Deploying internal services using Cloud Run for Anthos on Google Cloud

This tutorial demonstrates how to expose services deployed to Cloud Run for Anthos on your internal network. This type of configuration allows other resources in your network to communicate with the service using a private, internal (RFC 1918) IP address. Exposing services on an internal network is useful for enterprises that provide internal apps to their staff, and for services that are used by clients that run outside the Cloud Run for Anthos cluster.

Cloud Run for Anthos provides a developer-focused experience for deploying and serving apps and functions running on GKE. By default, Cloud Run for Anthos exposes services outside the cluster by using Istio's ingress gateway. This gateway is a Kubernetes service of type LoadBalancer, which means by default it's exposed on a public IP address using Network Load Balancing.

This tutorial shows you how to expose your Cloud Run for Anthos services on an internal IP address in your VPC network by changing Istio's ingress gateway to use Internal TCP/UDP Load Balancing instead of Network Load Balancing.


  • Create a GKE cluster with Cloud Run enabled.
  • Update the Istio ingress gateway to use Internal TCP/UDP Load Balancing.
  • Test the app by deploying a sample service to Cloud Run for Anthos.


This tutorial uses the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

When you finish this tutorial, you can avoid continued billing by deleting the resources you created. For more information, see Cleaning up.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. In the Cloud Console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Cloud Console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Cloud SDK already installed, including the gcloud command-line tool, and with values already set for your current project. It can take a few seconds for the session to initialize.

  5. You run all commands in this tutorial from Cloud Shell.
  6. In Cloud Shell, enable the Cloud Run for Anthos API, GKE API, and Cloud APIs:
    gcloud services enable \ \ \

Setting up the environment

  • In Cloud Shell, define environment variables and the gcloud tool defaults for the Compute Engine zone and GKE cluster name that you want to use for this tutorial:

    gcloud config set compute/zone $ZONE
    gcloud config set run/cluster $CLUSTER
    gcloud config set run/cluster_location $ZONE

    The examples in this tutorial use us-central1-f as the zone and cloudrun-gke-ilb-tutorialas the cluster name. You can use different values. For more information, see Geography and regions.

Creating a GKE cluster with Cloud Run for Anthos and internal TCP/UDP load balancing enabled

  1. In Cloud Shell, create a GKE cluster with the Cloud Run for Anthos add-on:

    gcloud container clusters create $CLUSTER \
        --addons HorizontalPodAutoscaling,HttpLoadBalancing,CloudRun \
        --enable-ip-alias \
        --enable-stackdriver-kubernetes \
        --cloud-run-config=load-balancer-type=INTERNAL \
        --machine-type n1-standard-2

    After the cluster is created, it might take a few minutes for the private IP address of the cluster ingress to be provisioned.

    You can run the following command to poll your GKE cluster until EXTERNAL-IP contains your private IP address:

    kubectl -n gke-system get svc istio-ingress --watch

    Press Ctrl+C to stop the polling when you see a private IP address in the EXTERNAL-IP field.

Deploy a sample service

  • In Cloud Shell, deploy a service called sample to Cloud Run for Anthos in the default namespace:

    gcloud run deploy sample \
        --image \
        --namespace default \
        --platform gke

Verify internal connectivity

  1. In Cloud Shell, create a Compute Engine virtual machine (VM) in the same zone as the GKE cluster:

    gcloud compute instances create $VM
  2. Store the private IP address of the Istio ingress gateway in an environment variable called EXTERNAL_IP and a file called external-ip.txt:

    export EXTERNAL_IP=$(kubectl -n gke-system get svc istio-ingress \
        -o jsonpath='{.status.loadBalancer.ingress[0].ip}' | tee external-ip.txt)
  3. Copy the file containing the IP address to the VM:

    gcloud compute scp external-ip.txt $VM:~
  4. Connect to the VM using SSH:

    gcloud compute ssh $VM
  5. While in the SSH session, test the sample service:

    curl -s -w'\n' -H $(cat external-ip.txt)

    The output is as follows:

  6. Leave the SSH session:



If you run into problems with this tutorial, review the following documents:

Cleaning up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

  1. In the Cloud Console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete the individual resources

If you want to keep the Google Cloud project you used in this tutorial, delete the individual resources:

  1. Delete the GKE cluster:

    gcloud container clusters delete $CLUSTER --quiet --async
  2. Delete the Compute Engine instance:

    gcloud compute instances delete $VM --quiet

What's next