Why can't 1 cloud run service (client) connect to another (backend) cloud run service when ingress is controlled?


I'm currently running two Cloud Run services (static web + web server).

The web server is connected to an AlloyDB instance, which is all through a VPC. I have also set up Ingress Control to allow traffic from the VPC.

However, when I do set this Ingress Control, the static web Cloud Run (I'll just call it the client) can't seem to connect to it. A status code of 403 is raised and ends up showing just a CORS error (FastAPI CORS is set and checked when Ingress Control is not set). The only odd error I've seen so far in Log Explorer is `operationalError: SSL SysCall error: eof detected`, which I can't seem to decipher.

The VPC is a must, since the web server is connected to AlloyDB. (I'm sure there are other ways, but I'd like to follow the current documented method of connecting within the same VPC network).

What could be the issue here?


Try to write a schema of your architecture. On your backend, you require traffic coming from the VPC. I'm also sure you added a serverless VPC connector to control the egress and to be able to reach AlloyDB.

Now, think about the frontend. Firstly, if you set ingress = internal, only traffic coming from your VPC will be allowed to access your service. Your clients (the browsers) that reach the Cloud Run service are, obviously, not connected to your VPC, therefore it does not work.

But, if you want to make the connection between the frontend and the backend, you could think that you need to control the egress of the frontend to be compliant with the ingress of the backend. I mean: all in the same VPC. Set a serverless VPC connector on the frontend (egress = all) and that's all!!

But no, not again. Think about your schema: the static frontend is served from Cloud Run, but runs on the client side. And your clients (the browsers) can't use the VPC connector of your Cloud Run services!! Because they're not on Google Cloud, but on their own computers.

Therefore, not many options... You have to leave ingress = all on all your Cloud Run services, else you won't be able to access your services.
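As an added illustration (not part of the original answer), here is the backend's Cloud Run service manifest with the setting that produces the 403 beside the corrected one. The ingress annotation sits on the Service metadata, while the VPC connector annotations sit on the revision template, so the connector used to reach AlloyDB stays in place when ingress is opened. Service, image, project, region and connector names are placeholders.

```yaml
# Backend (web server) as described in the question: ingress restricted
# to the VPC. Browsers never enter the VPC, so their requests are
# rejected with 403 before FastAPI (and its CORS middleware) ever runs.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: web-server                      # placeholder name
  annotations:
    run.googleapis.com/ingress: internal   # <-- blocks browser traffic
spec:
  template:
    metadata:
      annotations:
        # Egress through the serverless VPC connector so the container
        # can reach the AlloyDB private IP (connector name is a placeholder).
        run.googleapis.com/vpc-access-connector: alloydb-connector
        run.googleapis.com/vpc-access-egress: all-traffic
    spec:
      containers:
        - image: REGION-docker.pkg.dev/PROJECT/repo/web-server:latest   # placeholder
---
# Corrected backend: ingress opened as the answer recommends. The VPC
# connector is an egress setting and is unaffected, so AlloyDB access
# keeps working over the VPC. With ingress open, the Cloud Run invoker
# IAM policy and the application's own auth are what gate callers.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: web-server
  annotations:
    run.googleapis.com/ingress: all        # <-- browsers can now reach it
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/vpc-access-connector: alloydb-connector
        run.googleapis.com/vpc-access-egress: all-traffic
    spec:
      containers:
        - image: REGION-docker.pkg.dev/PROJECT/repo/web-server:latest
```

Each manifest can be applied with `gcloud run services replace FILE.yaml`; the static frontend service needs no connector at all, only `run.googleapis.com/ingress: all`, since its HTML is served to browsers and the API calls originate from those browsers.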