Which VPN clients can you recommend for Cloud VPN?

Hello,

I am setting up a development environment in a VPC with all the services deployed by Cloud Run, and I need it to be accessible only through a VPN client installed on my computer. In my previous job we used OpenVPN to connect, but I don't know if there are more suitable alternatives. Which VPN clients can you recommend for this particular case?

Thanks!

None. Cloud VPN does not support client-to-site VPN.

Set up Identity-Aware Proxy.
Basically the same thing and more secure.

Why do you want a VPN from your computer? Do you want to be the only one who can call your Cloud Run services? If that is the case, you can use IAP to protect your services (via a Load Balancer) and assign the IAP Web App user to yourself.
With App Engine you could use the firewall to restrict connections to only your IP (not possible directly on Cloud Run).

I see, then what could I do to solve this problem?

To clarify, Identity-Aware Proxy (IAP) is a Google Cloud service for remote administration.

It works easiest with HTTPS traffic but does support normal TCP/UDP traffic to other ports.

Takes a few mins to set up and doesn’t require an end-user agent (just a username/password… personally I would add MFA as well).

Because it was the only tool that I knew. Now I am aware of IAP and will go in that direction.

If your services are web-based, generally speaking, VPNs are not recommended as they rely on network trust and add a layer of complexity. We wrote a paper about this at Google, and offer it as a service on GCP.

This can be shocking to some folks coming from the VPN world, but when used properly it’s considerably safer than using a VPN for most use cases involving web interfaces. If it makes you feel better, virtually all of Google’s internal systems are exposed via BeyondCorp – no VPN needed :)

That is correct, but you could use a bastion host for TCP/UDP.

Interesting, thanks!! I’m very new to the network/architecture world and I am not aware of all the tools that are available. From what I’ve seen on the Google Cloud tutorials, you can establish it to a whole VPC or subnets to control access to it, right?

I’ve also seen that there are headers I can use for HTTP requests to Cloud Run called X-Serverless-Authorization, so I will have to study how it works for when I want to do requests from Postman for testing.

OK, it is a good decision.

Thanks a lot for the info! I’m very new to all of this and wasn’t aware of other alternatives. u/dcbased has mentioned IAP, and even though I am still studying how it works, it sounds really interesting and might be exactly what I’m looking for.

Here is a video that shows how to use IAP and Cloud Run together: https://youtu.be/ayTGOuCaxuc

It’s a useful setup for applications that should only be visible to users on your predefined access list.