GCP CloudRun - Add NAT Gateway or Internal Service Ingress All?


In CloudRun:

public-service needs to talk to internal-service and the internet

internal-service talks to the internet

Option 1: Ideally, internal-service has ingress set to internal, but in doing so, public-service requires a vpc-connector for all-traffic, which means it also needs a NAT gateway added.

Option 2: Alternatively, internal-service can have ingress set to all and --no-allow-unauthenticated.

Option 1 looks a bit complex. What is recommended? What are the security risks of Option 2?

On BEST ANSWER

Your VPC contains a default route that forwards the traffic to the internet if no IP matches in your VPC.


Therefore, you don't need a Cloud NAT. Cloud NAT is useful if you want to go to the internet with a static IP of your own, not with a shared, random IP.

Option 1 is the best, without the Cloud NAT overhead.


EDIT 1

I was sure that the default internet route wasn't deletable. Thanks to your comment, I checked and... no, you can delete it. Only the priority 0 rules aren't removable.

But that also means you can recreate it, like this:

gcloud beta compute routes create default-to-internet \
 --network=default --priority=1000 --destination-range=0.0.0.0/0 \
 --next-hop-gateway=default-internet-gateway

Stay on the option 1 ;)
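The risk the question asks about with Option 2 is that an internet-reachable internal-service is protected by its IAM policy alone, so one careless roles/run.invoker grant to allUsers makes it public, whereas ingress=internal keeps it unreachable whatever the policy says. Below is an added offline audit check (example code, not from the question or answer above) that classifies each service from dicts shaped like the output of `gcloud run services describe --format=json` and `gcloud run services get-iam-policy --format=json`; the service names, connector name and policies are constructed samples.

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def classify_exposure(service: dict, iam_policy: dict) -> dict:
    """Return ingress/egress settings plus an exposure finding for one Cloud Run service."""
    meta = service.get("metadata", {})
    ingress = meta.get("annotations", {}).get("run.googleapis.com/ingress", "all")  # Cloud Run default
    tmpl_ann = (service.get("spec", {}).get("template", {})
                .get("metadata", {}).get("annotations", {}))
    connector = tmpl_ann.get("run.googleapis.com/vpc-access-connector")
    egress = tmpl_ann.get("run.googleapis.com/vpc-access-egress",
                          "private-ranges-only" if connector else None)
    public_invokers = sorted(
        m for b in iam_policy.get("bindings", [])
        if b.get("role") == "roles/run.invoker"
        for m in b.get("members", []) if m in PUBLIC_MEMBERS)
    if ingress != "all":
        finding = "INTERNAL: not internet-reachable, whatever the IAM policy says"
    elif public_invokers:
        finding = "PUBLIC: internet-reachable and invokable without authentication"
    else:
        finding = "IAM-ONLY: internet-reachable; protection rests on roles/run.invoker alone"
    return {"name": meta.get("name"), "ingress": ingress, "connector": connector,
            "egress": egress, "public_invokers": public_invokers, "finding": finding}


def constructed_samples() -> list:
    """Option 2 as described, the same service after a careless IAM grant, and public-service."""
    internal = {"metadata": {"name": "internal-service",
                             "annotations": {"run.googleapis.com/ingress": "all"}},
                "spec": {"template": {"metadata": {"annotations": {}}}}}
    strict_policy = {"bindings": [{"role": "roles/run.invoker",
                                   "members": ["serviceAccount:public-sa@example.iam.gserviceaccount.com"]}]}
    loose_policy = {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}
    public = {"metadata": {"name": "public-service",
                           "annotations": {"run.googleapis.com/ingress": "all"}},
              "spec": {"template": {"metadata": {"annotations": {
                  "run.googleapis.com/vpc-access-connector": "my-connector",  # constructed name
                  "run.googleapis.com/vpc-access-egress": "all-traffic"}}}}}
    return [(internal, strict_policy), (internal, loose_policy), (public, loose_policy)]


def audit() -> list:
    return [classify_exposure(svc, pol) for svc, pol in constructed_samples()]


if __name__ == "__main__":
    for r in audit():
        print(f"{r['name']:17} ingress={r['ingress']:8} egress={r['egress']}  {r['finding']}")
```

Run it against real `describe`/`get-iam-policy` JSON to spot an internal service that has drifted from IAM-ONLY to PUBLIC.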