
Google Cloud - Egress IP / NAT / Proxy for Google Cloud Functions

I'm building a data ingestion layer for my company where I have a lot of different integration points (REST APIs).

Some of the APIs require you to connect from a whitelisted IP.

I'd really like to use Google Cloud Functions / Pub/Sub to build the ingestion logic because of its scalability and reduced cost.

But the problem is that Google Cloud Functions always connect from random IPs and there is nothing we can do about that, as is answered in this question: Possible to get static IP address for Google Cloud Functions?

So my question is: Is there a way to proxy / NAT Cloud Functions so that they come from a set of static IPs?

Leon Radley asked Aug 13 '18 08:08


2 Answers

This is now possible by configuring network settings for Cloud Functions, particularly Egress Settings.

Taken from the Official Docs:

Via Console:

  1. Open the Functions Overview page in the Cloud Console
  2. Click Create function. Alternatively, click an existing function to go to its details page, and click Edit
  3. Expand the advanced settings by clicking Environment variables, networking, timeouts and more.
  4. In the Networking section, under Egress settings, select a Serverless VPC Access connector.
  5. Select the appropriate egress setting based on how you want to route outbound traffic through the connector.

Via gcloud:

gcloud functions deploy FUNCTION_NAME \
--vpc-connector CONNECTOR_NAME \
--egress-settings EGRESS_SETTINGS \
FLAGS...

where:

FUNCTION_NAME is the name of your function.

CONNECTOR_NAME is the name of the Serverless VPC Access connector to use. See the gcloud documentation for more information.

Note: You can omit the --vpc-connector flag if you are updating egress settings on an existing function that already has a connector.

EGRESS_SETTINGS is one of the supported values for egress settings: see gcloud documentation.

FLAGS... refers to other flags you pass to the deploy command.

Select the appropriate egress setting based on how you want to route outbound traffic through the connector.

After this, you only need to

  1. Set up Cloud NAT and
  2. Specify a static IP address for NAT.

Create a Cloud NAT:

gcloud compute routers nats create nat-config \
    --router=nat-router \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-logging

Specify IP addresses:

gcloud compute routers nats create nat-config \
    --router=nat-router \
    --nat-all-subnet-ip-ranges \
    --nat-external-ip-pool=ip-address1,ip-address2
chriz answered Nov 12 '22 18:11
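
A configuration check for the setup described in the answer above, as an added example (not part of the original answer or of Google's documentation): it reads the JSON printed by `gcloud functions describe` and `gcloud compute routers nats describe` and reports why outbound calls would not leave from the reserved addresses. The sample JSON is constructed, assumes 1st gen function field names, and every resource name in it is a placeholder.

```python
import json

# Constructed sample of `gcloud functions describe FUNCTION_NAME --format=json`
# (1st gen field names assumed; project, region and names are placeholders).
FUNCTION_JSON = """{
  "name": "projects/example-project/locations/europe-west1/functions/ingest",
  "vpcConnector": "projects/example-project/locations/europe-west1/connectors/example-connector",
  "vpcConnectorEgressSettings": "PRIVATE_RANGES_ONLY"
}"""

# Constructed sample of
# `gcloud compute routers nats describe nat-config --router=nat-router --format=json`.
NAT_JSON = """{
  "name": "nat-config",
  "natIpAllocateOption": "AUTO_ONLY",
  "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES"
}"""


def audit_static_egress(function_cfg, nat_cfg):
    """Return the reasons outbound calls would not leave from fixed NAT IPs."""
    findings = []
    if not function_cfg.get("vpcConnector"):
        findings.append("function has no Serverless VPC Access connector")
    # With PRIVATE_RANGES_ONLY (the default) only internal-range traffic uses
    # the connector, so calls to public APIs never reach Cloud NAT.
    if function_cfg.get("vpcConnectorEgressSettings") != "ALL_TRAFFIC":
        findings.append("egress setting is not ALL_TRAFFIC (--egress-settings all)")
    # AUTO_ONLY means Cloud NAT picks the addresses itself instead of using
    # a pool you reserved and gave to the API provider for allowlisting.
    if nat_cfg.get("natIpAllocateOption") != "MANUAL_ONLY":
        findings.append("NAT IPs are auto-allocated, not a reserved pool")
    elif not nat_cfg.get("natIps"):
        findings.append("NAT is MANUAL_ONLY but lists no reserved addresses")
    return findings


if __name__ == "__main__":
    results = audit_static_egress(json.loads(FUNCTION_JSON), json.loads(NAT_JSON))
    for finding in results:
        print("FAIL:", finding)
    if not results:
        print("OK: all egress goes through NAT with reserved addresses")
```
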


As mentioned by @Murtaza Kanchwala, it's not possible to Proxy / NAT Cloud Functions so that they would come from a set of static IPs. However, as this would be a good feature, I opened a feature request for this to be implemented. For all further updates refer to the request itself, since all the updates will be posted there.

komarkovich answered Nov 12 '22 16:11