Cloud Run accessing Cloud SQL with Serverless VPC Connector
On Mar 18, 2021, there was a great announcement from Google Cloud Platform on Serverless VPC Access General Availability for Shared VPC which allows Cloud Functions, Cloud Run (fully managed) services, and App Engine standard environment apps to access resources in a VPC network using those resources’ private IPs.
We at Evonence were excited about this feature and used it in one of our recent implementations, where a few Cloud Run services needed to interact with Cloud SQL for PostgreSQL instances that have a private IP only. That connectivity was enabled simply by provisioning a Serverless VPC Connector, with zero code change.
Prerequisite
You have an existing containerized web application that interacts with Cloud SQL, or you use the Cloud Run + Cloud SQL sample from the Google Cloud Platform GitHub (the serverless-expeditions repository cloned in step 7 below).
The game starts now...
Make sure you have a GCP project with billing enabled and with the required APIs enabled: Compute Engine, Serverless VPC Access, Cloud Run, Service Networking, and so on.
1. Create a Serverless VPC Connector as shown below
2. Create a Cloud SQL for PostgreSQL Instance with Private address
3. Create a database named election
4. Create a SQL file say election.sql with the following content
CREATE TABLE IF NOT EXISTS votes (
  vote_id SERIAL NOT NULL,
  time_cast timestamp NOT NULL,
  candidate VARCHAR(6) NOT NULL,
  PRIMARY KEY (vote_id)
);
CREATE TABLE IF NOT EXISTS totals (
  total_id SERIAL NOT NULL,
  candidate VARCHAR(6) NOT NULL,
  num_votes INT DEFAULT 0,
  PRIMARY KEY (total_id)
);
INSERT INTO totals (candidate, num_votes) VALUES ('TABS', 0);
INSERT INTO totals (candidate, num_votes) VALUES ('SPACES', 0);
5. Create a Standard region Cloud Storage bucket as shown below
6. Import election.sql from the Cloud Storage bucket into the election database
7. Launch Cloud Shell and clone the Serverless-Expeditions GitHub repo with this command: git clone https://github.com/GoogleCloudPlatform/serverless-expeditions.git
8. Change directory: cd serverless-expeditions/cloud-run-cloud-sql/
9. Run gcloud builds submit -t gcr.io/$DEVSHELL_PROJECT_ID/cloudrun/serverless-app:v1.0 to build the container image with Cloud Build and push it to Google Container Registry. Do check out our recent blog on Automate “Cloud Run” Build & Deployment with Approval using “Cloud Build”
10. After a successful build, go to Google Container Registry, click on the container image, and click Deploy to Cloud Run
11. In Cloud Run, click Advanced Settings → Variables & Secrets and add the variables shown below
12. Then click Advanced Settings → Connections and select the Serverless VPC Connector provisioned in step 1
13. Since the application will be publicly accessible, enable “Allow unauthenticated invocations”
14. Click on the Cloud Run service URL and you will see a page like this; start voting...
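The fourteen console steps above, written out as gcloud and gsutil commands so that the security-relevant choices are explicit and reviewable before anything runs: the Cloud SQL instance gets no public IP, the Cloud Run service reaches it only through the connector, and the database password comes from Secret Manager instead of a plain environment variable. This is an added example, not code from the original post or from the serverless-expeditions repository. The project, region, network, connector, instance, bucket and service names are assumptions (override them through environment variables), and the DB_HOST, DB_USER, DB_NAME and DB_PASS variable names and the db-pass secret are placeholders, since the post's list of variables is in a screenshot that is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original post): the console walkthrough as gcloud commands.
# Every name below is an assumption; override it through the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"        # assumed project id
REGION="${REGION:-us-central1}"                    # assumed region
NETWORK="${NETWORK:-default}"                      # VPC shared by the connector and Cloud SQL
CONNECTOR="${CONNECTOR:-run-to-sql}"               # assumed connector name (step 1)
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"  # unused /28 in the VPC; connectors need a /28
INSTANCE="${INSTANCE:-election-pg}"                # assumed Cloud SQL instance name (step 2)
DB_NAME="election"                                 # database name from the post (step 3)
BUCKET="${BUCKET:-${PROJECT_ID}-sql-import}"       # assumed bucket name (step 5)
SERVICE="${SERVICE:-serverless-app}"               # assumed Cloud Run service name
IMAGE="gcr.io/${PROJECT_ID}/cloudrun/serverless-app:v1.0"  # image tag from step 9
PEERING_RANGE="google-managed-services-${NETWORK}" # reserved range for private services access

# Each *_cmd function prints the command(s) for one step, one per line, so the whole
# plan can be read (or asserted on) before it is executed.
enable_apis_cmd() {
  printf '%s\n' "gcloud services enable compute.googleapis.com vpcaccess.googleapis.com run.googleapis.com servicenetworking.googleapis.com sqladmin.googleapis.com cloudbuild.googleapis.com --project=$PROJECT_ID"
}

# Step 1: Serverless VPC Access connector in the VPC that holds the Cloud SQL private IP.
create_connector_cmd() {
  printf '%s\n' "gcloud compute networks vpc-access connectors create $CONNECTOR --region=$REGION --network=$NETWORK --range=$CONNECTOR_RANGE --project=$PROJECT_ID"
}

# Step 2: reserve a range and peer it for private services access, then create the
# instance with --no-assign-ip so it is reachable only on its private address.
create_sql_instance_cmd() {
  printf '%s\n' "gcloud compute addresses create $PEERING_RANGE --global --purpose=VPC_PEERING --prefix-length=16 --network=$NETWORK --project=$PROJECT_ID"
  printf '%s\n' "gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com --ranges=$PEERING_RANGE --network=$NETWORK --project=$PROJECT_ID"
  printf '%s\n' "gcloud sql instances create $INSTANCE --database-version=POSTGRES_13 --tier=db-f1-micro --region=$REGION --network=projects/$PROJECT_ID/global/networks/$NETWORK --no-assign-ip --project=$PROJECT_ID"
}

# Steps 3 to 6: database, bucket, upload election.sql (from the current directory),
# give the instance's service account read access to the bucket, import the schema.
import_schema_cmd() {
  printf '%s\n' "gcloud sql databases create $DB_NAME --instance=$INSTANCE --project=$PROJECT_ID"
  printf '%s\n' "gsutil mb -p $PROJECT_ID -l $REGION gs://$BUCKET"
  printf '%s\n' "gsutil cp election.sql gs://$BUCKET/election.sql"
  printf '%s\n' "gsutil iam ch serviceAccount:\$(gcloud sql instances describe $INSTANCE --project=$PROJECT_ID --format='value(serviceAccountEmailAddress)'):objectViewer gs://$BUCKET"
  printf '%s\n' "gcloud sql import sql $INSTANCE gs://$BUCKET/election.sql --database=$DB_NAME --project=$PROJECT_ID --quiet"
}

# Steps 7 to 9: clone the sample and build/push the image with Cloud Build.
build_image_cmd() {
  printf '%s\n' "git clone https://github.com/GoogleCloudPlatform/serverless-expeditions.git"
  printf '%s\n' "cd serverless-expeditions/cloud-run-cloud-sql && gcloud builds submit -t $IMAGE --project=$PROJECT_ID"
}

# Steps 10 to 13: deploy with the connector attached and unauthenticated access allowed,
# as in the post. DB_HOST/DB_USER/DB_NAME/DB_PASS and the db-pass secret are placeholders;
# DB_HOST is resolved to the instance's private address at apply time.
deploy_service_cmd() {
  printf '%s\n' "gcloud run deploy $SERVICE --image=$IMAGE --region=$REGION --platform=managed --vpc-connector=$CONNECTOR --vpc-egress=private-ranges-only --allow-unauthenticated --set-env-vars=DB_HOST=\$(gcloud sql instances describe $INSTANCE --project=$PROJECT_ID --format='value(ipAddresses[0].ipAddress)'),DB_USER=postgres,DB_NAME=$DB_NAME --set-secrets=DB_PASS=db-pass:latest --project=$PROJECT_ID"
}

# The full plan, in the order of the walkthrough.
plan() {
  enable_apis_cmd
  create_connector_cmd
  create_sql_instance_cmd
  import_schema_cmd
  build_image_cmd
  deploy_service_cmd
}

# 'plan' (the default) only prints; 'apply' runs each line in order, stopping on the first failure.
case "${1:-plan}" in
  plan)  plan ;;
  apply) plan | while IFS= read -r cmd; do printf '+ %s\n' "$cmd"; eval "$cmd"; done ;;
esac
```

Run the script with no argument to review the plan, and with apply to execute it. Two things the console flow hides that this makes visible: the connector's /28 must not overlap any existing subnet in the VPC, and the Cloud Run service account needs the Secret Manager Secret Accessor role on db-pass (create the secret before deploying) or the revision will fail to start.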
Benefits
Serverless VPC Access sends internal traffic from your VPC network to your serverless environment only when that traffic is a response to a request that was sent from your serverless environment through the Serverless VPC Access connector.
The entire implementation is created without any subnet or firewall rules.
Conclusion
Serverless VPC Access makes it possible for you to connect directly to your Virtual Private Cloud network from serverless environments such as Cloud Run, App Engine, or Cloud Functions. Configuring Serverless VPC Access allows your serverless environment to send requests to your VPC network using internal DNS and internal IP addresses (as defined by RFC 1918 and RFC 6598).