Google Cloud Scheduler can be used to hit the HTTP endpoint associated with a Google Cloud Function, so that you can run your function off a timer/scheduler. Cloud Functions have two options for their exposure: (1) Allow all traffic or (2) Allow internal traffic only (only traffic from within the same project or VPC SC perimeter is allowed). I'd like to do the latter, but the scheduler fails to access it with an HTTP 403.
If it is open to all traffic, then it only remains for someone to guess my URL and they can trigger it as much as they wish. Now, of course, I can put authentication into my function and have Scheduler pass an appropriate header, but my function is not dangerous for someone else to trigger. However, if someone else can trigger it, they can call it as much as they want, and even with authentication, it will still incur charges for all those invocations. I want to ensure that no one besides Scheduler (ideally) can even reach the URL, so it is not triggered except on my schedule. Is there some way to make this possible?
According to the official documentation:
Cloud Scheduler overview
Therefore, find the location of your App Engine application by running:
Then make sure that you deploy your Cloud Function with Ingress Settings set to "Allow internal traffic only" in the same location as your App Engine application.
I deployed a Cloud Function in the same region as my App Engine application and everything worked as expected.
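The procedure in the answer above as a script, added here as an example; it is not the answer's own commands. The function name `my-func`, job name `my-func-job`, runtime, cron schedule, project ID and scheduler service account are placeholders. The one non-obvious step is the region name: App Engine reports its two oldest locations as `us-central` and `europe-west`, while Cloud Scheduler and Cloud Functions call them `us-central1` and `europe-west1` (this mapping is documented by Cloud Scheduler); every other location ID is already a regional name. The script keeps `--no-allow-unauthenticated` and has the job send an OIDC token, so a caller inside the perimeter still needs the invoker role on the function.

```shell
#!/bin/sh
# Added example, not from the original answer. Placeholder values:
# my-func, my-func-job, python311, the schedule, my-project and the
# scheduler service account. DRY_RUN=1 (default) prints each gcloud
# command instead of executing it; run with DRY_RUN=0 to deploy.
set -eu

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# Map the App Engine locationId (output of
#   gcloud app describe --format='value(locationId)')
# to the region name Cloud Scheduler and Cloud Functions expect.
region_for_app_location() {
  case "$1" in
    us-central)  echo "us-central1" ;;
    europe-west) echo "europe-west1" ;;
    *)           echo "$1" ;;
  esac
}

# Pre-flight check: the function must live in the scheduler's region,
# otherwise internal-only ingress answers the job with HTTP 403.
regions_match() {
  [ "$(region_for_app_location "$1")" = "$2" ]
}

# Internal-only ingress keeps the URL unreachable from outside the
# project / VPC SC perimeter; --no-allow-unauthenticated additionally
# requires the caller to hold roles/cloudfunctions.invoker.
deploy_function() {
  name="$1"; region="$2"; runtime="$3"; project="$4"
  run gcloud functions deploy "$name" \
    --project="$project" --region="$region" --runtime="$runtime" \
    --trigger-http --ingress-settings=internal-only \
    --no-allow-unauthenticated
}

# Scheduler job in the same region, authenticating with an OIDC token
# minted for the given service account.
create_job() {
  job="$1"; region="$2"; uri="$3"; sa="$4"; project="$5"
  run gcloud scheduler jobs create http "$job" \
    --project="$project" --location="$region" \
    --schedule='*/10 * * * *' --http-method=POST \
    --uri="$uri" --oidc-service-account-email="$sa"
}

# Wire-up. app_location is what `gcloud app describe` reports; it is
# passed in explicitly so the script itself never has to call gcloud.
main() {
  project="$1"; app_location="$2"
  region="$(region_for_app_location "$app_location")"
  regions_match "$app_location" "$region" || exit 1
  deploy_function my-func "$region" python311 "$project"
  create_job my-func-job "$region" \
    "https://${region}-${project}.cloudfunctions.net/my-func" \
    "scheduler@${project}.iam.gserviceaccount.com" "$project"
}

main my-project us-central
```

In dry-run mode the script prints the two `gcloud` commands it would issue so they can be reviewed; the invoker role for the scheduler's service account still has to be granted separately on the function.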