I have several Cloud Functions that are all setup and working well, each of type https.onRequest(....
I am trying to figure out the best / easiest way to allow the https.onRequest functions to be called only by specified IP addresses.
Can this be accomplished? I am guessing I need to create a service account with conditions, but I haven't been able to achieve the results I want.
You could use a GCE VM as a proxy with a firewall rule to only accept incoming traffic from the IP that you want.
The GCE VM could call the functions, and to avoid public traffic hitting your functions you could apply the internal-traffic flag to them.
Or you can move your functions to an App Engine service, which allows the use of firewall rules.
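An added example, not code from the original thread nor from Firebase or Google: an application-level IPv4 allow-list wrapper for an https.onRequest handler, meant as a second layer behind the firewall or proxy described above. It only trusts as many X-Forwarded-For entries as the deployment's own proxies append (the trusted-hop count is an assumption you must verify), and the CIDRs are constructed sample values.

```javascript
// Added example (not from the original thread): IPv4 allow-list guard for an
// https.onRequest handler, as a second layer behind the firewall/proxy above.
// Assumes a known number of trusted proxies that append to X-Forwarded-For.
const ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]; // constructed sample

function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const ipInt = ipv4ToInt(ip), baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// With N trusted proxies each appending the address they saw, the client is the
// Nth entry from the right; entries further left are caller-controlled. N must
// match the real deployment (assumption; verify it behind your load balancer).
function clientIp(req, trustedHops) {
  const xff = req.headers["x-forwarded-for"];
  if (typeof xff === "string" && xff.length > 0 && trustedHops > 0) {
    const hops = xff.split(",").map((s) => s.trim());
    if (hops.length >= trustedHops) return hops[hops.length - trustedHops];
  }
  return req.socket ? req.socket.remoteAddress : "";
}

function isAllowed(req, trustedHops = 1, cidrs = ALLOWED_CIDRS) {
  const ip = clientIp(req, trustedHops);
  return cidrs.some((c) => inCidr(ip, c));
}

// Wrap an https.onRequest handler so non-allow-listed callers get 403.
function ipAllowList(handler, trustedHops = 1) {
  return (req, res) => {
    if (!isAllowed(req, trustedHops)) return res.status(403).send("Forbidden");
    return handler(req, res);
  };
}
```

Anything that does not parse as a plain IPv4 address (including IPv6 or IPv4-mapped forms) fails closed, and a caller who prepends extra X-Forwarded-For entries cannot move their own address into the trusted position.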
Instead of allowing for all, I just want to open the port for the specific IP/URL, How we can do this in Google Cloud Platform?
As was already discussed in the comment section, you can use Google Cloud Firewall, which operates at Level 3, to create a rule and allow access from particular IP addresses:
Firewall rules are defined at the network level, and only apply to the network where they are created.
If you require URL filtering at Level 6/7, you can have a look at the Google Cloud Web Application Firewall, Google Cloud Armor.
Firebase Hosting did not provide enough security, but I love the features of Firebase. So I wrote a firebase function that renders dynamic content. I put it behind a google load balancer to be able to block all traffic except whitelisted IPs.
I hope to write a function that will whitelist the IP into cloud armor after a successful sign in. I hope to whitelist as many IPs as possible (1000+) and I will add a TTL to each IP as each session expires.
My goal is to strictly limit access and prevent a DDoS attack that could potentially bring the function down and accrue charges. A bearer token is not enough for my use case.
So this is a two part question, is it possible to whitelist IPs programmatically? Is there a limit to how many IPs I can whitelist?
Update:
According to https://cloud.google.com/armor/quotas, I can have 200 rules, each rule containing 10 IPs, meaning 2000 IPs. So my new question: is this a standard use case for Cloud Armor?
I understand I can get a quota increase, but there are other load balancer services such as Cloudflare with much larger IP whitelist. Although, I would like to stay within Google services.
According to the official documentation and @John Hanley's recommendation, you should not use IP whitelist filtering for your security model:
Note that using static IP address filtering is not considered a safe and effective means of protection. Instead, we suggest that you take a defense in depth approach using OAuth and Certs.
I would like to develop a Google Cloud Function that will subscribe to file changes in a Google Cloud Storage bucket and upload the file to a third party FTP site. This FTP site requires allow-listed IP addresses of clients.
As such, is it possible to get a static IP address for Google Cloud Functions containers?
Update: This feature is now available in GCP https://cloud.google.com/functions/docs/networking/network-settings#associate-static-ip
First of all, this is not an unreasonable request, don't get gaslighted. AWS Lambdas already support this feature and have for a while now. If you're interested in this feature please star this feature request: https://issuetracker.google.com/issues/112629904
Secondly, we arrived at a work-around, which I also posted to that issue; maybe this will work for you too:
Set up a VPC Connector
Create a Cloud NAT on the VPC
Create a Proxy host which does not have a public IP, so the egress traffic is routed through Cloud NAT
Configure a Cloud Function which uses the VPC Connector, and which is configured to use the Proxy server for all outbound traffic
A caveat to this approach:
We wanted to put the proxy in a Managed Instance Group and behind a GCP Internal LB so that it would dynamically scale, but GCP Support has confirmed this is not possible because the GCP ILB basically allow-lists the subnet, and the Cloud Function CIDR is outside that subnet
I hope this is helpful.
Update: Just the other day, they announced an early-access beta for this exact feature!!
"Cloud Functions PM here. We actually have an early-access preview of this feature if you'd like to test it out.
Please complete this form so we can add you..."
The form can be found in the Issue linked above.
See answer below -- it took a number of years, but this is now supported.
https://cloud.google.com/functions/docs/networking/network-settings#associate-static-ip
For those wanting to associate cloud functions with a static IP address in order to whitelist the IP for an API or something of the sort, I recommend checking out this step-by-step guide, which helped me a lot:
https://dev.to/alvardev/gcp-cloud-functions-with-a-static-ip-3fe9
I also want to specify that this solution works for Google Cloud Functions and Firebase Functions (as it is based on GCP).
This functionality is now natively part of Google Cloud Functions (see here)
It's a two-step process according to the GCF docs:
Associating function egress with a static IP address
In some cases, you might want traffic originating from your function to be associated with a static IP address. For example, this is useful if you are calling an external service that only allows requests from whitelisted IP addresses.
1. Route your function's egress through your VPC network. See the previous section, Routing function egress through your VPC network.
2. Set up Cloud NAT and specify a static IP address. Follow the guides at Specify subnet ranges for NAT and Specify IP addresses for NAT to set up Cloud NAT for the subnet associated with your function's Serverless VPC Access connector.
Refer to link below:
https://cloud.google.com/functions/docs/networking/network-settings#associate-static-ip
As per Google, the feature has been released; check out the whole thread:
https://issuetracker.google.com/issues/112629904
It's not possible to assign a static IP for Google Cloud Functions, as it's pretty much orthogonal to the nature of the architecture being 'serverless' i.e. allocate and deallocate servers on demand.
You can, however, leverage an HTTP proxy to achieve a similar effect. Set up a Google Compute Engine instance, assign it a static IP and install a proxy library such as https://www.npmjs.com/package/http-proxy. You can then route all your external API calls etc. through this proxy.
However, this probably reduces scale and flexibility, but it might be a workaround.