Skip to content

Latest commit

 

History

History
149 lines (109 loc) · 7.98 KB

File metadata and controls

149 lines (109 loc) · 7.98 KB

Connecting Cloud Run and Memorystore for Redis FAQ

This document answers frequently asked questions about connecting a Google Cloud Run service to a Memorystore for Redis instance located within a VPC.


Q1: How can I connect to Memorystore for Redis from Cloud Run?

A: Since Cloud Run is a serverless environment and Memorystore for Redis is created with a private IP inside a VPC, they cannot communicate directly. To connect them, you must use a Serverless VPC Access Connector.

The overall process is as follows:

  1. Create a Memorystore for Redis instance: Prepare a Redis instance within a VPC network.
  2. Create a Serverless VPC Access Connector: Create a connector in the same VPC network as Redis. This connector acts as a bridge between Cloud Run and the VPC.
  3. Deploy the Cloud Run service: When deploying or updating the Cloud Run service, configure it to connect to the created VPC connector.
  4. Modify the application code: Implement the application code to connect to Redis using its private IP address and port information, typically passed via environment variables.

Q2: How should the network for Cloud Run be configured to connect to Memorystore for Redis?

A: You need to configure the outbound (Egress) traffic settings of the Cloud Run service to be directed to the VPC network.

  1. Connect the VPC Connector:

    • In the 'Networking' tab of your Cloud Run service settings, connect the VPC connector that you previously created in the same VPC as Memorystore.
    • In the gcloud CLI, use the --vpc-connector flag.
  2. Configure VPC Egress (Traffic Routing) (Recommended):

    • Select the option 'Route only requests to private IPs to the VPC connector' (private-ranges-only).
    • This setting is the most efficient, as it only sends traffic destined for internal IPs (like Memorystore) through the VPC connector, while traffic to the public internet goes out directly.
    • In the gcloud CLI, use the --vpc-egress=private-ranges-only flag.

gcloud command example:

gcloud run deploy [SERVICE_NAME] \
  --image=[IMAGE_URL] \
  --region=[REGION] \
  --vpc-connector=[CONNECTOR_NAME] \
  --vpc-egress=private-ranges-only \
  --set-env-vars REDIS_HOST=[REDIS_IP_ADDRESS],REDIS_PORT=[REDIS_PORT]

Q3: How do I create a Memorystore for Redis (Valkey) instance using the gcloud CLI?

A: You can create a basic Memorystore for Redis instance using the following gcloud command.

gcloud redis instances create my-redis-instance \
    --size=1 \
    --region=us-central1 \
    --tier=BASIC \
    --redis-version=REDIS_7_2 \
    --network=default
  • my-redis-instance: The name of the instance to create.
  • --size: Memory size in GB.
  • --region: The GCP region where the instance will be created.
  • --tier: BASIC (standalone) or STANDARD_HA (high availability).
  • --redis-version: The Redis version.
  • --network: The VPC network to connect to (default: default).

Q4: Is the Memorystore for Redis instance created by the command in Q3 installed in a Private Subnet?

A: Yes, that's correct. Memorystore for Redis is always created with a private IP address within a VPC network. It is not directly exposed to the public internet, which has the same effect as being installed in a secure Private Subnet. Only resources within the same VPC network can access this instance via its internal IP.


Q5: How can I check the information of a Memorystore for Redis instance using the gcloud CLI?

A: You can use the gcloud redis instances describe command to view the detailed information of a specific instance.

Check a specific instance's information:

# Replace [INSTANCE_NAME] and [REGION] with your actual values.
gcloud redis instances describe [INSTANCE_NAME] --region=[REGION]

Running this command will provide all the necessary connection information, including the instance's IP address (host), port (port), and VPC network (authorizedNetwork).

List all instances in a project:

# To see all instances in a specific region, use the --region flag.
gcloud redis instances list --region=[REGION]

Q6: How do I connect a Cloud Run service using the retrieved Memorystore for Redis information?

A: You can connect it through a 3-step process. The key is to configure Cloud Run to access the VPC network, as Redis uses a private IP.

Step 1: Create a Serverless VPC Access Connector Create a connector to link Cloud Run and the VPC network where Redis is located. (Skip this step if you already have one.)

gcloud compute networks vpc-access connectors create redis-connector \
  --network default \
  --region us-central1 \
  --range "10.8.0.0/28"
  • The --network and --region must be set to the same values as your Redis instance.

Step 2: Deploy Cloud Run with the VPC Connector and Environment Variables Use the gcloud run deploy command to attach the VPC connector and inject the Redis connection information as environment variables.

gcloud run deploy [SERVICE_NAME] \
  --image [IMAGE_NAME] \
  --region us-central1 \
  --vpc-connector redis-connector \
  --vpc-egress all-traffic \
  --set-env-vars REDIS_HOST=[REDIS_IP_ADDRESS],REDIS_PORT=[REDIS_PORT]
  • --vpc-egress all-traffic: This setting ensures that all outbound traffic from Cloud Run goes through the VPC, allowing it to access the private IP of Redis.
  • For REDIS_HOST and REDIS_PORT, enter the host and port values you obtained in Q5.

Step 3: Use Environment Variables in Your Application Code Within your code, read the environment variables (REDIS_HOST, REDIS_PORT) to initialize the Redis client.

# Python Example
import os
import redis

redis_host = os.environ.get('REDIS_HOST')
redis_port = int(os.environ.get('REDIS_PORT'))

redis_client = redis.Redis(host=redis_host, port=redis_port)

Q7: Are separate firewall rule settings required to connect to Memorystore for Redis from Cloud Run?

A: No, generally no additional firewall settings are needed.

Google Cloud's default VPC network includes a default firewall rule called default-allow-internal, which permits communication between all resources within the VPC. Since Cloud Run acts like a component inside the VPC via the VPC connector, it can communicate with the Redis instance without any extra rules.

However, if you have modified the default-allow-internal rule or are using a custom VPC that lacks an internal communication rule, you may need to configure firewall rules yourself.