具有Cloud NAT的VPC无服务器连接器出口的Google Cloud功能不起作用 [英] Google Cloud Functions with VPC Serverless Connector Egress with Cloud NAT not working
问题描述
这与以下已过时的问题有关
This is related to the following questions, which are outdated
- Possible to get static IP address for Google Cloud Functions?
- Google Cloud - Egress IP / NAT / Proxy for google cloud functions
当前GCP拥有VPC无服务器连接器,可让您通过VPC连接器路由所有流量并设置Cloud NAT以获取静态IP地址.
Currently GCP has VPC Serverless Connector that allows you to route all traffic through a VPC Connector and set up Cloud NAT to get static IP addresses.
我已遵循以下指南 https://cloud.google.com/functions/docs/networking/network-settings#associate-static-ip 使用区域us-east4
,但是来自我的云功能的外部请求总是超时.
I have followed the following guide https://cloud.google.com/functions/docs/networking/network-settings#associate-static-ip using the region us-east4
but external requests from my cloud function always timed out.
我不确定这是错误还是我错过了什么.
I'm not sure this is a bug or I have missed something.
为了确保我已遵循所有步骤,在可能的情况下,我使用gcloud
命令执行了所有步骤.这些命令是从GCP的指南中复制的.
To make sure I have followed everything, I did all the steps using gcloud
, command where possible. These commands are copied from the guides from GCP.
- 设置项目ID供以后使用
PROJECT_ID=my-test-gcf-vpc-nat
-
转到控制台并启用计费
Go to Console and enable billing
设置VPC和测试VM以测试Cloud NAT
Set up a VPC and a test VM to test Cloud NAT
gcloud services enable compute.googleapis.com \
--project $PROJECT_ID
gcloud compute networks create custom-network1 \
--subnet-mode custom \
--project $PROJECT_ID
gcloud compute networks subnets create subnet-us-east-192 \
--network custom-network1 \
--region us-east4 \
--range 192.168.1.0/24 \
--project $PROJECT_ID
gcloud compute instances create nat-test-1 \
--image-family debian-9 \
--image-project debian-cloud \
--network custom-network1 \
--subnet subnet-us-east-192 \
--zone us-east4-c \
--no-address \
--project $PROJECT_ID
gcloud compute firewall-rules create allow-ssh \
--network custom-network1 \
--source-ranges 35.235.240.0/20 \
--allow tcp:22 \
--project $PROJECT_ID
-
使用控制台创建的IAP SSH权限
Created IAP SSH permissions using Console
测试网络配置,如果没有Cloud NAT,则VM不能访问Internet
Test network config, the VM should not have internet access without Cloud NAT
gcloud compute ssh nat-test-1 \
--zone us-east4-c \
--command "curl -s ifconfig.io" \
--tunnel-through-iap \
--project $PROJECT_ID
命令以connection timed out
- 设置云NAT
gcloud compute routers create nat-router \
--network custom-network1 \
--region us-east4 \
--project $PROJECT_ID
gcloud compute routers nats create nat-config \
--router-region us-east4 \
--router nat-router \
--nat-all-subnet-ip-ranges \
--auto-allocate-nat-external-ips \
--project $PROJECT_ID
- 再次测试网络配置,VM应该可以通过Cloud NAT进行互联网访问
gcloud compute ssh nat-test-1 \
--zone us-east4-c \
--command "curl -s ifconfig.io" \
--tunnel-through-iap \
--project $PROJECT_ID
命令返回了IP地址
- 创建的VPC访问连接器
gcloud services enable vpcaccess.googleapis.com \
--project $PROJECT_ID
gcloud compute networks vpc-access connectors create custom-network1-us-east4 \
--network custom-network1 \
--region us-east4 \
--range 10.8.0.0/28 \
--project $PROJECT_ID
gcloud compute networks vpc-access connectors describe custom-network1-us-east4 \
--region us-east4 \
--project $PROJECT_ID
- 为Google Cloud Functions服务帐户添加了权限
gcloud services enable cloudfunctions.googleapis.com \
--project $PROJECT_ID
PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:service-$PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com \
--role=roles/viewer
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:service-$PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com \
