GCP Setup

1. Go to your Cloud Run dashboard in your new GCP project

  • Click "Create service".
    • Select "Continuously deploy new revisions from a source repository".
      • Select "Set up with Cloud Build".
        • Follow the wizard with default settings, selecting Dockerfile as your Build Type (this will need Cloud Build APIs enabled).
    • Back to main service creation wizard. Some suggested settings:
      • CPU is only allocated during request processing
      • "Autoscaling" -- Min: 1; Max: 10
      • "Ingress control" -- All
      • "Authentication" -- Allow unauthenticated invocations
    • Expand the "Container(s), Volumes, Networking, Security" section.
      • Under the "Container(s)" --> "Settings" tab:
        • Choose your container default resources (e.g., 512MiB memory, 1 vCPU).
        • Add a "Health Check" --> "Liveness Check" --> Probe type "HTTP" --> Path "/healthz"
      • Under the "Container(s)" --> "Variables & Secrets" tab:
        • Add environment variables.
    • Click "Create". Your build will fail! We need to enable Cloud Run admin permissions.

2. Go to "Cloud Build" --> "Settings"

  • Under "Service account permissions", set "Cloud Run Admin" to "ENABLED".
    • If you get an "Additional steps may be required" popup, click "Grant access to all service accounts".

3. Go to "Cloud Build" --> "Triggers"

  • Find the trigger connected to your Cloud Run service (it's probably the only one there) and click "RUN".
    • Stick with the default settings in the drawer and click "RUN TRIGGER". It will fail again! We need to enable the IAM API.

4. Go to "APIs & Services" --> "Library"

  • Search for "IAM" and click on "Identity and Access Management (IAM) API"
    • Click "Enable"

5. Go back to "Cloud Build" --> "Triggers" page

  • Click "RUN" again, and then click "RUN TRIGGER" again.
    • It should work. If it doesn't, you may need to:
      • Wait a few minutes for the IAM API to finish enabling, and/or debug something in your build.
  • We now have a Cloud Run service that is connected to a Cloud Build trigger, which is connected to a GitHub repo.

6. Go to "Cloud Run" --> "Services"

  • Click into your service.
    • Confirm the build worked (you should now have a live URL to visit).
      • If you don't, go back to the last step and debug.
  • Now we need to add a load balancer.

7. Go to "APIs & Services" --> "Library"

  • Search for "Compute Engine" and click on "Compute Engine API"
    • Click "Enable". This one can take some time.

8. Go to "Network services" --> "Load balancing"

  • Click "Create Load Balancer"
    • Select "Application Load Balancer (HTTP/S)"
      • Make your load balancer internet-facing.
      • Set the type to "Global external Application Load Balancer"
    • Click "Continue"
  • Now configure the Frontend
    • Settings:
      • Protocol: "HTTPS"
      • IP address:
        • Click "Create IP address" to reserve a static IP address
      • Port: "443"
      • Certificate:
        • Click "Create a new certificate"
          • Under "Create mode", choose "Upload my certificate"
          • Go to Cloudflare.
            • In Cloudflare, under your site, go to "SSL/TLS" --> "Origin Server"
              • Create a new certificate
                • Save the Origin Certificate and Private Key to a safe place (e.g., a password manager)
          • Go back to the GCP Wizard.
            • Paste the Origin Certificate and Private Key from Cloudflare into the corresponding fields in the GCP wizard, then click "CREATE"
      • Check the box for "Enable HTTP to HTTPS redirect"
        • IMPORTANT: This option does not show when editing, only when creating, so don't miss it.
    • Click "DONE"
  • Now configure the Backend
    • Click into the "Backend services & backend buckets" dropdown --> "CREATE A BACKEND SERVICE"
      • Settings:
        • Backend type: "Serverless network endpoint group"
        • Under "Backends" --> "New backend":
          • Click into the "Serverless network endpoint groups" dropdown --> "CREATE A SERVERLESS NETWORK ENDPOINT GROUP"
            • Settings:
              • Set "Region" to the region your Cloud Run service is in
              • Set the "Serverless network endpoint group type" to "Cloud Run"
                • Select your Cloud Run service from the "Service" dropdown
          • Click "CREATE"
        • Leave "Enable Cloud CDN" unchecked. We will use Cloudflare instead.
      • Click "CREATE"
    • Click "OK" back in the "Backend services & backend buckets" dropdown
  • Leave "Routing rules" as default. It might be good to go back and double check that you have HTTP --> HTTPS redirect enabled.
  • If everything looks good, click "CREATE"
  • Once finished, you should see two load balancers: the one you just created, and an HTTP --> HTTPS redirector that was automatically created for you.
    • Click into the one you just created (not the redirector).
      • Copy the IP address. We will use this in Cloudflare.
        • Go to Cloudflare --> "DNS" --> "Records"
          • Create an "A" record with a name of "@" that points to the IP address you just copied
            • Turn Cloudflare proxying on!
          • Create a "CNAME" record with a name of "www" that points to "@"
            • Turn Cloudflare proxying on!
  • Give it a minute to propagate.
  • Congrats! You now have a Cloud Run app, behind a GCP load balancer, behind Cloudflare DNS / DDoS protection / CDN.
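The same load balancer build-out as a script, added here as an example and not taken from the guide above: the gcloud equivalent of steps 7 and 8 (enable the Compute Engine API, reserve the static IP, upload the Cloudflare origin certificate, create the serverless NEG and backend service, wire the HTTPS frontend on 443, and add the HTTP to HTTPS redirect that the console checkbox creates). It defaults to a dry run that only prints the commands, so the plan can be reviewed before anything is applied. It assumes gcloud is installed and authenticated; the project id, region, service name, certificate file names and resource names are placeholders, overridable through environment variables. It also goes one step beyond the guide: the service was created with ingress "All", which leaves its default run.app URL answering directly and bypassing both the load balancer and Cloudflare, so the last function restricts ingress to internal-and-cloud-load-balancing and the balancer becomes the only public path in.

```shell
#!/bin/sh
# Added example, not part of the original guide: gcloud equivalent of console
# steps 7-8 plus an ingress lock-down. Every name below is an assumption.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"   # assumed project id
REGION="${REGION:-us-central1}"        # region the Cloud Run service runs in
SERVICE="${SERVICE:-my-service}"       # Cloud Run service name
CERT_PEM="${CERT_PEM:-origin.pem}"     # Cloudflare Origin Certificate file (step 8)
KEY_PEM="${KEY_PEM:-origin.key}"       # its private key
DRY_RUN="${DRY_RUN:-1}"                # 1 = only print the commands; DRY_RUN=0 applies them

# Derived resource names (assumed naming convention).
ADDR="${SERVICE}-ip"; CERT="${SERVICE}-origin-cert"; NEG="${SERVICE}-neg"
BACKEND="${SERVICE}-backend"; URLMAP="${SERVICE}-urlmap"
HTTPS_PROXY_NAME="${SERVICE}-https-proxy"; HTTP_PROXY_NAME="${SERVICE}-http-proxy"
REDIRECT_MAP="${SERVICE}-redirect"

# Print every gcloud invocation; execute it only when DRY_RUN=0.
gc() {
  printf 'gcloud %s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then gcloud "$@"; fi
}

# Step 7: the load balancer needs the Compute Engine API. The APIs from steps
# 1-4 are included so the script also works on a fresh project.
enable_apis() {
  gc services enable compute.googleapis.com run.googleapis.com \
     cloudbuild.googleapis.com iam.googleapis.com --project="$PROJECT"
}

# Step 8, Frontend: reserve the static IP and upload the Cloudflare origin cert.
create_frontend() {
  gc compute addresses create "$ADDR" --global --ip-version=IPV4 --project="$PROJECT"
  gc compute ssl-certificates create "$CERT" --global \
     --certificate="$CERT_PEM" --private-key="$KEY_PEM" --project="$PROJECT"
}

# Step 8, Backend: a serverless NEG for the Cloud Run service inside a backend
# service. Cloud CDN stays off because Cloudflare provides the CDN.
create_backend() {
  gc compute network-endpoint-groups create "$NEG" --region="$REGION" \
     --network-endpoint-type=serverless --cloud-run-service="$SERVICE" --project="$PROJECT"
  gc compute backend-services create "$BACKEND" --global \
     --load-balancing-scheme=EXTERNAL_MANAGED --project="$PROJECT"
  gc compute backend-services add-backend "$BACKEND" --global \
     --network-endpoint-group="$NEG" --network-endpoint-group-region="$REGION" \
     --project="$PROJECT"
}

# Step 8, wiring on port 443: URL map -> HTTPS proxy -> forwarding rule on the IP.
create_https_listener() {
  gc compute url-maps create "$URLMAP" --default-service="$BACKEND" --global --project="$PROJECT"
  gc compute target-https-proxies create "$HTTPS_PROXY_NAME" --global \
     --url-map="$URLMAP" --ssl-certificates="$CERT" --project="$PROJECT"
  gc compute forwarding-rules create "${SERVICE}-https" --global \
     --load-balancing-scheme=EXTERNAL_MANAGED --network-tier=PREMIUM \
     --address="$ADDR" --target-https-proxy="$HTTPS_PROXY_NAME" --ports=443 \
     --project="$PROJECT"
}

# The "Enable HTTP to HTTPS redirect" checkbox: a second URL map whose only
# action is a 301 to https://, served by an HTTP proxy on port 80 of the same IP.
create_http_redirect() {
  redirect_yaml=$(mktemp)
  cat > "$redirect_yaml" <<EOF
name: $REDIRECT_MAP
defaultUrlRedirect:
  redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
  httpsRedirect: true
EOF
  gc compute url-maps import "$REDIRECT_MAP" --global --source="$redirect_yaml" --project="$PROJECT"
  gc compute target-http-proxies create "$HTTP_PROXY_NAME" --global \
     --url-map="$REDIRECT_MAP" --project="$PROJECT"
  gc compute forwarding-rules create "${SERVICE}-http" --global \
     --load-balancing-scheme=EXTERNAL_MANAGED --network-tier=PREMIUM \
     --address="$ADDR" --target-http-proxy="$HTTP_PROXY_NAME" --ports=80 \
     --project="$PROJECT"
  rm -f "$redirect_yaml"
}

# Beyond the guide: with ingress "All" the default *.run.app URL still answers
# directly, skipping the load balancer and Cloudflare. Restricting ingress makes
# the load balancer the only public way in.
restrict_ingress() {
  gc run services update "$SERVICE" --region="$REGION" \
     --ingress=internal-and-cloud-load-balancing --project="$PROJECT"
}

enable_apis
create_frontend
create_backend
create_https_listener
create_http_redirect
restrict_ingress
printf 'IP for the Cloudflare A record: gcloud compute addresses describe %s --global --format="value(address)"\n' "$ADDR"
```

Run it once as-is to read the plan, then with `DRY_RUN=0` (and real `PROJECT`, `REGION`, `SERVICE`, `CERT_PEM`, `KEY_PEM`) to apply it. The Cloudflare DNS records at the end of step 8 are still created by hand; the final line prints the command that returns the reserved IP to put in the "A" record.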