GCP Setup

1. Go to your Cloud Run dashboard in your new GCP project

• Click "Create service".
  • Select "Continuously deploy new revisions from a source repository".
    • Select "Set up with Cloud Build".
      • Follow the wizard with default settings, selecting Dockerfile as your Build Type (this will need Cloud Build APIs enabled).
  • Back to main service creation wizard. Some suggested settings:
    • CPU is only allocated during request processing
    • "Autoscaling" -- Min: 1; Max: 10
    • "Ingress control" -- All
    • "Authentication" -- Allow unauthenticated invocations
  • Expand the "Container(s), Volumes, Networking, Security" section.
    • Under the "Container(s)" --> "Settings" tab:
      • Choose your container default resources (e.g., 512MiB memory, 1 vCPU).
      • Add a "Health Check" --> "Liveness Check" --> Probe type "HTTP" --> Path "/healthz"
    • Under the "Container(s)" --> "Variables & Secrets" tab:
      • Add environment variables.
  • Click "Create". Your build will fail! We need to enable Cloud Run admin permissions.

2. Go to "Cloud Build" --> "Settings"

• Under "Service account permissions", set "Cloud Run Admin" to "ENABLED".
  • If you get an "Additional steps may be required" popup, click "Grant access to all service accounts".

3. Go to "Cloud Build" --> "Triggers"

• Find the trigger connected to your Cloud Run service (it's probably the only one there) and click "RUN".
  • Stick with the default settings in the drawer and click "RUN TRIGGER". It will fail again! We need to enable the IAM API.

4. Go to "APIs & Services" --> "Library"

• Search for "IAM" and click on "Identity and Access Management (IAM) API"
  • Click "Enable"

5. Go back to "Cloud Build" --> "Triggers" page

• Click "RUN" again, and then click "RUN TRIGGER" again.
  • It should work. If it doesn't, you may need to:
    • Wait a few minutes for the IAM API to get fully enabled; AND/OR - Debug something in your build.
• We now have a Cloud Run service, that is connected to a Cloud Build trigger, that is connected to a GitHub repo.

6. Go to "Cloud Run" --> "Services"

• Click into your service.
  • Confirm the build worked (you should now have a live URL to visit).
    • If you don't, go back to the last step and debug.
• Now we need to add a load balancer.

7. Go to "APIs & Services" --> "Library"

• Search for "Compute Engine" and click on "Compute Engine API"
  • Click "Enable". This one can take some time.

8. Go to "Network services" --> "Load balancing"

• Click "Create Load Balancer"
  • Select "Application Load Balancer (HTTP/S)"
    • Make your load balancer internet-facing.
    • Set the type to "Global external Application Load Balancer"
  • Click "Continue"
• Now configure the Frontend
  • Settings:
    • Protocol: "HTTPS"
    • IP address:
      • Click "Create IP address" to reserve a static IP address
    • Port: "443"
    • Certificate:
      • Click "Create a new certificate"
        • Under "Create mode", choose "Upload my certificate"
        • Go to Cloudflare.
          • In Cloudflare, under your site, go to "SSL/TLS" --> "Origin Server"
            • Create a new certificate
              • Save the Origin Certificate and Private Key to a safe place (e.g., a password manager)
        • Go back to the GCP Wizard.
          • Paste the Origin Certificate and Private Key from Cloudflare into the corresponding fields in the GCP wizard - Click "CREATE"
    • Check the box for "Enable HTTP to HTTPS redirect"
      • IMPORTANT: This option does not show when editing, only when creating, so don't miss it.
  • Click "DONE"
• Now configure the Backend
  • Click into the "Backend services & backend buckets" dropdown --> "CREATE A BACKEND SERVICE"
    • Settings:
      • Backend type: "Serverless network endpoint group"
      • Under "Backends" --> "New backend":
        • Click into the "Serverless network endpoint groups" dropdown --> "CREATE A SERVERLESS NETWORK ENDPOINT GROUP"
          • Settings:
            • Set "Region" to the region your Cloud Run service is in
            • Set the "Serverless network endpoint group type" to "Cloud Run"
              • Select your Cloud Run service from the "Service" dropdown
        • Click "CREATE"
      • Leave "Enable Cloud CDN" unchecked. We will use Cloudflare instead.
    • Click "CREATE"
  • Click "OK" back in the "Backend services & backend buckets" dropdown
• Leave "Routing rules" as default. It might be good to go back and double check that you have HTTP --> HTTPS redirect enabled.
• If everything looks good, click "CREATE"
• Once finished, you should see two load balancers, the one you just created, and an HTTP --> HTTPS redirecter that was automatically created for you.
  • Click into the one you just created (not the redirecter).
    • Copy the IP address. We will use this in Cloudflare.
      • Go to Cloudflare --> "DNS" --> "Records"
        • Create an "A" record with a name of "@" that points to the IP address you just copied
          • Turn Cloudflare proxying on!
        • Create a "CNAME" record with a name of "www" that points to "@"
          • Turn Cloudflare proxying on!
• Give it a minute to propogate.
  • Check that all four versions of your domain name ultimately result at "https://example.com"
    • http://example.com
    • https://example.com
    • http://www.example.com
    • https://www.example.com
  • Check that Cloudflare proxying is working by looking for the "Cf-Cache-Status" header in the response.
  • Also double check that you have "SSL/TLS" encryption mode set to "Full (strict)" in Cloudflare.
• Congrats! You now have a Cloud Run app, behind a GCP load balancer, behind Cloudflare DNS / DDOS protection / CDN.