Serverless VPC connector, Google APIs, traffic routing and best practices
Working for a Findata company, we have strict requirements in terms of compliance to be considered "safe" to work with us.
I took some time reading about Serverless VPC connector specifically and it raised mainly two questions.
Here's an architecture diagram that may help answer question 2.
Question 1
I understand that when creating a Serverless VPC connector, you can connect to any private IP present in the same VPC. For instance, a Cloud Run app that connects to a Cloud SQL instance through its private IP.
What I am still wondering, is how it works when using Google Cloud APIs. For instance, let's take a Cloud Run app that consumes data from BigQuery.
Knowing that we can configure egress traffic to be routed like so:

If we route all traffic through the VPC connector, from my tests, it will reach the BigQuery API only if the subnet associated with the connector has Private Google Access activated.
So here it's going through the VPC for sure. The downside (big?) is that it consumes bandwidth of your connector, right? Also, if the app is scaling up, bandwidth consumption will increase.
My question there is:
To avoid this overhead, does the "Route only requests to private IPs through the VPC connector" option also use the private network? Or does it go to the Internet to reach Google APIs?
Question 2
For us, connectors are expensive. We were thinking about how to deploy them (if required; it actually depends on the answer to question 1).
From what I know, for expensive network setups (like sharing a Cloud Interconnect link), people tend to create a Host Project that manages all the networking and share it using Shared VPC.
My question there is:
Is it something to consider as well for Serverless VPC connectors? Is it better to create a few big ones and share them with multiple serverless services, or to create a lot of small ones?
Solution 1:[1]
Question 1: "Route only requests to private IPs through the VPC connector" is the default. Only requests to RFC 1918 and RFC 6598 IP address ranges or internal DNS names are routed to your VPC network. All other requests are routed directly to the internet, and there is no charge for data transfer within the region, except for Dedicated Interconnect (AKA Cloud Interconnect) lines, which have dedicated 10 Gbps to 100 Gbps. For high-bandwidth interconnects you will get good performance.
For your question 2: You can refer to this document for best VPC practices and consider which would be suitable for you.
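Added example, not part of the question or the answer: a small Python model of the egress routing decision the answer describes, i.e. which destination IPs the default `private-ranges-only` setting sends through the connector, when a call to a public Google API such as BigQuery gets through, and how much of the sample traffic lands on the connector. The setting names match the `--vpc-egress` values of `gcloud run deploy`; the flows and addresses are constructed sample data, and routing by internal DNS name is not modelled.

```python
"""Model of Cloud Run VPC egress routing (added example; not from the question or answer).

Two values of `gcloud run deploy --vpc-egress`:
  private-ranges-only -> only RFC 1918 / RFC 6598 destinations use the connector
  all-traffic         -> everything uses the connector, so a public Google API is
                         reachable only if the subnet has Private Google Access
Only IP destinations are modelled; routing by internal DNS name is not.
"""
from ipaddress import ip_address, ip_network

PRIVATE_RANGES = [
    ip_network("10.0.0.0/8"),      # RFC 1918
    ip_network("172.16.0.0/12"),   # RFC 1918
    ip_network("192.168.0.0/16"),  # RFC 1918
    ip_network("100.64.0.0/10"),   # RFC 6598 shared address space
]
EGRESS_SETTINGS = ("private-ranges-only", "all-traffic")


def is_private_range(dest: str) -> bool:
    """True if `dest` falls in a range the connector handles under the default setting."""
    addr = ip_address(dest)
    return any(addr in net for net in PRIVATE_RANGES)


def route(dest: str, egress: str) -> str:
    """Return 'connector' or 'internet' for a destination IP under an egress setting."""
    if egress not in EGRESS_SETTINGS:
        raise ValueError(f"unknown --vpc-egress value: {egress}")
    if egress == "all-traffic" or is_private_range(dest):
        return "connector"
    return "internet"


def google_api_reachable(egress: str, private_google_access: bool) -> bool:
    """Whether a call to a public Google API endpoint (e.g. BigQuery) gets through.

    Public API endpoints are not private ranges, so under private-ranges-only they
    bypass the connector; forced through it, they need Private Google Access.
    """
    if egress == "private-ranges-only":
        return True
    return private_google_access


def connector_bytes(flows, egress: str) -> int:
    """Sum the bytes of (dest_ip, byte_count) flows that would traverse the connector."""
    return sum(n for dest, n in flows if route(dest, egress) == "connector")


# Constructed sample flows: a Cloud SQL private IP, an RFC 6598 address, and a
# TEST-NET address standing in for a public Google API endpoint.
SAMPLE_FLOWS = [("10.20.0.5", 4_000), ("100.64.1.1", 1_000), ("203.0.113.10", 50_000)]

if __name__ == "__main__":
    for setting in EGRESS_SETTINGS:
        print(setting, "connector bytes:", connector_bytes(SAMPLE_FLOWS, setting))
```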
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Abhijith Chitrapu |