@brokeyourbike
Last active April 21, 2024 00:50
Cloud functions static outbound IP address

This guide is inspired by Static outbound IP address for Cloud Run.

1. Find the name of your VPC network:

gcloud compute networks list

You should see output like the following:

NAME     SUBNET_MODE  BGP_ROUTING_MODE
default  AUTO         REGIONAL

Identify the network you attached to your Serverless VPC Access connector.

2. Create a new Cloud Router to program a NAT gateway:

gcloud compute routers create ROUTER_NAME \
  --network=NETWORK_NAME \
  --region=REGION

In the command above, replace:

  • ROUTER_NAME with a name for the Cloud Router resource you want to create.
  • NETWORK_NAME with the name of the VPC network you found in step 1.
  • REGION with the region in which you want to create a NAT gateway.

3. Reserve a static IP address. A reserved IP address resource retains the underlying IP address when the resource it is associated with is deleted and re-created:

gcloud compute addresses create ORIGIN_IP_NAME --region=REGION

In the command above, replace:

  • ORIGIN_IP_NAME with the name you want to assign to the IP address resource.
  • REGION with the region that will run the Cloud NAT router. Ideally the same region as your Cloud Functions to minimize latency and network costs.

4. Create a Cloud NAT gateway configuration on this router to route the traffic originating from the VPC network using the static IP address you created:

gcloud compute routers nats create NAT_NAME \
  --router=ROUTER_NAME \
  --region=REGION \
  --nat-all-subnet-ip-ranges \
  --nat-external-ip-pool=ORIGIN_IP_NAME

In the command above, replace:

  • NAT_NAME with a name for the Cloud NAT gateway resource you want to create.
  • ROUTER_NAME with the name of your Cloud Router.
  • REGION with the region in which you want to create a NAT gateway.
  • ORIGIN_IP_NAME with the name of the reserved IP address resource you created in the previous step.

5. Create a connector using this guide: Creating a connector.

6. Use your connector in your functions:

const functions = require('firebase-functions')
const fetch = require('node-fetch')

exports.helloWorld = functions
  .runWith({
    vpcConnector: 'CONNECTOR_NAME',
    vpcConnectorEgressSettings: 'ALL_TRAFFIC'
  })
  .https.onRequest(async (request, response) => {
    try {
      const result = await fetch('https://api.ipify.org?format=json')
      const json = await result.json()
      return response.json(json)
    } catch (e) {
      return response.send('Can not fetch the IP')
    }
  })

In the command above, replace:
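
Added example (not part of the original gist): a Node.js check that the setup from steps 2-6 behaves as intended, so the address you hand to a third party for allowlisting is really the one your function egresses from. It reads the JSON printed by the two `gcloud ... describe --format=json` commands named in the comments plus the IP reported by the function above; `auditStaticEgress`, the finding names and all sample values are constructed for illustration.

```javascript
// Added example, not part of the original gist. All sample values are constructed.
// nat:     gcloud compute routers nats describe NAT_NAME --router=ROUTER_NAME --region=REGION --format=json
// address: gcloud compute addresses describe ORIGIN_IP_NAME --region=REGION --format=json
// observedIp: the "ip" field returned by the helloWorld function from step 6

// Compare resource URLs by their /projects/... path so the API version prefix does not matter.
function resourcePath (url) {
  const i = url.indexOf('/projects/')
  return i < 0 ? url : url.slice(i)
}

function auditStaticEgress (nat, address, observedIp) {
  const findings = []
  // --nat-external-ip-pool pins the gateway to the listed addresses (MANUAL_ONLY).
  // With AUTO_ONLY the addresses are allocated automatically, so an allowlist entry can go stale.
  if (nat.natIpAllocateOption !== 'MANUAL_ONLY') findings.push('NAT_IP_NOT_PINNED')
  // The gateway has to reference the reserved address resource from step 3.
  const pool = (nat.natIps || []).map(resourcePath)
  if (!pool.includes(resourcePath(address.selfLink))) findings.push('RESERVED_ADDRESS_NOT_IN_POOL')
  // If the function reports another IP, its traffic is not leaving through the NAT
  // (for example vpcConnectorEgressSettings is not 'ALL_TRAFFIC').
  if (observedIp !== address.address) findings.push('EGRESS_NOT_VIA_NAT')
  // --nat-all-subnet-ip-ranges: every subnet of this network in the region shares the allowlisted IP.
  if (nat.sourceSubnetworkIpRangesToNat === 'ALL_SUBNETWORKS_ALL_IP_RANGES') {
    findings.push('NOTE_ALL_SUBNETS_SHARE_IP')
  }
  return findings
}

// Constructed sample data (project, resource names and IPs are placeholders).
const sampleAddress = {
  address: '203.0.113.10',
  selfLink: 'https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1/addresses/origin-ip'
}
const sampleNat = {
  name: 'example-nat',
  natIpAllocateOption: 'MANUAL_ONLY',
  natIps: ['https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1/addresses/origin-ip'],
  sourceSubnetworkIpRangesToNat: 'ALL_SUBNETWORKS_ALL_IP_RANGES'
}

console.log(auditStaticEgress(sampleNat, sampleAddress, '203.0.113.10'))
console.log(auditStaticEgress({ ...sampleNat, natIpAllocateOption: 'AUTO_ONLY', natIps: [] }, sampleAddress, '198.51.100.7'))
```

The `NOTE_ALL_SUBNETS_SHARE_IP` finding is informational: with `--nat-all-subnet-ip-ranges`, any workload without an external IP in those subnets leaves from the same address the third party has allowlisted.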

@brokeyourbike
Author

Hi, And how to invoke the function, just with calling the static ip in the NAT ?

Hi, This guide will bind the IP address to the outgoing traffic only. You should invoke your functions as you usually do, using the function's HTTP endpoint or the event to which they are subscribed.

@Ahmed-Elswerky

Ahmed-Elswerky commented Nov 8, 2021

Hi, And how to invoke the function, just with calling the static ip in the NAT ?

Hi, This guide will bind the IP address to the outgoing traffic only. You should invoke your functions as you usually do, using the function's HTTP endpoint or the event to which they are subscribed.

Thanks for the quick response,
so entering the static ip doesn't invoke the function?
And adding this ip to the whitelist of my network firewall, will allow invoking the function with its link?

@Ahmed-Elswerky

@brokeyourbike
I'm sorry if there's a misunderstanding, but I'm trying to make a cloud function go through a secured network, and this is the solution I found (getting a static IP)

@brokeyourbike
Author

@Ahmed-Elswerky if your intention is only to call a third-party API behind a firewall, an outbound static IP will work for you. But if you want to receive calls from a secured network to the cloud function, and you have to whitelist the IP, this solution will not work for you.

@Ahmed-Elswerky

Ahmed-Elswerky commented Nov 8, 2021

@brokeyourbike I appreciate the help, but if possible, I need a bit more clarification in telling the type of my function

I'm trying to invoke an http function from a mobile application
which is being used inside a secured network that only allows a preconfigured whitelisted static IP to be used for network communication

@brokeyourbike
Author

@Ahmed-Elswerky For your use case you might explore this tutorial: https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless . A load balancer can have a single static IP, and it will call the function you need. I have not used it myself, but from the description it can be one of the solutions for you.

@Ahmed-Elswerky

@brokeyourbike thank you very much, I will check that

@Victor-Ross

Thanks for the tutorial.
Just a little note for anyone trying this with TypeScript. Don't use fetch, it's not working. Use Axios.

import * as functions from 'firebase-functions'
import axios from 'axios'

export const helloWorld = functions
  .runWith({
    vpcConnector: 'CONNECTOR_NAME',
    vpcConnectorEgressSettings: 'ALL_TRAFFIC'
  })
  .https.onRequest(async (request, response) => {
    try {
      const result = await axios('https://api.ipify.org?format=json')
      // axios has already parsed the JSON body into result.data;
      // it must be written to the response, otherwise the request never completes
      response.json(result.data)
    } catch (e) {
      response.send('Can not fetch the IP')
    }
  })

@abhishekkanojiathinksys

@brokeyourbike
How do we assign a static IP in a cloud function?

@brokeyourbike
Author

@brokeyourbike How do we assign a static IP in a cloud function?

Well, this guide should give you a hint, but the general idea is to route the traffic from cloud functions through the NAT, and NAT has a static IP

@SaimMohanish

I have designed a Firebase Cloud Function in Node.js where I am using PhonePe for payment. However, they have stated that they require a static IP address for whitelisting. Can I utilize the above solution and share the static IP with them?
