I was wondering if someone knows how to block access from a specific IP range inside a VPC to a Cloud Run instance connected through an Internal Load Balancer (ILB).
My setup is as follows:
- ILB (Serverless NEG) -> Cloud Run with Internal Ingress
Some examples for what I want to achieve:
- VM 10.10.10.10 -> ILB -> Cloud Run (Is allowed to access).
- VM 10.10.20.10 -> ILB -> Cloud Run (Is not allowed to access)
I tried firewall rules, but it seems the rule doesn't apply to Cloud Run and the ILB simply bypasses it (I even tried a Deny all rule for 0.0.0.0/0 and nothing happens).
Is this possible, or do I need another service to achieve this?
To do this, you must combine VPC firewall rules and Cloud Armor rules.
First, you must create a VPC firewall rule to deny traffic from the specific IP range to the ILB.
Once you have created the VPC firewall rule, you must create a Cloud Armor rule to block traffic from the specific IP range.
The VPC firewall rule must be created before the Cloud Armor rule.
If you are using a Cloud Run service with internal ingress, you must also ensure that the Cloud Armor security policy is attached to the Cloud Run service.
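As an added example (not code from the original thread or from Google's documentation), here is the Cloud Armor part of the answer above as gcloud commands. It assumes the ILB is a regional internal Application Load Balancer, where Cloud Armor is configured through a regional security policy attached to the backend service that holds the serverless NEG; the region `us-central1`, the backend service name `cloudrun-ilb-backend`, the policy name `deny-vm-subnet-policy` and the range `10.10.20.0/24` are made-up values chosen to match the question. The VPC firewall rule step of the answer is not shown. By default the script only prints the commands; set `APPLY=1` to execute them.

```shell
#!/usr/bin/env sh
# Added example: deny one VPC range at the ILB with a regional Cloud Armor
# policy in front of a Cloud Run serverless NEG. All names below are assumed.
set -eu

REGION="${REGION:-us-central1}"                              # assumed ILB region
BACKEND_SERVICE="${BACKEND_SERVICE:-cloudrun-ilb-backend}"  # assumed backend service with the serverless NEG
POLICY="${POLICY:-deny-vm-subnet-policy}"                   # assumed policy name
BLOCKED_RANGE="${BLOCKED_RANGE:-10.10.20.0/24}"             # covers 10.10.20.10 from the question

# Print the command unless APPLY=1, so the plan can be reviewed first.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# 1. Regional security policy (regional internal ALBs use regional policies).
create_policy() {
  run gcloud compute security-policies create "$POLICY" \
    --region="$REGION" \
    --type=CLOUD_ARMOR \
    --description="Block $BLOCKED_RANGE from reaching Cloud Run via the ILB"
}

# 2. Deny rule for the blocked range. Lower priority numbers match first;
#    the default rule (priority 2147483647) is left as allow, so every other
#    VPC source, including 10.10.10.10, keeps working.
add_deny_rule() {
  run gcloud compute security-policies rules create 1000 \
    --security-policy="$POLICY" \
    --region="$REGION" \
    --src-ip-ranges="$BLOCKED_RANGE" \
    --action=deny-403 \
    --description="Deny $BLOCKED_RANGE"
}

# 3. Attach the policy to the backend service that fronts the serverless NEG;
#    this is the object Cloud Armor binds to, not the Cloud Run service itself.
attach_policy() {
  run gcloud compute backend-services update "$BACKEND_SERVICE" \
    --region="$REGION" \
    --security-policy="$POLICY"
}

# 4. Check: show the resulting rules so the deny entry can be confirmed.
show_rules() {
  run gcloud compute security-policies rules list \
    --security-policy="$POLICY" \
    --region="$REGION"
}

all() {
  create_policy
  add_deny_rule
  attach_policy
  show_rules
}

all
```

Once applied, a request from 10.10.20.10 through the ILB gets an HTTP 403 from Cloud Armor before it reaches Cloud Run, while 10.10.10.10 is unaffected. Two things to keep in mind: the policy is bound to the load balancer's backend service, so it only governs traffic that actually traverses the ILB, and with Cloud Run ingress set to internal a VM in the VPC can still call the service's run.app URL directly, which this policy does not cover.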