GCP Setup
1. Go to your Cloud Run dashboard in your new GCP project
   - Click "Create service".
   - Select "Continuously deploy new revisions from a source repository".
   - Select "Set up with Cloud Build".
   - Follow the wizard with default settings, selecting Dockerfile as your Build Type (this will need Cloud Build APIs enabled).
   - Back to main service creation wizard. Some suggested settings:
     - CPU is only allocated during request processing
     - "Autoscaling" -- Min: 1; Max: 10
     - "Ingress control" -- All
     - "Authentication" -- Allow unauthenticated invocations
   - Expand the "Container(s), Volumes, Networking, Security" section.
     - Under the "Container(s)" --> "Settings" tab:
       - Choose your container default resources (e.g., 512MiB memory, 1 vCPU).
       - Add a "Health Check" --> "Liveness Check" --> Probe type "HTTP" --> Path "/healthz"
     - Under the "Container(s)" --> "Variables & Secrets" tab:
       - Add environment variables.
   - Click "Create". Your build will fail! We need to enable Cloud Run admin permissions.
2. Go to "Cloud Build" --> "Settings"
   - Under "Service account permissions", set "Cloud Run Admin" to "ENABLED".
   - If you get an "Additional steps may be required" popup, click "Grant access to all service accounts".
3. Go to "Cloud Build" --> "Triggers"
   - Find the trigger connected to your Cloud Run service (it's probably the only one there) and click "RUN".
   - Stick with the default settings in the drawer and click "RUN TRIGGER". It will fail again! We need to enable the IAM API.
4. Go to "APIs & Services" --> "Library"
   - Search for "IAM" and click on "Identity and Access Management (IAM) API"
5. Go back to "Cloud Build" --> "Triggers" page
   - Click "RUN" again, and then click "RUN TRIGGER" again.
   - It should work. If it doesn't, you may need to:
     - Wait a few minutes for the IAM API to get fully enabled; AND/OR
     - Debug something in your build.
   - We now have a Cloud Run service, that is connected to a Cloud Build trigger, that is connected to a GitHub repo.
6. Go to "Cloud Run" --> "Services"
   - Click into your service.
   - Confirm the build worked (you should now have a live URL to visit).
     - If you don't, go back to the last step and debug.
   - Now we need to add a load balancer.
7. Go to "APIs & Services" --> "Library"
   - Search for "Compute Engine" and click on "Compute Engine API"
   - Click "Enable". This one can take some time.
8. Go to "Network services" --> "Load balancing"
   - Click "Create Load Balancer"
   - Select "Application Load Balancer (HTTP/S)"
   - Make your load balancer internet-facing.
   - Set the type to "Global external Application Load Balancer"
   - Click "Continue"
   - Now configure the Frontend
     - Settings:
       - Protocol: "HTTPS"
       - IP address:
         - Click "Create IP address" to reserve a static IP address
       - Port: "443"
       - Certificate:
         - Click "Create a new certificate"
         - Under "Create mode", choose "Upload my certificate"
         - Go to Cloudflare.
           - In Cloudflare, under your site, go to "SSL/TLS" --> "Origin Server"
           - Create a new certificate
           - Save the Origin Certificate and Private Key to a safe place (e.g., a password manager)
         - Go back to the GCP Wizard.
         - Paste the Origin Certificate and Private Key from Cloudflare into the corresponding fields in the GCP wizard
         - Click "CREATE"
       - Check the box for "Enable HTTP to HTTPS redirect"
         - IMPORTANT: This option does not show when editing, only when creating, so don't miss it.
     - Click "DONE"
   - Now configure the Backend
     - Click into the "Backend services & backend buckets" dropdown --> "CREATE A BACKEND SERVICE"
     - Settings:
       - Backend type: "Serverless network endpoint group"
       - Under "Backends" --> "New backend":
         - Click into the "Serverless network endpoint groups" dropdown --> "CREATE A SERVERLESS NETWORK ENDPOINT GROUP"
         - Settings:
           - Set "Region" to the region your Cloud Run service is in
           - Set the "Serverless network endpoint group type" to "Cloud Run"
           - Select your Cloud Run service from the "Service" dropdown
         - Click "CREATE"
       - Leave "Enable Cloud CDN" unchecked. We will use Cloudflare instead.
     - Click "CREATE"
     - Click "OK" back in the "Backend services & backend buckets" dropdown
   - Leave "Routing rules" as default. It might be good to go back and double check that you have HTTP --> HTTPS redirect enabled.
   - If everything looks good, click "CREATE"
   - Once finished, you should see two load balancers: the one you just created, and an HTTP --> HTTPS redirector that was automatically created for you.
   - Click into the one you just created (not the redirector).
   - Copy the IP address. We will use this in Cloudflare.
   - Go to Cloudflare --> "DNS" --> "Records"
     - Create an "A" record with a name of "@" that points to the IP address you just copied
       - Turn Cloudflare proxying on!
     - Create a "CNAME" record with a name of "www" that points to "@"
       - Turn Cloudflare proxying on!
   - Give it a minute to propagate.
   - Check that all four versions of your domain name (http and https, with and without "www") ultimately land at "https://example.com"
   - Check that Cloudflare proxying is working by looking for the "Cf-Cache-Status" header in the response.
   - Also double check that you have "SSL/TLS" encryption mode set to "Full (strict)" in Cloudflare.
   - Congrats! You now have a Cloud Run app, behind a GCP load balancer, behind Cloudflare DNS / DDoS protection / CDN.
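As an added check for the last three bullets (this script is not part of the original guide), the following Python follows the redirect chain from each of the four hostname/scheme variants without letting the HTTP library hide intermediate hops, and reports any variant that does not end at https://<domain> with a 200 and a Cf-Cache-Status header. The `fetch_fn` parameter is a hypothetical injection point so the chain logic can be exercised against constructed responses; the default `fetch` does real requests.

```python
import http.client
import sys
from urllib.parse import urljoin, urlsplit

# The four ways a visitor can type the site; all must converge on https://<domain>.
VARIANTS = ("http://{d}", "http://www.{d}", "https://{d}", "https://www.{d}")

def fetch(url):  # one request, no automatic redirect following
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def follow(url, fetch_fn=fetch, max_hops=5):
    """Walk 3xx hops manually so every Location is visible; returns (final_url, status, headers)."""
    for _ in range(max_hops):
        status, headers = fetch_fn(url)
        if status in (301, 302, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])  # Location may be relative
            continue
        return url, status, headers
    raise RuntimeError(f"more than {max_hops} redirects starting from {url}")

def check_domain(domain, fetch_fn=fetch):  # maps each start URL to None (ok) or a problem string
    canonical = f"https://{domain}"
    report = {}
    for template in VARIANTS:
        start = template.format(d=domain)
        try:
            final, status, headers = follow(start, fetch_fn)
        except Exception as exc:  # DNS failure, TLS error, redirect loop, ...
            report[start] = f"error: {exc}"
            continue
        problems = []
        if final.rstrip("/") != canonical:
            problems.append(f"ended at {final}, expected {canonical}")
        if status != 200:
            problems.append(f"final status {status}")
        if "cf-cache-status" not in headers:  # only the Cloudflare proxy adds this header
            problems.append("no Cf-Cache-Status header, traffic is not passing through Cloudflare")
        report[start] = "; ".join(problems) or None
    return report

if __name__ == "__main__":  # usage: python check_domain.py example.com
    for url, problem in check_domain(sys.argv[1]).items():
        print(f"{url:28} {problem or 'OK'}")
```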