--role=roles/compute.networkUser
- 有建议我应该添加其他防火墙规则和服务帐户权限
# Additional Firewall Rules
gcloud compute firewall-rules create custom-network1-allow-http \
--network custom-network1 \
--source-ranges 0.0.0.0/0 \
--allow tcp:80 \
--project $PROJECT_ID
gcloud compute firewall-rules create custom-network1-allow-https \
--network custom-network1 \
--source-ranges 0.0.0.0/0 \
--allow tcp:443 \
--project $PROJECT_ID
# Additional Permission, actually this service account has an Editor role already.
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:$PROJECT_ID@appspot.gserviceaccount.com \
--role=roles/compute.networkUser
- 已部署的测试云功能
index.js
const publicIp = require('public-ip')
exports.testVPC = async (req, res) => {
const v4 = await publicIp.v4()
const v6 = await publicIp.v6()
console.log('ip', [v4, v6])
return res.end(JSON.stringify([v4, v6]))
}
exports.testNoVPC = exports.testVPC
# Cloud Function with VPC Connector
gcloud functions deploy testVPC \
--runtime nodejs10 \
--trigger-http \
--vpc-connector custom-network1-us-east4 \
--egress-settings all \
--region us-east4 \
--allow-unauthenticated \
--project $PROJECT_ID
# Cloud Function without VPC Connector
gcloud functions deploy testNoVPC \
--runtime nodejs10 \
--trigger-http \
--region us-east4 \
--allow-unauthenticated \
--project $PROJECT_ID
不带VPC连接器的云功能通过IP地址响应 https://us-east4-my-test-gcf- vpc-nat.cloudfunctions.net/testNoVPC
The Cloud Function without VPC Connector responded with IP address https://us-east4-my-test-gcf-vpc-nat.cloudfunctions.net/testNoVPC
带有VPC连接器的云功能超时 https://us-east4-my-test-gcf- vpc-nat.cloudfunctions.net/testVPC
The Cloud Function with VPC Connector timed out https://us-east4-my-test-gcf-vpc-nat.cloudfunctions.net/testVPC
推荐答案
-
使用Compute Engine配置示例Cloud NAT设置.使用Compute Engine来测试是否成功完成了Cloud NAT的设置.
Configure a sample Cloud NAT setup with Compute Engine. Use the Compute Engine to test if your settings for Cloud NAT were done successfully.
配置无服务器VPC访问.确保在步骤1中创建的custom-network1
上创建VPC连接器.
Configuring Serverless VPC Access. Make sure you create the VPC connector on the custom-network1
made in step 1.
a.在网络连接"下,选择您在步骤2和Route all traffic through the VPC connector
中创建的连接器.
a.Under Networking choose the connector you created on step 2 and Route all traffic through the VPC connector
.
import requests
import json
from flask import escape
def hello_http(request):
response = requests.get('https://stackoverflow.com')
print(response.headers)
return 'Accessing stackoverflow from cloud function: {}!'.format(response.headers)
Cloud Nat,Vpc Connector和Cloud Function的区域为us-central1
The Region for Cloud Nat, Vpc Connector and Cloud Function is us-central1
4.测试该功能以查看是否可以访问互联网:
4.Test the function to see if you have access to internet:
Accessing stackoverflow from cloud function: {'Cache-Control': 'private', 'Content-Type': 'text/html; charset=utf-8', 'Content-Encoding': 'gzip', 'X-Frame-Options': 'SAMEORIGIN', 'X-Request-Guid': 'edf3d1f8-7466-4161-8170-ae4d6e615d5c', 'Strict-Transport-Security': 'max-age=15552000', 'Feature-Policy': "microphone 'none'; speaker 'none'", 'Content-Security-Policy': "upgrade-insecure-requests; frame-ancestors 'self' https://stackexchange.com", 'Content-Length': '26391', 'Accept-Ranges': 'bytes', 'Date': 'Sat, 28 Mar 2020 19:03:17 GMT', 'Via': '1.1 varnish', 'Connection': 'keep-alive', 'X-Served-By': 'cache-mdw17354-MDW', 'X-Cache': 'MISS', 'X-Cache-Hits': '0', 'X-Timer': 'S1585422197.002185,VS0,VE37', 'Vary': 'Accept-Encoding,Fastly-SSL', 'X-DNS-Prefetch-Control': 'off', 'Set-Cookie': 'prov=78ecd1a5-54ea-ab1d-6d19-2cf5dc44a86b; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly'}!
成功,现在您可以指定静态IP NAT地址
这篇关于具有Cloud NAT的VPC无服务器连接器出口的Google Cloud功能不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!