by crashedsnow
2381 days ago
Curious as to why having an external IP/URL is a problem. If you're using almost any cloud service that has an API for administration (e.g. an API to tear down a VM), then is that really different to a public endpoint secured with platform-managed authentication? (which Cloud Run provides). Is it because you need firewall rules?
|
True, a cloud has an API, and that tends to be public rather than private, and that doesn't play well with the above approach.
There are some band-aids for this, such as Google Cloud's VPC service controls, which restrict which clients can access the Cloud API, providing a second layer of defence to IAM.
Personally I find this approach retrograde, because it assigns an element of trust to entities within the perimeter, whereas the BeyondCorp zero-trust approach does not, and plays well with the way public clouds have been designed (public endpoints).