Google Cloud Tasks trigger Cloud Function with INTERNAL only ingress

How can I trigger a Cloud Function from Cloud Tasks when that function has its ingress settings set to "allow internal only"?

With that setting, the function rejects the incoming HTTP traffic from Cloud Tasks. This behavior occurs even if Cloud Tasks is in the same project as the function.

  • https://cloud.google.com/functions/docs/networking/network-settings#ingress_settings
  • https://cloud.google.com/tasks/docs/creating-http-target-tasks
Thomas Ruble asked May 03 '26 07:05



2 Answers

It's funny, because I asked Google PMs exactly about that on Tuesday this week! Because today you can't! It's on the radar of the PMs, with no timeline, but it will be possible one day.

My solution today:

If I have a cloud function in internal-only mode which is used internally AND externally (or by Google serverless products not compliant with the VPC connector, like Cloud Tasks, Cloud Scheduler, Pub/Sub and Workflows), I create a "proxy function":

  • This proxy function is deployed in ingress=all mode and with the no-allow-unauthenticated param
  • I grant only the service account of the external product the cloudfunctions.invoker role on the proxy function, to be sure that only this service account will be able to call the proxy function
  • I create a serverless VPC connector and add it to the proxy function
  • The proxy function only calls the internal function.
guillaume blaquiere answered May 05 '26 05:05



Recently ran into this problem and am providing a follow-up for any people that are interested.

Two things of note: as mentioned by @guillaumeblaquiere, Google PMs are aware of this, and based on a recent support ticket I've opened with Google, it's been mentioned that they've put internal support for Cloud Tasks on their road map, so it potentially might be supported by EOY (2022). Here are two related issue trackers if anyone's interested and wants to show the need for this sort of feature.

  • Issue Tracker 1
  • Issue Tracker 2

In regards to the problem at hand, I would not recommend the above proxy function solution; this was also proposed by Google support. It's functionally no different from just setting your original Cloud Function's ingress settings to allow all traffic. You're just adding another hoop that doesn't provide a private solution.

A solution my team built instead looked like Cloud Tasks -> Pub/Sub -> Cloud Function.
This pattern allows you to keep everything within the VPC, since Cloud Functions has a native trigger for Pub/Sub. Cloud Tasks can then interact with Pub/Sub through its REST API. This pattern can then be further secured by creating a runtime SA for Cloud Tasks that has the following permissions, which can be granted at either the project level or the resource level depending on security needs:

  • Cloud Tasks Enqueuer
  • Pub/Sub Publisher
  • Cloud Functions Invoker
Martin Beck answered May 05 '26 06:05

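An added example (not code from the answer above) of the Cloud Tasks -> Pub/Sub step it describes: it builds the HTTP task that publishes to the topic through the Pub/Sub REST API, carrying an OAuth access token for the Cloud Tasks runtime SA, which is what a Google API endpoint expects instead of an OIDC token. The project, location, queue, topic and service-account names are placeholders.

```python
import base64
import json
from typing import Optional

# Constructed placeholder values; substitute your own project, queue, topic and SA.
PROJECT = "my-project"
LOCATION = "us-central1"
QUEUE = "internal-jobs"
TOPIC = "internal-fn-trigger"
# Runtime SA for Cloud Tasks: needs Pub/Sub Publisher on the topic (plus Cloud Tasks
# Enqueuer for whoever calls enqueue(), and Cloud Functions Invoker for the trigger).
TASK_SA = "tasks-publisher@my-project.iam.gserviceaccount.com"
PUBSUB_SCOPE = "https://www.googleapis.com/auth/pubsub"


def publish_url(project: str, topic: str) -> str:
    """REST endpoint of the Pub/Sub publish method for a topic."""
    return f"https://pubsub.googleapis.com/v1/projects/{project}/topics/{topic}:publish"


def build_publish_task(payload: dict, attributes: Optional[dict] = None) -> dict:
    """Build a Cloud Tasks HTTP task whose request is a Pub/Sub publish call.

    Pub/Sub requires message data to be base64; the task uses oauth_token (not
    oidc_token) because the target is a Google API under googleapis.com.
    """
    data = base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")
    message = {"data": data}
    if attributes:
        message["attributes"] = attributes
    body = json.dumps({"messages": [message]}).encode("utf-8")
    return {
        "http_request": {
            "http_method": "POST",
            "url": publish_url(PROJECT, TOPIC),
            "headers": {"Content-Type": "application/json"},
            "body": body,
            "oauth_token": {"service_account_email": TASK_SA, "scope": PUBSUB_SCOPE},
        }
    }


def decode_task_message(task: dict) -> dict:
    """Decode the first message's data, i.e. what the Pub/Sub-triggered function receives."""
    req = json.loads(task["http_request"]["body"])
    return json.loads(base64.b64decode(req["messages"][0]["data"]))


def enqueue(task: dict) -> str:
    """Submit the task to the queue; needs google-cloud-tasks and application credentials."""
    from google.cloud import tasks_v2  # imported here so the builders run offline
    client = tasks_v2.CloudTasksClient()
    parent = client.queue_path(PROJECT, LOCATION, QUEUE)
    return client.create_task(parent=parent, task=task).name
```

The function's ingress setting never sees this traffic: Cloud Tasks talks only to the Pub/Sub API, and the function is invoked by its Pub/Sub trigger.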