strejcek Jul 25 '22 at 19:05
  • I would Google Search. There are many tools to use. – John Hanley Jul 25 '22 at 19:31

1 Answer


Since I don't have enough reputation to post a comment I'll post it as an answer.

It looks like you already created a Serverless VPC Access connector to connect a Cloud Run service directly to your VPC network.

You can try to create an Ingress firewall rule that allows this subnet 0.0.0.0/0 just to check if this will allow connectivity from Cloud Run instances to the VM.

You can perform another Connectivity Test from Cloud Run to VM. Make sure to change the Protocol to TCP and for the Destination port make sure to specify a specific port. For example, if you want to use port 80, make sure that the service using that port is running. You may check this link: Check running services on Linux

salvinojr
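The comments and the answer both recommend a TCP check on a specific port instead of ICMP, because the TCP outcome tells you which kind of problem you have. The following script is an added example (not from the question, the answer, or Google's tooling) of such a "TCP ping" run from inside the Cloud Run service: it attempts a full TCP connect and maps the result to a diagnosis. The target `10.128.0.2:80` in the `__main__` block is taken from the question and is only a constructed sample; the function and state names are my own.

```python
import errno
import socket
from typing import NamedTuple


class ProbeResult(NamedTuple):
    host: str
    port: int
    state: str      # "open", "refused", "timeout", "unreachable", "error"
    diagnosis: str  # what that TCP outcome implies for the network path


# A refusal proves the path works (the VM answered with RST) but nothing is
# listening; a silent timeout means packets were dropped in transit, which is
# the firewall-or-routing case from the comments; an immediate "unreachable"
# means this side has no route at all.
_DIAGNOSIS = {
    "open": "path works and a service is listening on that port",
    "refused": "host reachable, but no service listening on that port",
    "timeout": "packets dropped in transit: firewall rule or routing problem",
    "unreachable": "no route from this side: routing problem",
    "error": "other socket error; inspect errno",
}


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """TCP 'ping': try a full three-way handshake and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"
    except ConnectionRefusedError:
        state = "refused"
    except socket.timeout:
        state = "timeout"
    except OSError as exc:
        # ENETUNREACH / EHOSTUNREACH come back immediately via an ICMP error
        unreachable = (errno.ENETUNREACH, errno.EHOSTUNREACH)
        state = "unreachable" if exc.errno in unreachable else "error"
    return ProbeResult(host, port, state, _DIAGNOSIS[state])


if __name__ == "__main__":
    # Constructed sample target: the VM's internal IP from the question, port 80.
    result = tcp_probe("10.128.0.2", 80)
    print(f"{result.host}:{result.port} -> {result.state}: {result.diagnosis}")
```

Run it from the vpc-network-tester service (or any container using the connector) against the VM's internal IP; a "timeout" for a port you know is listening is the firewall/routing case, a "refused" means the connector-to-VM path already works.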