A demo application that shows a simple BFF (Backends For Frontends) setup on Cloud Run.
Requests from the BFF go through Serverless VPC Access and your VPC, and reach the Backend APIs internally.
Set your preferred Google Cloud region name.
export REGION_NAME={{REGION_NAME}}
Set your Google Cloud Project ID
export PROJECT_ID={{PROJECT_ID}}
Set your Artifact Registry repository name
export REPO_NAME={{REPO_NAME}}
Set your VPC name
export VPC_NAME={{VPC_NAME}}
Enable Google Cloud APIs
gcloud services enable \
run.googleapis.com \
artifactregistry.googleapis.com \
cloudbuild.googleapis.com \
vpcaccess.googleapis.com \
cloudtrace.googleapis.com
Note: create your own Artifact Registry repository in advance if you don't have one yet.
git clone git@github.com:kazshinohara/simple-bff-demo.git
cd simple-bff-demo/backend
gcloud builds submit --tag ${REGION_NAME}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/backend:v1
cd ../bff
gcloud builds submit --tag ${REGION_NAME}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/bff:v1
Create a subnet in your VPC for the Serverless VPC Access connector.
You can choose your preferred CIDR range, but it must be a /28 that is not used by any other resource.
gcloud compute networks subnets create serverless-subnet-01 \
--network ${VPC_NAME} \
--range 192.168.255.0/28 \
--enable-flow-logs \
--enable-private-ip-google-access \
--region ${REGION_NAME}
Create a Serverless VPC Access Connector.
gcloud compute networks vpc-access connectors create bff-internal \
--region ${REGION_NAME} \
--subnet serverless-subnet-01
Confirm that the connector has been created.
gcloud compute networks vpc-access connectors describe bff-internal \
--region ${REGION_NAME}
Set Cloud Run's base configuration.
gcloud config set run/region ${REGION_NAME}
gcloud config set run/platform managed
Deploy Backend A
gcloud run deploy backend-a \
--image=${REGION_NAME}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/backend:v1 \
--allow-unauthenticated \
--set-env-vars=VERSION=v1,KIND=backend-a \
--ingress internal
Deploy Backend B
gcloud run deploy backend-b \
--image=${REGION_NAME}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/backend:v1 \
--allow-unauthenticated \
--set-env-vars=VERSION=v1,KIND=backend-b \
--ingress internal
Deploy Backend C
gcloud run deploy backend-c \
--image=${REGION_NAME}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/backend:v1 \
--allow-unauthenticated \
--set-env-vars=VERSION=v1,KIND=backend-c \
--ingress internal
Get the URLs of all backends
export BE_A=$(gcloud run services describe backend-a --format json | jq -r '.status.address.url')
export BE_B=$(gcloud run services describe backend-b --format json | jq -r '.status.address.url')
export BE_C=$(gcloud run services describe backend-c --format json | jq -r '.status.address.url')
Deploy BFF
gcloud run deploy bff \
--image=${REGION_NAME}-docker.pkg.dev/${PROJECT_ID}/${REPO_NAME}/bff:v1 \
--allow-unauthenticated \
--set-env-vars=VERSION=v1,KIND=bff,BE_A=${BE_A},BE_B=${BE_B},BE_C=${BE_C} \
--vpc-connector bff-internal \
--vpc-egress all-traffic
Get BFF's URL
export BFF_URL=$(gcloud run services describe bff --format json | jq -r '.status.address.url')
If you see the following output, the BFF is talking to the backends via the connector.
curl -X GET ${BFF_URL}/bff | jq
{
"backend_a_version": "v1",
"backend_b_version": "v1",
"backend_c_version": "v1"
}
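The curl output shows that the path works, but not that the settings behind it are the intended ones: every service is deployed with --allow-unauthenticated, so --ingress internal is the only control in front of the backends, and the BFF's requests count as internal because --vpc-egress all-traffic sends them through the connector. The following is an added example, not part of the original repository, that checks those settings in the JSON from gcloud run services describe. The annotation keys and their defaults are assumptions about how Cloud Run records these flags, and the sample documents are constructed.

```shell
#!/bin/sh
# Added example: audit Cloud Run service JSON for the settings this demo relies on.
# Input: the output of `gcloud run services describe NAME --format json`.
# Assumption: ingress and VPC settings appear as the annotations named below.

# Constructed sample documents, trimmed to the fields that are inspected.
SAMPLE_BACKEND='{"metadata":{"name":"backend-a","annotations":{"run.googleapis.com/ingress":"internal"}}}'
SAMPLE_EXPOSED='{"metadata":{"name":"backend-b","annotations":{}}}'
SAMPLE_BFF='{"spec":{"template":{"metadata":{"annotations":{
  "run.googleapis.com/vpc-access-connector":"bff-internal",
  "run.googleapis.com/vpc-access-egress":"all-traffic"}}}}}'
SAMPLE_BFF_WEAK='{"spec":{"template":{"metadata":{"annotations":{
  "run.googleapis.com/vpc-access-connector":"bff-internal",
  "run.googleapis.com/vpc-access-egress":"private-ranges-only"}}}}}'

# get_ingress JSON: print the ingress setting; a missing annotation means "all".
get_ingress() {
  printf '%s' "$1" | jq -r '.metadata.annotations["run.googleapis.com/ingress"] // "all"'
}

# check_backend JSON: succeed only if the service accepts internal traffic only.
# With --allow-unauthenticated this is the only control in front of the backend.
check_backend() {
  [ "$(get_ingress "$1")" = "internal" ]
}

# check_bff JSON CONNECTOR: succeed only if all egress goes through CONNECTOR.
check_bff() (
  ann='.spec.template.metadata.annotations'
  connector=$(printf '%s' "$1" | jq -r "${ann}[\"run.googleapis.com/vpc-access-connector\"] // \"\"")
  egress=$(printf '%s' "$1" | jq -r "${ann}[\"run.googleapis.com/vpc-access-egress\"] // \"private-ranges-only\"")
  # The connector may be stored as a short name or a full resource path.
  [ "${connector##*/}" = "$2" ] && [ "$egress" = "all-traffic" ]
)

# audit_demo: run both checks against the services deployed above (needs gcloud).
audit_demo() {
  rc=0
  for svc in backend-a backend-b backend-c; do
    check_backend "$(gcloud run services describe "$svc" --format json)" \
      || { echo "FAIL: $svc ingress is not internal"; rc=1; }
  done
  check_bff "$(gcloud run services describe bff --format json)" bff-internal \
    || { echo "FAIL: bff egress does not use bff-internal for all traffic"; rc=1; }
  return "$rc"
}
```

Source the file and run audit_demo after the deployment steps; it prints one FAIL line per service whose settings have drifted and returns non-zero if any check fails.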
Finally, look at the tracing information in the Cloud Console.
This sample application has Cloud Trace integration, so you can see the spans between bff and the backends.