Outbound static IP address configuration
This guide describes how to give the Cloud Run service a static outbound IP address by sending its requests through Cloud NAT.
For details of the outbound static IP address settings, refer to this link.
When developing a system, you often need to integrate with an external system.
Depending on that system, you may be required to register every source IP address on its allow list (whitelist).
If you simply scale out the Worker, each new instance brings another outbound IP, so registering every IP with the other system becomes impractical.
In that case, create a VPC network and set up Cloud NAT.
Cloud NAT routes all outbound traffic through a scalable network router, so communication with the outside world always leaves from the same fixed IP.
Creating a VPC network
Configure the network resources the service needs to scale, such as the VPC network and firewall rules.
$ souls gcloud compute setup_vpc_nat
This command automatically performs the following:
- Creating a VPC network
- Creating Firewall TCP rules
- Creating Firewall SSH rules
- Creating a network subnet
- Creating a VPC access connector
- Creating a Router
- Obtaining an External IP
- Creating Cloud NAT
Set up a private IP for Cloud SQL
Use the SOULs command to configure your Google Cloud SQL instance for a private IP.
$ souls gcloud sql setup_private_ip
This command automatically performs the following:
- Creating a VPC IP address range
- Creating a VPC Peering Connector
- Enabling Cloud SQL Private IP
Editing .github/worker-*.yml
Add the two options printed to the console to the GitHub Actions workflow.
.github/workflow/worker.yml
# (omitted) #
name: Deploy to Cloud Run
run: |
gcloud run deploy ${{ secrets.APP_NAME }}-mailer \
--service-account=${{ secrets.APP_NAME }}@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com \
--image=gcr.io/${{ secrets.GCP_PROJECT_ID }}/${{secrets.APP_NAME}}-mailer \
+ --vpc-connector=souls-app-connector \
+ --vpc-egress=all \
--memory=4Gi \
--region=asia-northeast1 \
--allow-unauthenticated \
--platform=managed \
--quiet \
--concurrency=80 \
--port=8080 \
--set-cloudsql-instances=${{ secrets.GCLOUDSQL_INSTANCE }} \
--set-env-vars="DB_USER=${{ secrets.DB_USER }}" \
--set-env-vars="DB_PW=${{ secrets.DB_PW }}" \
--set-env-vars="DB_HOST=${{ secrets.DB_HOST }}" \
--set-env-vars="TZ=${{ secrets.TZ }}" \
--set-env-vars="SLACK=${{ secrets.SLACK }}" \
--set-env-vars="SECRET_KEY_BASE=${{ secrets.SECRET_KEY_BASE }}" \
--set-env-vars="PROJECT_ID=${{ secrets.GCP_PROJECT_ID }}"
Editing .github/api.yml
Also connect the API to the VPC connector in api.yml by adding just one line:
--vpc-connector=souls-app-connector
.github/workflow/api.yml
# (omitted) #
name: Deploy to Cloud Run
run: |
gcloud run deploy ${{ secrets.APP_NAME }}-mailer \
--service-account=${{ secrets.APP_NAME }}@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com \
--image=gcr.io/${{ secrets.GCP_PROJECT_ID }}/${{secrets.APP_NAME}}-mailer \
+ --vpc-connector=souls-app-connector \
--memory=4Gi \
--region=asia-northeast1 \
--allow-unauthenticated \
--platform=managed \
--quiet \
--concurrency=80 \
--port=8080 \
--set-cloudsql-instances=${{ secrets.GCLOUDSQL_INSTANCE }} \
--set-env-vars="DB_USER=${{ secrets.DB_USER }}" \
--set-env-vars="DB_PW=${{ secrets.DB_PW }}" \
--set-env-vars="DB_HOST=${{ secrets.DB_HOST }}" \
--set-env-vars="TZ=${{ secrets.TZ }}" \
--set-env-vars="SLACK=${{ secrets.SLACK }}" \
--set-env-vars="SECRET_KEY_BASE=${{ secrets.SECRET_KEY_BASE }}" \
--set-env-vars="PROJECT_ID=${{ secrets.GCP_PROJECT_ID }}"
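A deploy step that drops one of these flags fails quietly: the worker still deploys, but a request to the external system leaves from an instance IP instead of the Cloud NAT address and is rejected by the allow list. The checker below is an added example, not part of SOULs; it parses the `gcloud run deploy` command from a workflow's run block (the two sample run blocks are constructed from the worker and API workflows above) and distinguishes a worker that needs static egress from a service that only needs the connector for Cloud SQL's private IP.

```python
"""Lint a Cloud Run deploy step for the VPC flags this guide adds, so a
service that must call an allow-listed peer cannot silently bypass Cloud NAT."""
import re
import shlex

# Constructed sample: the worker's run block from this page, shortened.
WORKER_RUN_BLOCK = r"""
gcloud run deploy ${{ secrets.APP_NAME }}-mailer \
  --service-account=${{ secrets.APP_NAME }}@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com \
  --vpc-connector=souls-app-connector \
  --vpc-egress=all \
  --set-env-vars="DB_USER=${{ secrets.DB_USER }}" \
  --set-env-vars="DB_HOST=${{ secrets.DB_HOST }}"
"""
# Constructed sample: the API's run block, which this page gives only the connector.
API_RUN_BLOCK = WORKER_RUN_BLOCK.replace("  --vpc-egress=all \\\n", "")

def parse_deploy_flags(run_block):
    """Map each --flag of a `gcloud run deploy` command to its value (True for a
    bare flag, a list for a repeated one). Continuations are joined first and
    `${{ secrets.X }}` becomes `<secrets.X>` so shlex keeps it as one token."""
    text = re.sub(r"\\\r?\n", " ", run_block)
    text = re.sub(r"\$\{\{\s*([\w.]+)\s*\}\}", r"<\1>", text)
    argv = shlex.split(text)
    if argv[:3] != ["gcloud", "run", "deploy"] or len(argv) < 4:
        raise ValueError("not a gcloud run deploy command")
    flags = {"service": argv[3]}
    for arg in argv[4:]:
        if not arg.startswith("--"):
            continue
        name, has_value, value = arg[2:].partition("=")
        value = value if has_value else True
        if name in flags:  # repeated flag such as --set-env-vars: accumulate
            flags[name] = (flags[name] if isinstance(flags[name], list) else [flags[name]]) + [value]
        else:
            flags[name] = value
    return flags

def check_egress(run_block, needs_static_egress):
    """Findings for one service. A worker that calls an allow-listed peer needs
    both flags; a service that only reaches Cloud SQL's private IP needs just the
    connector, as the default private-ranges-only egress already covers RFC 1918."""
    flags = parse_deploy_flags(run_block)
    findings = []
    if "vpc-connector" not in flags:
        findings.append("no --vpc-connector: traffic never enters the VPC")
    if needs_static_egress and flags.get("vpc-egress") != "all":
        findings.append("--vpc-egress is not 'all': public destinations bypass Cloud NAT")
    return findings
```

Run it against the real run block of each workflow in CI, with `needs_static_egress=True` for every service that talks to an allow-listed peer.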
GitHub Actions Secret key update
Because Cloud SQL now has a private IP, overwrite the DB_HOST secret on GitHub with the PRIVATE_ADDRESS obtained earlier.
PRIVATE_ADDRESS can be displayed with the following command.
$ souls gcloud sql list
NAME DATABASE_VERSION LOCATION TIER PRIMARY_ADDRESS PRIVATE_ADDRESS STATUS
souls-app-db POSTGRES_13 asia-northeast1-b db-custom-2-7680 31.142.0.103 10.18.0.2 RUNNABLE
Set PRIVATE_ADDRESS as DB_HOST in the GitHub Secrets.
Deploy
$ git add .
$ git commit -m "add cloud nat"
$ git push origin main