I created a Redis instance using https://console.cloud.google.com/launcher/details/bitnami-launchpad/redis-ha
and the network interface is:
I'm trying to connect to this Redis instance from a Firebase trigger.
The question is: what firewall rule do I need to connect from a cloud function to a compute instance?
Please provide as many details as possible, e.g. IP ranges, ingress/egress, etc., and whether I have to connect the Redis client to the instance on the internal IP or the external IP.
This is the code:
```js
const redis = require('redis');
let redisInstance = redis.createClient({
  /* surely external IP needn't be used
     here as it's all GCP infra? */
  host: '10.1.2.3',
  port: 6379
})
redisInstance.on('connect', () => {
  console.log(`connected`);
});
redisInstance.on('error', (err) => {
  console.log(`Connection error ${err}`);
});
```
The error in the log is:
```
Connection error Error: Redis connection to 10.1.2.3:6379 failed - connect ETIMEDOUT 10.1.2.3:6379
```
I've looked at "Google Cloud Function cannot connect to Redis" but it's not specific enough about the options when setting up a rule.
What I've tried
I tried to set up a firewall rule with these settings:
- ingress
- network: default
- source filter: my firebase service account
- protocols/ports: all
- targets: all
Just a note about the service account:
- created by Firebase
- has the Editor role in IAM
- is known to work with BigQuery and other Firebase services from my Firebase triggers
This same firewall rule has been in effect for a few hours now, and I've also redeployed the trigger which tests Redis, but I'm still getting ETIMEDOUT.
UPDATES
2018-06-25 morning
I phoned GCP Gold support and the problem isn't obvious to the operator, so they'll open a case, investigate, and leave some notes.
2018-06-25 afternoon
Using a permissive firewall rule (source `0.0.0.0/0`, destination "all targets") and connecting to the Redis instance's external IP address works (of course!). However, I mentioned many times on the phone call that I don't want the Redis instance to be open to the Internet, and asked if there's some sort of solution involving a networking bridge/VPN so I can connect to the `10.x.x.x` address from the Cloud Function.
The operator said they'll get back to me in 2 days.
2018-06-25 bit later in the afternoon
I've self-answered that it doesn't seem to be possible to connect to a Compute Engine internal IP from a cloud function.
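
Added example, not part of the original post: a check that flags firewall rules like the temporary `0.0.0.0/0` rule from the update above, so a test rule that exposes Redis port 6379 to the Internet is not left in place. It assumes the rule objects have the shape printed by `gcloud compute firewall-rules list --format=json`; the function names and sample rules are made up for illustration.

```javascript
// Added example: flags GCP firewall rules that expose the Redis port to any source.
// Input shape is assumed to match `gcloud compute firewall-rules list --format=json`.
const REDIS_PORT = 6379;

// True if a port spec such as "6379" or "6000-7000" covers `port`.
function portSpecCovers(spec, port) {
  const [lo, hi = lo] = String(spec).split('-').map(Number);
  return port >= lo && port <= hi;
}

// True if one `allowed` entry permits TCP traffic to `port`.
function allowsTcpPort(entry, port) {
  const proto = String(entry.IPProtocol).toLowerCase();
  if (proto === 'all') return true;
  if (proto !== 'tcp' && proto !== '6') return false;
  // No `ports` list means every port of that protocol is allowed.
  if (!entry.ports || entry.ports.length === 0) return true;
  return entry.ports.some((spec) => portSpecCovers(spec, port));
}

// Names of enabled ingress rules that let any IPv4 source reach `port`.
function findInternetExposed(rules, port = REDIS_PORT) {
  return rules
    .filter((r) => r.direction === 'INGRESS' && !r.disabled)
    .filter((r) => (r.sourceRanges || []).includes('0.0.0.0/0'))
    .filter((r) => (r.allowed || []).some((e) => allowsTcpPort(e, port)))
    .map((r) => r.name);
}

// Constructed sample rules (names are hypothetical).
const sampleRules = [
  { name: 'temp-allow-all', direction: 'INGRESS', sourceRanges: ['0.0.0.0/0'],
    allowed: [{ IPProtocol: 'all' }] },
  { name: 'redis-internal', direction: 'INGRESS', sourceRanges: ['10.0.0.0/8'],
    allowed: [{ IPProtocol: 'tcp', ports: ['6379'] }] },
  { name: 'web', direction: 'INGRESS', sourceRanges: ['0.0.0.0/0'],
    allowed: [{ IPProtocol: 'tcp', ports: ['80', '443'] }] },
  { name: 'wide-range', direction: 'INGRESS', sourceRanges: ['0.0.0.0/0'],
    allowed: [{ IPProtocol: 'tcp', ports: ['6000-7000'] }] },
  { name: 'old-open-redis', direction: 'INGRESS', disabled: true,
    sourceRanges: ['0.0.0.0/0'], allowed: [{ IPProtocol: 'tcp', ports: ['6379'] }] },
];

console.log(findInternetExposed(sampleRules));
```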