Adding Google Cloud Platform firewall rule for Vercel service

I'm currently hosting my database on a Google Cloud Platform VM and the serverless API which connects to it is hosted on Vercel.

I've managed to allow my IP in the GCP firewall but I'm having difficulties in allowing connections to the database from the API.

The GCP firewall doesn't accept any non-IP values for the firewall, so I can't simply add my hostname.

I own the domain the API is using, but the IP is obviously controlled by Vercel. I've tried pinging my domain to find out Vercel's IP (76.76.21.21) and added that to my firewall as an IP Range 76.76.21.21/32, but my API still times out while trying to connect.

I've allowed all connections from Postgres so I know it can't be that.

Any idea on how I can allow my API through the firewall?


Solution 1:

I would recommend enabling VPC flow logs and firewall logging for a couple of hours in order to confirm the IP of the Vercel API, and then you can whitelist it. However, I've found that Vercel deployments use dynamic IP addresses due to the dynamic nature of the platform, so the IP will be changing all the time.

You must permit an open range (0.0.0.0/0) in the GCP firewall rules over the TCP/UDP ports you are using to query your database in GCP. To properly secure your database, they recommend using a randomly generated password, stored as an environment variable, at least 32 characters in length, and rotating this password on a regular basis.

Please check the following links for further references.

[1] https://vercel.com/knowledge/how-to-allowlist-deployment-ip-address
[2] https://cloud.google.com/vpc/docs/using-flow-logs#console
[3] https://cloud.google.com/vpc/docs/using-firewall-rules-logging#gcloud
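The three steps in Solution 1 (create a logged firewall rule, read the source IPs out of the firewall logs, and generate/rotate a 32+ character password) as a worked example. This is an added illustration, not code from the question, the answer, Vercel or Google. It does not call gcloud or psql; it builds the gcloud argv, parses log entries in the documented Firewall Rules Logging shape (`jsonPayload.connection`, `jsonPayload.rule_details.reference`), and emits the `ALTER ROLE` statement. The project `my-project`, network `default`, target tag `db-server`, role `api_user`, the env var `DATABASE_PASSWORD` and every log entry are assumptions; the IPs in the sample log are RFC 5737 documentation addresses, not real Vercel egress IPs.

```python
import ipaddress
import os
import secrets
import string
from collections import Counter

# Assumed names, not from the thread.
PROJECT = "my-project"
NETWORK = "default"
TARGET_TAG = "db-server"   # network tag on the Postgres VM
DB_PORT = 5432


def firewall_rule_cmd(name, source_ranges, enable_logging=True):
    """Return the gcloud argv for an ingress ALLOW rule on the DB port.

    Every source range must parse as an IP network: the GCP API rejects
    hostnames, which is why a domain such as "vercel.com" cannot be used.
    """
    for r in source_ranges:
        ipaddress.ip_network(r, strict=False)  # ValueError on a hostname
    argv = [
        "gcloud", "compute", "firewall-rules", "create", name,
        f"--project={PROJECT}", f"--network={NETWORK}",
        "--direction=INGRESS", "--action=ALLOW", f"--rules=tcp:{DB_PORT}",
        f"--source-ranges={','.join(source_ranges)}",
        f"--target-tags={TARGET_TAG}",
    ]
    if enable_logging:
        # Firewall Rules Logging records each connection the rule matches.
        argv += ["--enable-logging", "--logging-metadata=include-all"]
    return argv


def _entry(src_ip, dest_port, rule):
    # Constructed log entry in the shape of Firewall Rules Logging output.
    return {"jsonPayload": {
        "disposition": "ALLOWED",
        "connection": {"src_ip": src_ip, "src_port": 51234, "dest_ip": "10.128.0.2",
                       "dest_port": dest_port, "protocol": 6},
        "rule_details": {"reference": f"network:{NETWORK}/firewall:{rule}"}}}


# Constructed sample: two deployments hitting the temporary DB rule, plus
# noise on SSH and on a different rule that must be filtered out.
SAMPLE_FIREWALL_LOG = [
    _entry("198.51.100.7", 5432, "allow-db-from-vercel-temp"),
    _entry("203.0.113.5", 5432, "allow-db-from-vercel-temp"),
    _entry("198.51.100.7", 5432, "allow-db-from-vercel-temp"),
    _entry("203.0.113.9", 22, "default-allow-ssh"),
    _entry("192.0.2.1", 5432, "allow-db-from-my-ip"),
]


def source_ips_matching(entries, rule_name, dest_port=DB_PORT):
    """Count source IPs that hit rule_name on dest_port.

    Repeated sources are allowlist candidates; if every deployment shows up
    from a new address, the /32 approach will not hold and the answer's
    0.0.0.0/0 plus strong-credential advice applies.
    """
    hits = Counter()
    for entry in entries:
        payload = entry.get("jsonPayload", {})
        conn = payload.get("connection", {})
        ref = payload.get("rule_details", {}).get("reference", "")
        if conn.get("dest_port") != dest_port:
            continue
        if not ref.endswith(f"/firewall:{rule_name}"):
            continue
        hits[conn["src_ip"]] += 1
    return hits


# Letters, digits, '-' and '_': no quoting problems in env files or SQL.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_"


def new_db_password(length=32):
    """Random password of at least 32 characters (the answer's minimum)."""
    if length < 32:
        raise ValueError("password must be at least 32 characters")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def rotate_password_sql(role, password):
    """ALTER ROLE statement for the rotation step; quotes escaped defensively."""
    if not role.isidentifier():
        raise ValueError("unexpected role name")
    escaped = password.replace("'", "''")
    return f"ALTER ROLE {role} WITH PASSWORD '{escaped}';"


if __name__ == "__main__":
    print(" ".join(firewall_rule_cmd("allow-db-from-vercel-temp", ["0.0.0.0/0"])))
    for ip, n in source_ips_matching(SAMPLE_FIREWALL_LOG, "allow-db-from-vercel-temp").most_common():
        print(f"{ip}\t{n} connection(s)")
    os.environ["DATABASE_PASSWORD"] = new_db_password()   # consumed by the API, never logged
    print(rotate_password_sql("api_user", os.environ["DATABASE_PASSWORD"]))
```

Run it once to see the argv for the logged rule and the per-IP counts from the sample log; the `ALTER ROLE` line is what you would run through psql on the VM after the API's environment has been updated, not something to paste into a terminal history.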