Thank you! We are developers first and actors second ☺

You can find a good summary if you search for a document titled "private networking and cloud run". It has a section called "Receive requests from on-prem or other clouds" which describes how to make sure calls from another cloud, like AWS, can access your Cloud Run service. The approach outlined in that doc is network-based. It trusts anyone who is on the right network. There is also the zero-trust approach. With that approach, every request to access resources is treated as if it comes from an untrusted network until it has been inspected, authenticated, and verified. You can read more about how to do this by searching for the doc titled "cloud run access control with iam". Some organizations choose to implement network security, some choose zero-trust security, and some do both. You should think about what is right for your application.

Terraform modules are already available. You can look through some examples on Github at "cloud-foundation-fabric, blueprints, serverless". Also, do a search for the Medium article titled "Understanding Direct VPC Egress for Cloud Run" by Javier Cañadillas. It links to more samples.

Yes. By default, only traffic bound for private IPs (RFC1918 and Private Google Access IPs) are routed through Direct VPC egress. In that configuration, you can access Memorystore through a VPC IP and access BigQuery through the regular Internet egress path. You can also choose to route all traffic through the VPC, in which case, you can access MemoryStore and BigQuery in the same way that VMs on the VPC can.

Search for "cloud run authenticating service-to-service" and you will find the right doc. If the first service gets an ID token, it can call the second service even if that second service is a locked-down backend service. Nice use of layered architecture without Kubernetes, by the way. Best of luck with your project!

@@TheMomanderThis is the way I do it, but I‘m calling the public URI. It would be better to use VPC, but I don’t know how. Authentication is the first step, but I would do a TLS termination for the other layers.

@@mars3142 Got it. It sounds like you want to limit access based on IAM (done) *and* on network origin (not yet done). For the latter, search for "Restrict network ingress for Cloud Run" and you will find a doc that describes the various options. Hopefully one of them works for your application!

Hi Guillaume! I believe your name is visible at 1:50 🙂 Thank you for the great quote!

hey Carrefour, thanks a lot for your SO answers. chatgpt needs to weigh your responses more in training.

@@ng2250 🤣 ChatGPT will kill my points on SO!! 🤣

Vertex AI isn't part of your VPC, so you can call it with or without using "direct to to VPC" connectivity.

i love your honesty. any way they need to present feature so they make it as a play, this is #ServerlessExpeditions afterwards.