Access internal Google Cloud Run app from AWS

Tailscale version: 1.32.3
Your operating system & version: Ubuntu 22.04

Hi folks, I’m trying to allow an ECS Fargate service to call Google Cloud Run without allowing public access to the Cloud Run service.

It seemed like the easiest way to do this was by allowing access over internal ingress. This is a clever piece of Google Cloud networking trickery that lets you call your Cloud Run app from a VPC in the same project.

My initial thought was to add a subnet router in the GCP VPC. Then, when I made a request to the Cloud Run URL, it would get routed through the subnet router.

However, what I realised is that Cloud Run apps don’t have an internal IP address. They have a public IP address, but will block external requests if you try to connect to them from outside of the VPC.

Does anyone have any clever ideas of how to route my requests to Cloud Run via the GCP VPC? My next idea was to set up an HTTP proxy like smokescreen in GCP. Then I could configure my requests to be proxied by smokescreen in GCP, which would then make the request to Cloud Run, originating from the VPC.
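The proxy idea in the post puts a host inside the GCP VPC that forwards requests on behalf of tailnet clients, so it should only tunnel to the one Cloud Run hostname and nothing else the VPC can reach. The sketch below is an added example, not part of the original post and not smokescreen's own code: it shows an exact-match CONNECT allowlist on the proxy side and a matching client-side proxy selection. The hostname, proxy address and function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed values (assumptions, not from the post).
ALLOWED_HOSTS = {"my-service-abc123-uc.a.run.app"}  # the one Cloud Run hostname
PROXY_URL = "http://100.64.0.10:4750"               # proxy's tailnet address


def _normalise(host: str) -> str:
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.rstrip(".").lower()


def connect_allowed(target: str) -> bool:
    """Proxy side: may this CONNECT target ("host:port") be tunnelled?

    Exact host match, not suffix or substring match, so look-alike names
    such as "<allowed>.example.com" are rejected. Only port 443 is allowed.
    """
    host, sep, port = target.rpartition(":")
    if not sep or port != "443":
        return False
    return _normalise(host) in ALLOWED_HOSTS


def proxies_for(url: str) -> dict:
    """Client side: requests-style proxy mapping for a URL.

    Only HTTPS requests to the allowlisted Cloud Run host go through the
    VPC proxy; everything else gets an empty mapping (no proxy).
    """
    parts = urlsplit(url)
    host = _normalise(parts.hostname or "")
    if parts.scheme == "https" and host in ALLOWED_HOSTS and parts.port in (None, 443):
        return {"https": PROXY_URL}
    return {}
```

The mapping returned by `proxies_for` can be passed as the `proxies` argument of a `requests` call; restricting who may reach the proxy port at all is still a job for tailnet ACLs.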