问题描述
我将其中一项云功能的连接设置更改为仅允许内部流量" 设置.
I changed the connection setting of one of my cloud functions to 'Allow Internal Traffic Only' setting.
我的nodejs应用程序在与我的云函数相同的项目,相同的区域中运行.我从我的云功能中删除了'allUser'访问,并添加了 [email protected] 作为我的云功能调用者.
I have my nodejs app running in the same project, same region as my cloud function. I removed 'allUser' access from my cloud function and added [email protected] as Invoker of my cloud function.
但是当我从nodejs应用程序调用函数时,现在出现403错误.我该怎么做才能解决此问题?
But I am getting 403 error now when I am calling the function from my nodejs app. What can I do to fix this?
我遵循以下指导:此处
------------------ UPDATE ----------------
非常感谢您在下面的解释.现在已经开始有意义了.因此,到目前为止,我的设置如下:
Many thanks for explanation below. It has started making sense now. So My setup is as follows as of now:
云功能端:
- 我已添加 [email protected] 作为函数调用程序,并删除了"allUsers"作为调用程序.
- 在变量,网络和高级设置下,我单击了仅允许内部流量",然后在出口设置下,添加了先前使用 IP 10.8.0.0创建的连接器.我以以下格式添加了我的连接器:项目/PROJECT_ID/位置/区域/连接器/CONNECTOR_NAME ,并选择了通过VPC连接器路由所有流量
- I have added [email protected] as function invoker and removed 'allUsers' as an invoker.
- Under variables, networking and advanced settings I have clicked on 'Allow internal traffic only' and then under Egress settings I have added the connector which I created earlier with an IP 10.8.0.0. I have added my connector in the format : projects/PROJECT_ID/locations/REGION/connectors/CONNECTOR_NAME and selected Route all traffic through the VPC connector
App Engine(NODE js)端:
App Engine (NODE js) side:
当我公开调用该函数时,我使用的是给定的主机名.现在我的POST请求如下所示:
When I make a call to the function when it was publicly available, I was using the given hostname. Now my POST request looks like the following:
const optionsCFS = {
hostname: "10.8.0.0",//process.env.CLOUD_URL,
port: 443, //(tried 28 as well)
timeout: 5000,
path: process.env.CLOUD_ORDER_SAVE_PATH, // remaining path
method: 'POST',
headers: {
'Content-Type': 'application/application-json',
'Content-Length': CFSdata.length,
//'charset': 'utf-8'
}
}
console.log('Going to call CF ')
const orderReq = https.request(optionsCFS, resCFServer =>
{ // Do something })
我收到错误502-错误的网关.
I get Error 502 - Bad Gateway.
推荐答案
将流量设置为仅内部流量时,您对云功能(或云运行,行为相同)说:
When you set the traffic to internal only, you say to the Cloud Functions (or cloud run, it's the same behavior):
- 嘿,只接受来自VPC的流量.
但是,您不会说:
- 嘿,我的服务只能通过私有IP访问,而不能再通过公共IP访问
区别很重要,因为即使您将Cloud Functions(或Cloud Run)设置为进入模式仅允许内部流量
,该服务仍在Internet上公开,仍可公开访问,但是服务前面的网关(我猜是GFE,我是Google前端)执行另一项检查:您来自VPC吗?"
The difference is important, because even if you set your Cloud Functions (or your Cloud Run) with an ingress mode Allow internal traffic only
, the service is still exposed on the internet, still reachable publicly, but the gateway in front of your service (GFE I guess, Google Front End), perform an additional check: "Do you come from the VPC?"
此检查基于仅存在于内部Google联网中的流量元数据(这也意味着流量保留在Google Cloud主干网中,以保留这些元数据).
This check is based on the traffic metadata only present in the internal Google Network (that's also means that the traffic stay in the Google Cloud backbone, to keep these metadata).
因此,我继续我的解释....当您将无服务器VPC连接器设置为App Engine时,您只能将专用流量路由到符合RFC 1918的VPC连接器.
So, I continue my explanation.... When you set a serverless VPC connector to App Engine, you can only route the private traffic to the VPC connector, compliant with the RFC 1918.
但是,如上所述,云功能和云运行服务可以在Internet上访问,而不是在私有IP(符合RFC 1918)上可以访问.因此,您的App Engine流量不会通过无服务器的VPC连接器,也不会被接受为内部"流量.入口检查期间的流量.
However, as explained, the Cloud Functions, and the Cloud Run, service are reachable on the internet, not on a private IP (compliant with the RFC 1918). And thus, your App Engine traffic don't go through the serverless VPC connector, and can't be accepted as "internal" traffic during the ingress check.
借助Cloud Functions和Cloud Run,您可以将vpc-egress值设置为 private-ranges-only
(类似于App Engine的默认行为,仅路由RFC 1918中的IP范围)或 all
.您需要使用这种最新模式来从Cloud Functions或Cloud Run调用内部唯一服务.
With Cloud Functions and Cloud Run, you can set up the vpc-egress value to private-ranges-only
(similar to the default behavior of App Engine, route only the IPs in the RFC 1918 ranges) or all
. It's this latest mode that you need to use to call a internal only service from Cloud Functions or Cloud Run.
这篇关于Cloud Function返回403响应的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!