Enabling all outbound network access for Cloud Run for Anthos on Google Cloud

By default, all outbound traffic from the cluster is blocked, including access to Google APIs. To enable outbound network access, for example to connect to Google Cloud services such as Cloud Storage or to external APIs, you need to set the correct scope of the proxy IP range by editing the config-network ConfigMap, so that the Istio sidecar only intercepts traffic destined for the cluster itself.

Prerequisites

This assumes that you have set up the gcloud and kubectl command line tools following the setup instructions.

Enabling all outbound network access

The following instructions apply only to cluster versions older than 1.12.7-gke.17 (for 1.12-based clusters) or older than 1.11.9-gke.13 (for 1.11-based clusters). On those older versions the only way to reach Google APIs is to enable outbound traffic to all IP addresses on the internet. This also allows your applications to connect to potentially untrusted endpoints: because the sidecar no longer intercepts that traffic, it cannot restrict or observe it, so any egress restriction you need must be enforced elsewhere.

Determining the IP scope of your cluster

To set the correct scope, you need to determine the current IP ranges of your cluster. The scope varies depending on your cluster configuration.

  1. Invoke the command to determine the scope:

    gcloud container clusters describe [CLUSTER_NAME] \
    | grep -e clusterIpv4Cidr -e servicesIpv4Cidr

    Replace [CLUSTER_NAME] with your cluster name. Note that you must supply the cluster name even if you have set it as the default cluster for gcloud. Note also that if you haven't set your default zone as shown in the prerequisites section, you must supply the zone parameter after the cluster name: --zone=[ZONE], replacing [ZONE] with your cluster's zone.

  2. Note the IP ranges shown from the above command, similar to this:

    ...
    clusterIpv4Cidr: 10.8.0.0/14
    servicesIpv4Cidr: 10.11.240.0/20
    ...
    

    You must append these IP ranges together to enable all outbound access, as described in the next section.

Setting the IP scope

The istio.sidecar.includeOutboundIPRanges parameter in the config-network ConfigMap specifies the IP ranges whose traffic the Istio sidecar intercepts. To allow outbound access, replace the default parameter value (*, meaning everything) with the pod and service IP ranges of your cluster that you obtained in the previous steps:

  1. Run the following command to edit the config-network ConfigMap:

    kubectl edit configmap config-network --namespace knative-serving

  2. In the editor that kubectl opens, change the istio.sidecar.includeOutboundIPRanges parameter value from * to the IP ranges you obtained in the previous steps. Separate multiple IP ranges with a comma and keep the value quoted. For example:

    # Please edit the object below. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    data:
      istio.sidecar.includeOutboundIPRanges: '10.16.0.0/14,10.19.240.0/20'
    kind: ConfigMap
    metadata:
    ...

When you set the parameter to a valid set of IP address ranges, Istio no longer intercepts traffic to IP addresses outside those ranges, so you don't need to specify any egress rules for external destinations.

If you omit the istio.sidecar.includeOutboundIPRanges parameter or set it to '', the value of the global.proxy.includeIPRanges parameter provided at Istio deployment time is used instead; that value is *.

Note that if an invalid value is used, '' is used instead, which in turn falls back to * (all traffic intercepted). A typo in a CIDR therefore silently reverts the cluster to the blocked-outbound default rather than producing an error, so check the value carefully before saving.

  3. Save your changes. Note that any change is automatically picked up and used for all deployed revisions.
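The two procedures above (determining the ranges, then setting them) as one script. This is an added example and not part of the Cloud Run for Anthos documentation: it reads the two CIDRs from gcloud output, validates them before they go anywhere near the ConfigMap (an invalid value would be silently treated as '' and thus *), and applies a JSON merge patch instead of the interactive kubectl edit. CLUSTER_NAME, ZONE and APPLY are assumed environment variable names; the gcloud and kubectl calls only run when CLUSTER_NAME is set.

```sh
#!/bin/sh
# Added example, not part of the Cloud Run for Anthos documentation: build the
# includeOutboundIPRanges value from `gcloud container clusters describe` and
# patch config-network non-interactively instead of using `kubectl edit`.
# CLUSTER_NAME, ZONE and APPLY are assumed environment variables; nothing is
# run against gcloud or kubectl unless CLUSTER_NAME is set.
set -eu

# Print the value of a top-level "key: value" line from describe output (stdin).
cidr_field() {
  awk -v key="$1:" '$1 == key { print $2; exit }'
}

# True if $1 is all digits and <= $2.
is_num() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le "$2" ]
}

# True if $1 is a dotted-quad IPv4 CIDR such as 10.8.0.0/14. This check matters
# because an invalid ConfigMap value is silently treated as '' (i.e. '*', the
# intercept-everything default): the only symptom of a typo would be
# "outbound still blocked", with no error anywhere.
valid_cidr() {
  ip="${1%/*}"; mask="${1#*/}"
  [ "$ip" != "$1" ] || return 1                  # no '/' at all
  is_num "$mask" 32 || return 1
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only, so word-splitting is safe
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do is_num "$o" 255 || return 1; done
}

# Read describe output on stdin, print "<clusterIpv4Cidr>,<servicesIpv4Cidr>".
build_ranges() {
  yaml="$(cat)"
  pods="$(printf '%s\n' "$yaml" | cidr_field clusterIpv4Cidr)"
  svcs="$(printf '%s\n' "$yaml" | cidr_field servicesIpv4Cidr)"
  valid_cidr "$pods" || { echo "bad clusterIpv4Cidr: '$pods'" >&2; return 1; }
  valid_cidr "$svcs" || { echo "bad servicesIpv4Cidr: '$svcs'" >&2; return 1; }
  printf '%s,%s\n' "$pods" "$svcs"
}

# JSON merge patch that sets only the one data key and leaves the rest of the
# ConfigMap untouched.
patch_json() {
  printf '{"data":{"istio.sidecar.includeOutboundIPRanges":"%s"}}' "$1"
}

# Usage (assumed names):
#   CLUSTER_NAME=my-cluster ZONE=us-central1-a APPLY=1 sh enable-egress.sh
if [ -n "${CLUSTER_NAME:-}" ]; then
  ranges="$(gcloud container clusters describe "$CLUSTER_NAME" --zone="${ZONE:?set ZONE}" | build_ranges)"
  echo "istio.sidecar.includeOutboundIPRanges: $ranges"
  if [ "${APPLY:-0}" = 1 ]; then
    kubectl patch configmap config-network --namespace knative-serving \
      --type merge --patch "$(patch_json "$ranges")"
  else
    echo "dry run; set APPLY=1 to patch config-network"
  fi
fi
```

Run it once without APPLY to see the value it would write, then with APPLY=1. Because build_ranges refuses anything that is not a well-formed IPv4 CIDR, a garbled describe output fails loudly here instead of failing silently inside Istio.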

Troubleshooting outbound networking issues

If you experience trouble making calls outside your cluster, verify that the policy was applied to the pod running your service by checking the pod's metadata: the traffic.sidecar.istio.io/includeOutboundIPRanges annotation on the pod must match the value you set in the ConfigMap.

  1. Make sure there is a pod running, because pods can scale to zero:

    curl -H "Host: helloworld-go.default.example.com" http://35.203.155.229

    Replace the host URL and IP address with your own URL and the cluster's IP address. If you don't know how to locate the cluster's IP address, see the instructions in Accessing your deployed service.

  2. Within 5 minutes, invoke this command to get the list of available pods:

    kubectl get pods
  3. From the output of the get pods command, locate the pod associated with your service: it will start with the name of your service.

  4. Use that pod name in the following command to retrieve the pod's metadata and see the annotations applied to it.

    kubectl get pod [POD_NAME] --output yaml

    Replace [POD_NAME] with your pod name. See the pod documentation for more information on pods.

    You should see a result similar to this:

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        serving.knative.dev/configurationGeneration: "2"
        sidecar.istio.io/inject: "true"
        ...
        traffic.sidecar.istio.io/includeOutboundIPRanges: 10.16.0.0/14,10.19.240.0/20
    ...

The line starting with traffic.sidecar.istio.io/includeOutboundIPRanges: 10.16.0.0/14,10.19.240.0/20 is the one that matters: its value must match what you put in the config-network ConfigMap. If the annotation is missing or differs from the ConfigMap, the ConfigMap value may have been rejected as invalid (and so treated as '', that is, *); correct it and check again on a freshly created pod.
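The verification described in this section as a script. This is an added example and not part of the Cloud Run for Anthos documentation: it fetches the ConfigMap value and the pod annotation with kubectl jsonpath queries, compares them order-insensitively, and reports which of the three failure modes applies (ConfigMap still *, annotation absent, or the two disagreeing). POD is an assumed environment variable name; the kubectl calls only run when it is set, and the comparison logic runs offline.

```sh
#!/bin/sh
# Added example, not part of the Cloud Run for Anthos documentation: compare the
# config-network value with the annotation Istio stamped on a running pod.
# POD is an assumed environment variable; kubectl is only invoked when it is set.
set -eu

# Canonicalize a comma-separated range list: strip spaces, drop empties, sort.
normalize_ranges() {
  printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n' | grep -v '^$' | sort | paste -s -d ',' -
}

# True if the two lists contain the same ranges, regardless of order or spacing.
ranges_equal() {
  [ "$(normalize_ranges "$1")" = "$(normalize_ranges "$2")" ]
}

# $1 = ConfigMap value, $2 = pod annotation value. Returns 0 only when they agree;
# 1, 2 and 3 identify the failure mode for the caller.
diagnose() {
  cm="$1"; pod="$2"
  if [ -z "$cm" ] || [ "$cm" = '*' ]; then
    echo "config-network still says '$cm': the sidecar intercepts all traffic, so outbound stays blocked"
    return 1
  fi
  if [ -z "$pod" ]; then
    echo "pod has no includeOutboundIPRanges annotation: sidecar not injected, or the ConfigMap value was rejected as invalid"
    return 2
  fi
  if ! ranges_equal "$cm" "$pod"; then
    echo "mismatch: ConfigMap='$cm' pod='$pod'; check again on a freshly created pod"
    return 3
  fi
  echo "ok: pod annotation matches ConfigMap ($cm)"
}

# Dots inside a jsonpath key are escaped with a backslash.
cm_value() {
  kubectl get configmap config-network --namespace knative-serving \
    -o jsonpath='{.data.istio\.sidecar\.includeOutboundIPRanges}'
}
pod_value() {
  kubectl get pod "$1" \
    -o jsonpath='{.metadata.annotations.traffic\.sidecar\.istio\.io/includeOutboundIPRanges}'
}

# Usage (assumed name): POD=<pod from kubectl get pods> sh check-egress.sh
if [ -n "${POD:-}" ]; then
  diagnose "$(cm_value)" "$(pod_value "$POD")"
fi
```

Pick the pod exactly as the steps above describe (a freshly created one, since pods scale to zero) and pass its name as POD; a non-zero exit tells you which side of the comparison to fix.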