Cloud functions static outbound IP address

cloud-functions-static-outbound-ip.md

Cloud functions static outbound IP address

The guide inspired by Static outbound IP address for Cloud Run.

1. Find the name of your VPC network:

gcloud compute networks list

You should see output like the following:

NAME     SUBNET_MODE  BGP_ROUTING_MODE
default  AUTO         REGIONAL

Identify the network you attached to your Serverless VPC Access connector.

2. Create a new Cloud Router to program a NAT gateway:

gcloud compute routers create ROUTER_NAME \
  --network=NETWORK_NAME \
  --region=REGION

In the command above, replace:

• ROUTER_NAME with a name for the Cloud Router resource you want to create.
• NETWORK_NAME with the name of the VPC network you found in step 1.
• REGION with the region in which you want to create a NAT gateway.

3. Reserve a static IP address. A reserved IP address resource retains the underlying IP address when the resource it is associated with is deleted and re-created:

gcloud compute addresses create ORIGIN_IP_NAME --region=REGION

In the command above, replace:

• ORIGIN_IP_NAME with the name you want to assign to the IP address resource.
• REGION with the region that will run the Cloud NAT router. Ideally the same region as your Cloud Functions to minimize latency and network costs.

4. Create a Cloud NAT gateway configuration on this router to route the traffic originating from the VPC network using the static IP address you created:

gcloud compute routers nats create NAT_NAME \
  --router=ROUTER_NAME \
  --region=REGION \
  --nat-all-subnet-ip-ranges \
  --nat-external-ip-pool=ORIGIN_IP_NAME

In the command above, replace:

• NAT_NAME with a name for the Cloud NAT gateway resource you want to create.
• ROUTER_NAME with the name of your Cloud Router.
• REGION with the region in which you want to create a NAT gateway.
• ORIGIN_IP_NAME with the name of the reserved IP address resource you created in the previous step.

5. Create connector using this guide: Creating a connector.

6. Use your connector in functions.

const functions = require('firebase-functions')
const fetch = require('node-fetch')

exports.helloWorld = functions
  .runWith({
    vpcConnector: 'CONNECTOR_NAME',
    vpcConnectorEgressSettings: 'ALL_TRAFFIC'
  })
  .https.onRequest(async (request, response) => {
    try {
      const result = await fetch('https://api.ipify.org?format=json')
      const json = await result.json()
      return response.json(json)
    } catch (e) {
      return response.send('Can not fetch the IP')
    }
  })

In the command above, replace:

• CONNECTOR_NAME with the name of your Serverless VPC Access connector.

Hi,
And how to invoke the function,
just with calling the static ip in the NAT ?

Hi, And how to invoke the function, just with calling the static ip in the NAT ?

Hi, This guide will bind the IP address to the outgoing traffic only. You should invoke your functions as you are usually do, using function HTTP endpoint or event to which they are subscribed.

Hi, And how to invoke the function, just with calling the static ip in the NAT ?

Hi, This guide will bind the IP address to the outgoing traffic only. You should invoke your functions as you are usually do, using function HTTP endpoint or event to which they are subscribed.

Thanks for the quick response,
so entering the static ip doesn't invoke the function?
And adding this ip to the whitelist of my network firewall, will allow invoking the function with its link?

@brokeyourbike
I'm sorry if there's a misunderstanding, but I'm trying to make a cloud function go through a secured network, and this is the solution I found (getting a static IP)

@Ahmed-Elswerky if your intention only to call the third party API behind a firewall, outbound static IP will work for you. But if you want to receive calls from secured network to the cloud function, and you have to whitelist the IP, this solution will not work for you

@brokeyourbike I appreciate the help, but if possible, I need a bit more clarification in telling the type of my function

I'm trying to invoke an http function from a mobile application
which is being used inside a secured network that only allows a preconfigured whitelisted static IP to be used for network communication

@Ahmed-Elswerky For your use case you might explore this tutorial: https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless . Load balancer can have single static IP, and it will call the function you need. I have not used it by myself, but from the description it can be one of the solutions for you.

@brokeyourbike thank you very much, I will check that

Thanks for the tutorial.
Just a little note for anyone trying this with typescript. Dont use fetch its not working. Use Axios.

import functions from 'firebase-functions'
import axios from 'axios'

exports.helloWorld = functions
.runWith({
vpcConnector: 'CONNECTOR_NAME',
vpcConnectorEgressSettings: 'ALL_TRAFFIC'
})
.https.onRequest(async (request, response) => {
try {
const result = await axios('https://api.ipify.org?format=json')
const json = await result.data
return json
} catch (e) {
return response.send('Can not fetch the IP')
}
})

@brokeyourbike
How we assign static ip in cloud-function ?

@brokeyourbike How we assign static ip in cloud-function ?

Well, this guide should give you a hint, but the general idea is to route the traffic from cloud functions through the NAT, and NAT has a static IP

I have designed a Firebase Cloud Function in Node.js where I am using PhonePe for payment. However, they have stated that they require a static IP address for whitelisting. Can I utilize the above solution and share the static IP with them?