How to access Aiven services from Google Cloud Functions via VPC peering

Once you have created a VPC on the Aiven platform and set up VPC peering on GCP, you can follow these instructions to create a Serverless VPC access connector and a Google Cloud Function.

By default, Google Cloud Functions can only access the Internet and cannot access your GCP VPC or Aiven VPC. For Google Cloud Functions to access a VPC, a Serverless VPC access connector is required. Under the hood, a Serverless VPC access connector consists of two or more Google-managed VMs that forward requests (and perform NAT) from Cloud Functions to your GCP VPC and Aiven VPC.

graph LR; GCF(Google Cloud Function) --TCP session--> Conn(Serverless VPC access connector) --TCP session--> VPC(Your GCP VPC and Aiven VPC)

First, create a Serverless VPC access connector

  1. Open the GCP console and under Navigation menu, Networking section, VPC network product, select Serverless VPC access.

  2. Click create connector.

    • Name: the connector name of your choice, 25 characters maximum

    • Region: must be the region where you intend to create the Cloud Function

    • Network: your GCP VPC, which should already be peered with the Aiven VPC

    • Subnet: select “custom IP range” and enter a /28 private subnet that is not in use.

  3. If you have allowed IP addresses configured on your Aiven service, ensure that the subnet of the Serverless VPC access connector is listed there.
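
A pre-flight check for the two address requirements above (an unused /28 private range, and coverage by the Aiven allowed IP list), as an added example that is not part of Aiven's documentation or tooling. The function name, the RFC 1918 reading of "private", and all sample ranges are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; reading the page's "private subnet" this way is an assumption.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_connector_range(connector_cidr, in_use_cidrs, aiven_allowlist):
    """Return a list of problems with a proposed connector range ([] = OK).

    in_use_cidrs: ranges already used (GCP VPC subnets, the Aiven VPC CIDR).
    aiven_allowlist: the service's allowed IP ranges; empty means none configured.
    """
    try:
        conn = ipaddress.ip_network(connector_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    if conn.version != 4 or conn.prefixlen != 28:
        return [f"{conn} is not an IPv4 /28"]

    problems = []
    if not any(conn.subnet_of(net) for net in RFC1918):
        problems.append(f"{conn} is not a private (RFC 1918) range")

    for cidr in in_use_cidrs:
        used = ipaddress.ip_network(cidr, strict=False)
        if used.version == 4 and conn.overlaps(used):
            problems.append(f"{conn} overlaps in-use range {used}")

    if aiven_allowlist:
        allowed = [ipaddress.ip_network(c, strict=False) for c in aiven_allowlist]
        # Merge adjacent entries so two /29s that together cover the /28 count.
        merged = ipaddress.collapse_addresses(n for n in allowed if n.version == 4)
        if not any(conn.subnet_of(net) for net in merged):
            problems.append(f"{conn} is not covered by the Aiven allowed IP list")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real project.
    in_use = ["10.0.0.0/24", "192.168.64.0/24"]
    for candidate in ("10.8.0.0/28", "10.0.0.16/28", "10.8.0.5/28"):
        print(candidate, check_connector_range(candidate, in_use, ["10.8.0.0/28"]))
```

An allowlist entry that is wider than the connector range also admits every other host in that range, so listing the exact /28 keeps the filter tightest.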

Create Cloud Function

  1. Open the GCP console and under Navigation menu, Serverless section, select Cloud Functions.

  2. Click create function

    • Environment: your choice, or leave it to the default (2nd gen)

    • Function name: the name of your choice, 63 characters maximum

    • Region: must be the region where you created the Serverless VPC access connector

    • Click and expand the runtime, build, connections and security settings section, select the Connections tab, and select the Serverless VPC access connector you have created.

    • Click Next

  3. Select the runtime you prefer.

    • Pitfall: if you click test function here, you will not be able to access the VPC.

    • Click Deploy

  4. Wait for GCP to deploy the cloud function. Once deployed, use the source tab to edit the function if needed.

    • Pitfall: if you click test function under the source tab, you will not be able to access the VPC.

  5. Select the testing tab. Running the test command in Cloud Shell from there can access the VPC.

Troubleshooting

If you cannot access your GCP VPC or Aiven VPC from the Cloud Function, consider using the following example for troubleshooting purposes.

# Cloud Function 2nd gen, Python 3.11
import hmac
import socket

import functions_framework

# Shared secret the caller must send; change it before deploying.
CLOUD_FUNCTION_KEY = 'gcf-aiven-test-CHANGE_ME_FOR_SECURITY_REASON'

@functions_framework.http
def hello_http(request):
    request_json = request.get_json(silent=True)
    key = request_json.get("cloud_function_key") if isinstance(request_json, dict) else None

    # Constant-time comparison of the caller's key with the configured key.
    if isinstance(key, str) and hmac.compare_digest(key.encode(), CLOUD_FUNCTION_KEY.encode()):
        try:
            host = request_json['host']
            port = request_json['port']
            timeout = request_json.get('timeout', 10)
            # Attempt a TCP connection; the socket is closed on leaving the block.
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect((host, port))
            result = "OK"
        except Exception as e:
            # Report the failure (e.g. TimeoutError) to the caller.
            result = repr(e)
        return 'Result: {}\n'.format(result)
    return "HTTP 401\n", 401

The request body should contain:

  • “cloud_function_key”: the value of CLOUD_FUNCTION_KEY. Change this to protect your Cloud Function endpoint, especially if it does not require authentication.

  • “host”: FQDN or IP address of your Aiven service or VM in your GCP VPC.

  • “port”: Destination TCP port number.

For example (e.g. in the testing tab in your Cloud Function):

{
  "cloud_function_key": "gcf-aiven-test-CHANGE_ME_FOR_SECURITY_REASON",
  "host": "fqdn-or-ip-to-your-aiven-service.a.aivencloud.com",
  "port": 12345
}

It will return “OK” if it can complete the TCP three-way handshake, and “TimeoutError” if it cannot reach the specified port.

If you need help, please contact Aiven support. You can also provide your Cloud Function endpoint and CLOUD_FUNCTION_KEY so that we can troubleshoot more efficiently for you.