This page shows how to use NGINX as a frontend proxy for your application container. This is useful if you want to process requests or responses. You can add gzip compression, or translate HTTP/2 to HTTP/1 if your application containers supports only HTTP/1 and you need to use HTTP/2 end-to-end for performance reasons.
In the example provided in this page, an Nginx container runs on every Cloud Run instance as the main serving container, and it is configured to forward requests to the application container, which runs as a sidecar container, as shown in this diagram:
The most effective way to do frontend proxying in Cloud Run is to deploy the Nginx server proxy server container and the web app container as a single Cloud Run service:
This single Cloud Run service accepts requests and delivers them to the ingress (serving) container, which
in this case is the proxy server. The proxy server then sends requests to the web app over the localhost
network
interface, which avoids any external network.
Deploying as a single Cloud Run service reduces latencies, service management overhead, and eliminates exposure to external networks. Cloud Run does not directly interact with the sidecar containers, other than to start or stop them whenever the service is started or stopped.
The web app container and any sidecar containers can be written in different programming languages. For a sample written in PHP, see the PHP nginx sample in GitHub.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Verify that billing is enabled for your Google Cloud project .
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Verify that billing is enabled for your Google Cloud project .
-
Enable the Cloud Run and Secret Manager APIs.
- Install and initialize the gcloud CLI .
- Update Google Cloud CLI:
gcloud components update - Configure Google Cloud CLI:
gcloud init - Authenticate with Google Cloud CLI:
gcloud auth login
Permissions required to deploy
You must have ONE of the following:
- Both the Cloud Run Admin and Service Account User roles
- Any custom role that includes this specific list of permissions
Configuration overview
These instructions use prebuilt container images, so the only thing required for frontend proxying is to configure the containers and the service itself.
Configure the Nginx ingress container
The container image is nginx
available at Docker Hub
.
It is mostly ready to use as is, except it needs to be configured to run as a
proxy service, delivering the proxied requests to the port where the sidecar container is
listening on localhost
. The example on this page also enables gzip compression for
requests and responses.
Configuration is provided using a text file mounted
at /etc/nginx/conf.d/nginx.conf
. Because you can't directly edit files in the
container, you must mount a volume at /etc/nginx/conf.d/
that contains
the configuration file. One way to mount a file at a specific location in a
container running on Cloud Run is to store the file content in a
Secret Manager secret, and mount that secret at the selected location.
Copy the following in a file named nginx.conf
on the current directory of your local machine.
In the configuration, do the following:
- Assign
nginxto listen at the same Cloud Run default port8080, located onlocalhost. - Apply gzip compression for performance enhancement.
- Instruct
proxy_passto deliver any requests to this ingress container to the web app sidecar container at localhost port8888.
Create a secret with the content of the nginx.conf
file.
Console
-
Go to the Secret Managerpage of the Google Cloud console:
-
Click Create secret.
-
In the
nameform field, enter nginx_config. -
Upload the
nginx.conffile located atmulti-container/hello-nginx-sample/nginx.confas the secret value. -
Keep the defaults (
Google-owned and Google-managed encryption key, etc). -
Click Create secret.
-
Grant the project compute service account access to this new secret. To do this, go to the IAMpage in the Google Cloud console:
-
Locate the principal service account with name:
Compute Engine default service accountand click Edit principal. -
Click Add another roleand select Secret Manager Secret Accessor.
-
Click Save.
gcloud
-
In a terminal, use the following command to create a new
nginx_configsecret in Secret Manager:gcloud secrets create nginx_config --replication-policy = 'automatic' --data-file = './nginx.conf'
-
Grant the project compute service account access to this new secret using the command
export PROJECT_NUMBER = $( gcloud projects describe $( gcloud config get-value project ) --format = 'value(projectNumber)' ) gcloud secrets add-iam-policy-binding nginx_config --member = serviceAccount: $PROJECT_NUMBER -compute@developer.gserviceaccount.com --role = 'roles/secretmanager.secretAccessor'
-
Verify that your secret was created by running
gcloud secrets list.
About the web app sidecar sample image
These instructions use the sample container image at us-docker.pkg.dev/cloudrun/container/hello
. You need to
specify the port number the container will listen on and localhost
as the host, as described under Specify sidecar container configuration
, as described in the following sections.
Configure the multi-container service
You can use the Google Cloud console or the Cloud Run YAML file to configure a Cloud Run service with more than one container.
In the service configuration, specify the Nginx proxy server as ingress (serving) container, the port it will listen on, whether it accepts HTTP 1 or HTTP 2 requests, and the container start order. The ingress container (proxy server) depends on the web app sidecar, so the web app sidecar must be started first.
