I have a service on Cloud Run (Service A) that is trying to call another service on Cloud Run (Service B). Both the services are in us-east1. For Service B, Ingress is set to 'Allow internal traffic only' and Authentication is set to 'Allow unauthenticated invocations'.
I created a Serverless VPC Connector in the same region as the services and set the IP address range to 10.8.0.0/28.
I then connected Service A to the connector mentioned above and set 'Route only requests to private IPs through the VPC connector'.
I seem to be getting a 403 when attempting to hit the service. Has anyone had this issue? If so, how did you solve this problem?
You need to set the egress to All, to route all the traffic to the serverless VPC connector.
Indeed, even if you set the service B to internal egress, the Cloud Run service is still exposed publicly, but an additional check is performed on the requests that come in to validate the traffic origin (comes from your VPC or not).
In your case, in the service A, with the private-ranges-only egress, you route only the traffic going to private IPs, and that is not the case for the always-publicly-exposed "internal" service B.
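The change the answer describes, written out as gcloud commands in an added example (not part of the original answer). The service names `service-a` and `service-b` and the connector name `my-connector` are assumed; the region comes from the question. The `--vpc-egress`, `--vpc-connector` and `--ingress` flags of `gcloud run services update` are real flags. By default the script only prints the commands so you can review them; set `DRY_RUN=0` to apply them against a project you are authenticated to.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Assumed names: service-a (caller),
# service-b (callee), connector "my-connector". Region us-east1 is from the question.
REGION="${REGION:-us-east1}"
CONNECTOR="${CONNECTOR:-my-connector}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands only; 0 = execute them

# Print (or execute) one command line. Printing first lets you review the change.
run_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Caller side: the fix from the answer. 'all-traffic' sends every outbound
# request through the connector, so the call to Service B's public run.app
# address arrives with a VPC source and passes the internal-ingress check.
# 'private-ranges-only' would leave that call on the public path (hence 403).
route_caller_through_vpc() {
  run_cmd gcloud run services update "$1" --region="$REGION" \
    --vpc-connector="$CONNECTOR" --vpc-egress=all-traffic
}

# Callee side: keep accepting only traffic that originates inside the VPC.
restrict_callee_ingress() {
  run_cmd gcloud run services update "$1" --region="$REGION" --ingress=internal
}

# Read back the annotations that record the connector and egress setting,
# to confirm the caller really is on all-traffic egress after the update.
show_vpc_annotations() {
  run_cmd gcloud run services describe "$1" --region="$REGION" \
    --format='yaml(spec.template.metadata.annotations)'
}

route_caller_through_vpc service-a
restrict_callee_ingress service-b
show_vpc_annotations service-a
```

In dry-run mode the three printed lines are exactly what would be executed; the `describe` output, once applied, should show `run.googleapis.com/vpc-access-egress: all-traffic` on the caller's template annotations.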