Google Cloud Functions with VPC Serverless Connector Egress with Cloud NAT not working
This is related to the following outdated question
Currently GCP has the Serverless VPC connector, which lets you route all traffic through the VPC connector and set up Cloud NAT to get a static IP address.
I followed the guide at https://cloud.google.com/functions/docs/networking/network-settings#associate-static-ip using region us-east4, but external requests from my Cloud Function always time out.
I'm not sure whether this is a bug or whether I'm missing something.
Edit:
To make sure I followed every step, I ran all the steps with gcloud commands where possible. The commands are copied from GCP's guides.
- Setting the project ID for later use

```sh
PROJECT_ID=my-test-gcf-vpc-nat
```

Went to the console and enabled billing.

- Set up a VPC and a test VM to test Cloud NAT

```sh
gcloud services enable compute.googleapis.com \
    --project $PROJECT_ID
gcloud compute networks create custom-network1 \
    --subnet-mode custom \
    --project $PROJECT_ID
gcloud compute networks subnets create subnet-us-east-192 \
    --network custom-network1 \
    --region us-east4 \
    --range 192.168.1.0/24 \
    --project $PROJECT_ID
gcloud compute instances create nat-test-1 \
    --image-family debian-9 \
    --image-project debian-cloud \
    --network custom-network1 \
    --subnet subnet-us-east-192 \
    --zone us-east4-c \
    --no-address \
    --project $PROJECT_ID
gcloud compute firewall-rules create allow-ssh \
    --network custom-network1 \
    --source-ranges 35.235.240.0/20 \
    --allow tcp:22 \
    --project $PROJECT_ID
```

Created the IAP SSH permissions using the console.

Test the network configuration; without Cloud NAT the VM should not be able to reach the internet:

```sh
gcloud compute ssh nat-test-1 \
    --zone us-east4-c \
    --command "curl -s ifconfig.io" \
    --tunnel-through-iap \
    --project $PROJECT_ID
```

The command responds with `connection timed out`.
- Set up Cloud NAT

```sh
gcloud compute routers create nat-router \
    --network custom-network1 \
    --region us-east4 \
    --project $PROJECT_ID
gcloud compute routers nats create nat-config \
    --router-region us-east4 \
    --router nat-router \
    --nat-all-subnet-ip-ranges \
    --auto-allocate-nat-external-ips \
    --project $PROJECT_ID
```

- Test the network configuration again; the VM should now reach the internet through Cloud NAT

```sh
gcloud compute ssh nat-test-1 \
    --zone us-east4-c \
    --command "curl -s ifconfig.io" \
    --tunnel-through-iap \
    --project $PROJECT_ID
```

The command responds with an IP address.
- Created the VPC Access connector

```sh
gcloud services enable vpcaccess.googleapis.com \
    --project $PROJECT_ID
gcloud compute networks vpc-access connectors create custom-network1-us-east4 \
    --network custom-network1 \
    --region us-east4 \
    --range 10.8.0.0/28 \
    --project $PROJECT_ID
gcloud compute networks vpc-access connectors describe custom-network1-us-east4 \
    --region us-east4 \
    --project $PROJECT_ID
```

- Added permissions for the Google Cloud Functions service account

```sh
gcloud services enable cloudfunctions.googleapis.com \
    --project $PROJECT_ID
PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member=serviceAccount:service-$PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com \
    --role=roles/viewer
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member=serviceAccount:service-$PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com \
    --role=roles/compute.networkUser
```
- Someone suggested that I should add extra firewall rules and service account permissions

```sh
# Additional Firewall Rules
gcloud compute firewall-rules create custom-network1-allow-http \
    --network custom-network1 \
    --source-ranges 0.0.0.0/0 \
    --allow tcp:80 \
    --project $PROJECT_ID
gcloud compute firewall-rules create custom-network1-allow-https \
    --network custom-network1 \
    --source-ranges 0.0.0.0/0 \
    --allow tcp:443 \
    --project $PROJECT_ID
# Additional Permission, actually this service account has an Editor role already.
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member=serviceAccount:$PROJECT_ID@appspot.gserviceaccount.com \
    --role=roles/compute.networkUser
```
- Deployed the test Cloud Functions

index.js

```js
const publicIp = require('public-ip')

// Looks up the function's public IPv4 and IPv6 addresses via an external
// service and returns both; with Cloud NAT in the path the IPv4 address
// should be the NAT address.
exports.testVPC = async (req, res) => {
  const v4 = await publicIp.v4()
  const v6 = await publicIp.v6()
  console.log('ip', [v4, v6])
  return res.end(JSON.stringify([v4, v6]))
}

// Same handler, deployed once with and once without the VPC connector.
exports.testNoVPC = exports.testVPC
```

```sh
# Cloud Function with VPC Connector
gcloud functions deploy testVPC \
    --runtime nodejs10 \
    --trigger-http \
    --vpc-connector custom-network1-us-east4 \
    --egress-settings all \
    --region us-east4 \
    --allow-unauthenticated \
    --project $PROJECT_ID
# Cloud Function without VPC Connector
gcloud functions deploy testNoVPC \
    --runtime nodejs10 \
    --trigger-http \
    --region us-east4 \
    --allow-unauthenticated \
    --project $PROJECT_ID
```

The Cloud Function without the VPC connector responds with the IP addresses:
https://us-east4-my-test-gcf-vpc-nat.cloudfunctions.net/testNoVPC

The Cloud Function with the VPC connector times out:
https://us-east4-my-test-gcf-vpc-nat.cloudfunctions.net/testVPC
1. Configure a sample Cloud NAT setup with Compute Engine. Use Compute Engine to test that your Cloud NAT setup completed successfully.
2. Configuring Serverless VPC Access. Make sure the VPC connector is created on the custom-network1 you created in step 1.
3. a. Under Networking, select the connector you created in step 2 and "Route all traffic through the VPC connector".

```python
import requests


def hello_http(request):
    # HTTP-triggered Cloud Function: makes one outbound request and echoes the
    # response headers, so a timeout here means egress is not working.
    response = requests.get('https://whosebug.com')
    print(response.headers)
    return 'Accessing Whosebug from cloud function: {}!'.format(response.headers)
```

The region of the Cloud NAT, the VPC connector and the Cloud Function is us-central1.

4. Test the function to see whether it has internet access:

```
Accessing Whosebug from cloud function: {'Cache-Control': 'private', 'Content-Type': 'text/html; charset=utf-8', 'Content-Encoding': 'gzip', 'X-Frame-Options': 'SAMEORIGIN', 'X-Request-Guid': 'edf3d1f8-7466-4161-8170-ae4d6e615d5c', 'Strict-Transport-Security': 'max-age=15552000', 'Feature-Policy': "microphone 'none'; speaker 'none'", 'Content-Security-Policy': "upgrade-insecure-requests; frame-ancestors 'self' https://stackexchange.com", 'Content-Length': '26391', 'Accept-Ranges': 'bytes', 'Date': 'Sat, 28 Mar 2020 19:03:17 GMT', 'Via': '1.1 varnish', 'Connection': 'keep-alive', 'X-Served-By': 'cache-mdw17354-MDW', 'X-Cache': 'MISS', 'X-Cache-Hits': '0', 'X-Timer': 'S1585422197.002185,VS0,VE37', 'Vary': 'Accept-Encoding,Fastly-SSL', 'X-DNS-Prefetch-Control': 'off', 'Set-Cookie': 'prov=78ecd1a5-54ea-ab1d-6d19-2cf5dc44a86b; domain=.whosebug.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly'}!
```

Check that the Cloud NAT router was created in the same VPC that Serverless VPC Access uses.
Also check that the Cloud Function is deployed in the same region as the Cloud Router that Cloud NAT uses.
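The two checks in the answer (same VPC as the connector, same region as the Cloud Router) are easy to get wrong by hand when resources are spread over several regions, so here is an added example that does them mechanically. This is not code from the question or the answer: it is a POSIX shell script that parses the YAML printed by `gcloud ... describe` for the connector, the Cloud Router and the function, and reports every field that does not line up, including whether the function actually references the connector with egress set to all traffic. The three describe outputs are constructed inline so the script runs offline; the field names (`name`, `network`, `region`, `vpcConnector`, `vpcConnectorEgressSettings`) are assumptions about the describe format, not something the page states.

```shell
#!/bin/sh
# Added example (not from the original question or answer). In real use, replace
# the constructed strings below with captured output such as:
#   gcloud compute networks vpc-access connectors describe NAME --region REGION
#   gcloud compute routers describe NAME --region REGION
#   gcloud functions describe NAME --region REGION
# The YAML field names used here are assumptions about that output.

# Constructed: a connector that matches the question's setup.
CONNECTOR_OK='name: projects/my-test-gcf-vpc-nat/locations/us-east4/connectors/custom-network1-us-east4
network: custom-network1
ipCidrRange: 10.8.0.0/28
state: READY'

# Constructed: a Cloud Router in the same VPC and region as the connector.
ROUTER_OK='name: nat-router
network: https://www.googleapis.com/compute/v1/projects/my-test-gcf-vpc-nat/global/networks/custom-network1
region: https://www.googleapis.com/compute/v1/projects/my-test-gcf-vpc-nat/regions/us-east4'

# Constructed failure case: router on a different VPC and in a different region,
# the misconfiguration the answer tells you to look for.
ROUTER_WRONG='name: nat-router
network: https://www.googleapis.com/compute/v1/projects/my-test-gcf-vpc-nat/global/networks/default
region: https://www.googleapis.com/compute/v1/projects/my-test-gcf-vpc-nat/regions/us-central1'

# Constructed: the function as deployed with --vpc-connector and --egress-settings all.
FUNCTION_OK='name: projects/my-test-gcf-vpc-nat/locations/us-east4/functions/testVPC
vpcConnector: projects/my-test-gcf-vpc-nat/locations/us-east4/connectors/custom-network1-us-east4
vpcConnectorEgressSettings: ALL_TRAFFIC'

# field DESC KEY -> value of the "KEY: value" line, reduced to its last path
# component so that a bare name and a full resource URL compare equal.
field() {
  printf '%s\n' "$1" | sed -n "s/^$2: *//p" | sed 's#.*/##'
}

# region_from_name DESC -> the REGION segment of "projects/.../locations/REGION/..."
region_from_name() {
  printf '%s\n' "$1" | sed -n 's#^name: .*/locations/\([^/]*\)/.*#\1#p'
}

# check_alignment CONNECTOR_DESC ROUTER_DESC FUNCTION_DESC
# Prints every mismatch; returns 0 only when all checks pass.
check_alignment() {
  conn_name=$(field "$1" name)
  conn_net=$(field "$1" network)
  conn_region=$(region_from_name "$1")
  router_net=$(field "$2" network)
  router_region=$(field "$2" region)
  fn_region=$(region_from_name "$3")
  fn_connector=$(field "$3" vpcConnector)
  fn_egress=$(field "$3" vpcConnectorEgressSettings)
  rc=0
  [ "$conn_net" = "$router_net" ] ||
    { echo "MISMATCH: connector is on VPC '$conn_net' but the Cloud Router is on '$router_net'"; rc=1; }
  [ "$conn_region" = "$router_region" ] ||
    { echo "MISMATCH: connector region '$conn_region' != Cloud Router region '$router_region'"; rc=1; }
  [ "$fn_region" = "$router_region" ] ||
    { echo "MISMATCH: function region '$fn_region' != Cloud Router region '$router_region'"; rc=1; }
  [ "$fn_connector" = "$conn_name" ] ||
    { echo "MISMATCH: function uses connector '$fn_connector', expected '$conn_name'"; rc=1; }
  [ "$fn_egress" = "ALL_TRAFFIC" ] ||
    { echo "MISMATCH: egress setting is '$fn_egress'; NAT only applies to traffic routed through the connector"; rc=1; }
  if [ "$rc" -eq 0 ]; then
    echo "OK: connector, Cloud Router and function line up"
  fi
  return "$rc"
}

# Demonstration: the aligned setup passes, the misplaced router is reported.
check_alignment "$CONNECTOR_OK" "$ROUTER_OK" "$FUNCTION_OK"
check_alignment "$CONNECTOR_OK" "$ROUTER_WRONG" "$FUNCTION_OK" || echo "(mismatches above are the expected result for the constructed failure case)"
```

Comparing only the last path component is deliberate: the connector's `network` field is a bare name while the router's is a full resource URL, and a naive string comparison of the two would always report a mismatch.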