Google Cloud Functions with VPC Serverless Connector Egress with Cloud NAT not working


Problem description


This is related to the following questions, which are outdated

  • Possible to get static IP address for Google Cloud Functions?
  • Google Cloud - Egress IP / NAT / Proxy for google cloud functions


Currently GCP has VPC Serverless Connector that allows you to route all traffic through a VPC Connector and set up Cloud NAT to get static IP addresses.


I have followed the following guide https://cloud.google.com/functions/docs/networking/network-settings#associate-static-ip using the region us-east4 but external requests from my cloud function always timed out.


I'm not sure this is a bug or I have missed something.


To make sure I have followed everything, I did all the steps using gcloud, command where possible. These commands are copied from the guides from GCP.

  1. Set the project ID for later use

PROJECT_ID=my-test-gcf-vpc-nat

  2. Go to Console and enable billing

  3. Set up a VPC and a test VM to test Cloud NAT

gcloud services enable compute.googleapis.com \
  --project $PROJECT_ID

gcloud compute networks create custom-network1 \
  --subnet-mode custom \
  --project $PROJECT_ID

gcloud compute networks subnets create subnet-us-east-192 \
  --network custom-network1 \
  --region us-east4 \
  --range 192.168.1.0/24 \
  --project $PROJECT_ID

gcloud compute instances create nat-test-1 \
  --image-family debian-9 \
  --image-project debian-cloud \
  --network custom-network1 \
  --subnet subnet-us-east-192 \
  --zone us-east4-c \
  --no-address \
  --project $PROJECT_ID

gcloud compute firewall-rules create allow-ssh \
  --network custom-network1 \
  --source-ranges 35.235.240.0/20 \
  --allow tcp:22 \
  --project $PROJECT_ID

  4. Created IAP SSH permissions using Console

  5. Test network config, the VM should not have internet access without Cloud NAT

gcloud compute ssh nat-test-1 \
  --zone us-east4-c \
  --command "curl -s ifconfig.io" \
  --tunnel-through-iap \
  --project $PROJECT_ID

The command failed with connection timed out

  6. Set up Cloud NAT

gcloud compute routers create nat-router \
  --network custom-network1 \
  --region us-east4 \
  --project $PROJECT_ID

gcloud compute routers nats create nat-config \
  --router-region us-east4 \
  --router nat-router \
  --nat-all-subnet-ip-ranges \
  --auto-allocate-nat-external-ips \
  --project $PROJECT_ID

  7. Test the network config again, the VM should have internet access through Cloud NAT

gcloud compute ssh nat-test-1 \
  --zone us-east4-c \
  --command "curl -s ifconfig.io" \
  --tunnel-through-iap \
  --project $PROJECT_ID

The command returned an IP address

  8. Created the VPC Access Connector

gcloud services enable vpcaccess.googleapis.com \
  --project $PROJECT_ID

gcloud compute networks vpc-access connectors create custom-network1-us-east4 \
  --network custom-network1 \
  --region us-east4 \
  --range 10.8.0.0/28 \
  --project $PROJECT_ID

gcloud compute networks vpc-access connectors describe custom-network1-us-east4 \
  --region us-east4 \
  --project $PROJECT_ID

  9. Added permissions for the Google Cloud Functions service account

gcloud services enable cloudfunctions.googleapis.com \
  --project $PROJECT_ID

PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member=serviceAccount:service-$PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com \
  --role=roles/viewer

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member=serviceAccount:service-$PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com \
  --role=roles/compute.networkUser

  10. It was suggested that I should add additional firewall rules and service account permissions

# Additional Firewall Rules
gcloud compute firewall-rules create custom-network1-allow-http \
  --network custom-network1 \
  --source-ranges 0.0.0.0/0 \
  --allow tcp:80 \
  --project $PROJECT_ID

gcloud compute firewall-rules create custom-network1-allow-https \
  --network custom-network1 \
  --source-ranges 0.0.0.0/0 \
  --allow tcp:443 \
  --project $PROJECT_ID


# Additional Permission, actually this service account has an Editor role already.
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member=serviceAccount:$PROJECT_ID@appspot.gserviceaccount.com \
  --role=roles/compute.networkUser

  11. Deployed test Cloud Functions

index.js

// Resolves the function's public egress address via the public-ip package;
// both functions share one handler so the only difference is the deploy flags.
const publicIp = require('public-ip')

exports.testVPC = async (req, res) => {
  // Each lookup goes out to a public service, so through the VPC connector
  // with egress "all" it must traverse Cloud NAT to succeed.
  const v4 = await publicIp.v4()
  const v6 = await publicIp.v6()
  console.log('ip', [v4, v6])
  return res.end(JSON.stringify([v4, v6]))
}
// Same code, deployed once with and once without the VPC connector
exports.testNoVPC = exports.testVPC

# Cloud Function with VPC Connector
gcloud functions deploy testVPC \
  --runtime nodejs10 \
  --trigger-http \
  --vpc-connector custom-network1-us-east4 \
  --egress-settings all \
  --region us-east4 \
  --allow-unauthenticated \
  --project $PROJECT_ID

# Cloud Function without VPC Connector
gcloud functions deploy testNoVPC \
  --runtime nodejs10 \
  --trigger-http \
  --region us-east4 \
  --allow-unauthenticated \
  --project $PROJECT_ID


The Cloud Function without VPC Connector responded with IP address https://us-east4-my-test-gcf-vpc-nat.cloudfunctions.net/testNoVPC


The Cloud Function with VPC Connector timed out https://us-east4-my-test-gcf-vpc-nat.cloudfunctions.net/testVPC

Answer

  1. Configure a sample Cloud NAT setup with Compute Engine. Use the Compute Engine to test if your settings for Cloud NAT were done successfully.

  2. Configuring Serverless VPC Access. Make sure you create the VPC connector on the custom-network1 made in step 1.

  3. Create a Google Cloud Function

a. Under Networking, choose the connector you created in step 2 and Route all traffic through the VPC connector.


import requests

def hello_http(request):
    # Outbound HTTPS request; with "route all traffic through the VPC connector"
    # this only succeeds if Cloud NAT gives the connector a path to the internet.
    response = requests.get('https://stackoverflow.com')

    print(response.headers)
    return 'Accessing stackoverflow from cloud function:  {}!'.format(response.headers)


The Region for Cloud Nat, Vpc Connector and Cloud Function is us-central1

  4. Test the function to see if you have access to the internet:

Accessing stackoverflow from cloud function:  {'Cache-Control': 'private', 'Content-Type': 'text/html; charset=utf-8', 'Content-Encoding': 'gzip', 'X-Frame-Options': 'SAMEORIGIN', 'X-Request-Guid': 'edf3d1f8-7466-4161-8170-ae4d6e615d5c', 'Strict-Transport-Security': 'max-age=15552000', 'Feature-Policy': "microphone 'none'; speaker 'none'", 'Content-Security-Policy': "upgrade-insecure-requests; frame-ancestors 'self' https://stackexchange.com", 'Content-Length': '26391', 'Accept-Ranges': 'bytes', 'Date': 'Sat, 28 Mar 2020 19:03:17 GMT', 'Via': '1.1 varnish', 'Connection': 'keep-alive', 'X-Served-By': 'cache-mdw17354-MDW', 'X-Cache': 'MISS', 'X-Cache-Hits': '0', 'X-Timer': 'S1585422197.002185,VS0,VE37', 'Vary': 'Accept-Encoding,Fastly-SSL', 'X-DNS-Prefetch-Control': 'off', 'Set-Cookie': 'prov=78ecd1a5-54ea-ab1d-6d19-2cf5dc44a86b; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly'}!

Success, now you can specify a static NAT IP address.
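The answer's key point is that the Cloud NAT router, the VPC connector and the function must line up (same network, same region, NAT covering the connector's range, egress set to route all traffic), and the question's own walkthrough is a manual version of exactly those checks. The following script, added here as an example rather than code from either the question or the answer, encodes those checks over the JSON that `gcloud ... describe --format=json` prints for the router, the NAT config, the connector and the function. The field names (`network`, `region`, `ipCidrRange`, `state`, `vpcConnector`, `vpcConnectorEgressSettings`, `sourceSubnetworkIpRangesToNat`, `natIpAllocateOption`) are the ones I know from gcloud output and are an assumption to verify against your own `describe` output; the sample documents are constructed to mirror the question's us-east4 setup, not captured from a real project.

```python
"""Consistency checks for a Cloud Functions -> Serverless VPC Access -> Cloud NAT egress path.

Added example. Run with four JSON files (router, nat, connector, function) as
arguments, or with no arguments to check the constructed samples below.
"""
import json
import sys

# Constructed samples mirroring the question's setup (field names as assumed above).
ROUTER = {
    "name": "nat-router",
    "network": "https://www.googleapis.com/compute/v1/projects/my-test-gcf-vpc-nat/global/networks/custom-network1",
    "region": "https://www.googleapis.com/compute/v1/projects/my-test-gcf-vpc-nat/regions/us-east4",
}
NAT = {
    "name": "nat-config",
    "natIpAllocateOption": "AUTO_ONLY",
    "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
}
CONNECTOR = {
    "name": "projects/my-test-gcf-vpc-nat/locations/us-east4/connectors/custom-network1-us-east4",
    "network": "custom-network1",
    "ipCidrRange": "10.8.0.0/28",
    "state": "READY",
}
FUNCTION_VPC = {
    "name": "projects/my-test-gcf-vpc-nat/locations/us-east4/functions/testVPC",
    "vpcConnector": "projects/my-test-gcf-vpc-nat/locations/us-east4/connectors/custom-network1-us-east4",
    "vpcConnectorEgressSettings": "ALL_TRAFFIC",
}
FUNCTION_NO_VPC = {
    "name": "projects/my-test-gcf-vpc-nat/locations/us-east4/functions/testNoVPC",
}


def _last(path):
    """Trailing segment of a resource URL or path: '.../regions/us-east4' -> 'us-east4'."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def _after(path, key):
    """Segment following `key`: 'projects/p/locations/us-east4/...' -> 'us-east4'."""
    parts = path.strip("/").split("/")
    return parts[parts.index(key) + 1] if key in parts else None


def check_egress_path(router, nat, connector, function):
    """Return (errors, notes). Errors break egress; notes mean egress works but is not static."""
    errors, notes = [], []
    net_router, region_router = _last(router["network"]), _last(router["region"])
    net_conn, region_conn = _last(connector["network"]), _after(connector["name"], "locations")
    region_fn = _after(function["name"], "locations")

    # The function must be attached to this connector and send *all* traffic through it;
    # the default egress setting only routes RFC 1918 destinations via the connector.
    if "vpcConnector" not in function:
        errors.append("function has no VPC connector: egress bypasses Cloud NAT")
    elif _last(function["vpcConnector"]) != _last(connector["name"]):
        errors.append("function is attached to a different connector")
    if function.get("vpcConnectorEgressSettings") != "ALL_TRAFFIC":
        errors.append("egress setting is not ALL_TRAFFIC: public traffic skips the connector")

    # Connector, NAT router and function must share one network and one region.
    if net_conn != net_router:
        errors.append(f"connector network {net_conn!r} != NAT router network {net_router!r}")
    if not (region_router == region_conn == region_fn):
        errors.append(f"regions differ: router={region_router} connector={region_conn} function={region_fn}")
    if connector.get("state") != "READY":
        errors.append(f"connector state is {connector.get('state')!r}, expected READY")

    # NAT must translate the connector's source range, either via "all subnet ranges"
    # or by explicitly listing the subnet the connector was created in.
    mode = nat.get("sourceSubnetworkIpRangesToNat")
    if mode != "ALL_SUBNETWORKS_ALL_IP_RANGES":
        listed = {_last(s["name"]) for s in nat.get("subnetworks", [])}
        subnet = (connector.get("subnet") or {}).get("name")
        if subnet is None:
            errors.append(f"NAT mode {mode} but connector uses its own range {connector.get('ipCidrRange')}")
        elif subnet not in listed:
            errors.append(f"NAT mode {mode} and connector subnet {subnet!r} is not listed")

    # Auto-allocated NAT IPs work but can change; a static egress IP needs MANUAL_ONLY.
    if nat.get("natIpAllocateOption") != "MANUAL_ONLY":
        notes.append("NAT IPs are auto-allocated: egress works, but the address is not static")
    return errors, notes


def check_files(paths):
    """Load router, nat, connector, function JSON files (in that order) and check them."""
    docs = [json.load(open(p)) for p in paths]
    return check_egress_path(*docs)


if __name__ == "__main__":
    if len(sys.argv) == 5:
        errors, notes = check_files(sys.argv[1:])
    else:
        errors, notes = check_egress_path(ROUTER, NAT, CONNECTOR, FUNCTION_VPC)
    for line in errors:
        print("ERROR:", line)
    for line in notes:
        print("NOTE: ", line)
    sys.exit(1 if errors else 0)
```

Against the question's own configuration the checker reports no errors and one note (auto-allocated NAT IPs), which matches the answer's closing remark that the static address is the remaining step; against `testNoVPC` it reports two errors, since that function neither has a connector nor routes all traffic through one.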