These configurations are shown in the next few sections.
Add YAML metadata
Console
Navigate to Deploy the service for the full console instructions.
YAML
-
If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration :
gcloud run services describe SERVICE --format export > service.yaml
-
In
service.yaml, add the following:
The section describes the revision of the service, which includes properties that could vary from revision to revision.
Specify container start-up order
Console
Navigate to Deploy the service for the full console instructions.
YAML
In service.yaml
, append the following:
Note the container-dependencies
annotation that tells Cloud Run to wait for the hello container to start up
before starting the nginx container. Otherwise, if the nginx container starts first, it could try to proxy a web request to the web app container that isn't ready, which would generate web error responses.
Each container can optionally have a name property defined for it, that can be used to refer to it in other directives.
The serving container runs the proxy server, named nginx
. This is the container that Cloud Run delivers incoming requests to
so you must specify the version of HTTP
and container port to deliver them to.
Specify serving container configuration
Console
Navigate to Deploy the service for the full console instructions.
YAML
In service.yaml
file, append the following:
The nginx
server requires a configuration file in the /etc/nginx/conf.d/
directory. To do this, mount a volume containing the file at that location. The volumeMount
section specifies a volume called configuration
to be placed there. The volume itself is defined in its own section later in the file.
Specify sidecar container configuration
Console
Navigate to Deploy the service for the full console instructions.
YAML
In service.yaml
, append the following:
The hello
application also needs configuration information. It listens for incoming requests at the port specified in the PORT
environment variable. That name and value are specified in the env
section.
Specify the secret volume
Console
Navigate to Deploy the service for the full console instructions.
YAML
In service.yaml
file, append the following:
Specify the configuration volume
mounted in the volumeMount
section. It contains a single file called nginx.conf
whose contents are defined
as the value of the secret named nginx-conf-secret
.
Deploy the service
Console
-
Go to the Cloud Runpage in the Google Cloud console:
-
Select Servicesfrom the menu, and click Deploy containerto display the Create serviceform.
- Select Deploy one revision from an existing container imageand enter
nginxas Container image URL. - In the Service namefield, supply a name for your service, for example,
hello-mc. - From the Regionlist, select a location to deploy to, for example,
us-west1. - Under Authentication, select Allow public access. If you don't have permissions (Cloud Run Admin role) to select this, the service will deploy and require authentication.
- Select Deploy one revision from an existing container imageand enter
-
Click Container(s), Volumes, Networking, Securityto expand the configuration form.
- Click the Volumestab.
- Click Add volume.
- From the Volume typelist, select Secret.
- In the Volume namefield, enter
nginx-conf-secret. - In the Secretfield, enter nginx_config.
- Under Specified paths for secret versions, specify default.confas the path and latestas the version.
- Click Createto create the secret volume.
-
Click the Containerstab to display the Edit containerform.
- Click Settings, then under Resources, change memory to 256MiBand CPU to 1 CPU.
- Click Volume mounts.
- Click Mount volume.
- Select nginx-conf-secretfrom the name list.
- For Mount path, enter etc/nginx/conf.d.
- Click Doneto complete configuration for the first container.
-
Click Add containerto add the sidecar container and display the New containerform.
- Select the default container image URL us-docker.pkg.dev/cloudrun/container/hello
- Click the Settingstab, then under Resources, change memory to 256MiBand CPU to 1 CPU.
- Click Variables & Secrets.
- Click Add variable.
- Enter PORTas the new environment variable name and 8888as the value.
- Click Done.
-
Navigate to the Edit containerform for the first container (
nginx).- Click the Settingstab.
- Under Container start up order, select
nginxfrom the Depends onlist. This means thenginxcontainer starts up only after thehellocontainer starts up successfully. - Click Createand wait for your service to deploy.
YAML
To deploy the proxy server container and web app container as a single service:
gcloud run services replace service.yaml
Verify the deployed service
To verify successful deployment copy the generated Cloud Run URL and open it in a browser, or use this command to send an authenticated request:
curl --header "Authorization: Bearer $( gcloud auth print-identity-token ) " SERVICE_URL
You should be greeted with a nginx proxy that
has successfully ported to the hello sidecar container with
response status 200
.
Try this yourself
To follow along with this tutorial:
gcloud
-
In a terminal, clone the sample app repository to your local machine:
git clone https://github.com/GoogleCloudPlatform/cloud-run-samples
-
Change to the directory that contains the Cloud Run sample code:
cd cloud-run-samples/multi-container/hello-nginx-sample/
What's next
To explore more about using sidecars in a Cloud Run service:
