Anypoint Flex Gateway is a fast, lightweight API gateway designed to manage and secure APIs running anywhere. One option for deployment is Google Cloud Run, Google’s serverless container environment.
Reasons to use Google Cloud Run as your deployment environment:
- Autoscaling without Kubernetes – less technical expertise required
- Cost savings with autoscaling down to the minimum required compute
- Easy deployment environment
- Minimize latency and spin up worldwide instances easily
- Scale to zero in non-prod environments
Reasons you might not want to use Cloud Run:
- Cold starts: If you let Cloud Run do autoscaling with defaults, it’s likely you’ll hit a cold start
Step-by-step deployment guide for MuleSoft Flex Gateway on Google Cloud Run
Going through this step-by-step guide, we make the following assumptions:
- You have an Anypoint Platform account
- You have a Google Cloud account
- You have access in your Google Cloud account to Cloud Run and Secret Manager
You’re going to set up a Flex Gateway replica in Google Cloud Run, reading the config file from Google Secret Manager. It will be a “hello-world”-style experience.
1. Set up Google Cloud Platform
We assume you have a Google Cloud Platform account. If you don’t, get started before moving through this guide. Once you’re logged in, add a credit card for billing and create a project.
2. Install gcloud CLI
In short, download the files, install them, and run “gcloud init”. Then log into your account and pick your project. For more detailed instructions, view the installation doc on Google.
3. Set up MuleSoft Flex Gateway configuration file
Anypoint Platform >> Runtime Manager >> Flex Gateways >> Add Gateway >> Container >> Docker
Run the second command with your <gateway-name>. This will generate a registration.yaml file in your folder.
This is a necessary config file for starting up Flex Gateway. Connected=true (connected mode) means you’re managing the APIs through Anypoint Platform and Connected=false (local mode) means you’re managing the APIs on your own (likely through Kubernetes in config files). You can also use local mode for locally testing custom policies.
```bash
docker run --entrypoint flexctl -u $UID \
-v "$(pwd)":/registration mulesoft/flex-gateway \
registration create --organization=[your orgId] \
--token=[your token] \
--output-directory=/registration \
--connected=true \
<gateway-name>
```
4. Use GCP Secrets to mount the registration.yaml file
First you save the file in GCP Secret Manager, then later you mount the config as a secret at runtime. This is how you’ll achieve the plain Docker equivalent of mounting the registration.yaml file as a volume.
Save the registration.yaml file as a secret
- The data file can be given as a relative or a full path
```bash
gcloud secrets create registration-yaml --data-file=registration.yaml
```
- When prompted, enable the Secret Manager API
```text
API [secretmanager.googleapis.com] not enabled on project [proj-name]. Would you like to enable and retry (this will take a few minutes)? (y/N)? y
Enabling service [secretmanager.googleapis.com] on project [proj-name]...
Operation "operations/acat.p2-1021468383212-ec256812-4aa9-4983-889c-43c746dd7f41" finished successfully.
Created version [1] of the secret [registration-yaml].
```
Grant Secret Manager permissions to Cloud Run service account
Save your service account email to the environment variable SERVICE_ACCOUNT
```bash
export SERVICE_ACCOUNT="[id]-compute@developer.gserviceaccount.com"
```
Grant the Secret Manager Secret Accessor role (replace thingwin-com3 with your own project ID)
```bash
gcloud projects add-iam-policy-binding thingwin-com3 \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role="roles/secretmanager.secretAccessor"
```
Verify the permissions
```bash
gcloud projects get-iam-policy thingwin-com3 \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:$SERVICE_ACCOUNT"
```
Upon success, you should see something like this:
```text
ROLE
roles/editor
roles/secretmanager.secretAccessor
```
5. Run the command to build and deploy Flex Gateway
Note the flag --allow-unauthenticated, which means the endpoint is publicly available. When you run it in production, you can protect your Cloud Run hosted Flex Gateway with authentication at the Cloud Run level and also protect your apps behind Flex Gateway with authentication via policies on Flex Gateway.
Using these default settings you have a 1vCPU 512MB RAM container deployed in the Sydney, Australia region, exposing port 8081 with a minimum of one instance running.
512MB RAM is the minimum required to run a Flex Gateway. In this test, we tried 256MB, and it would get Out of Memory errors. Cloud Run is a “serverless” offering that turns off (times out) after 15 minutes (900 secs) by default. If the container turns off, then Anypoint Platform won’t think it’s online and you won’t be able to use it or configure policies on it.
If it turns off, visit your endpoint to start the Flex Gateway again, but it doesn’t make sense for a high performance gateway to turn off at any time, so you might only let it turn off for non-prod environments.
```bash
gcloud run deploy <cloud-run-gateway-name> \
--image docker.io/mulesoft/flex-gateway:latest \
--set-secrets=/usr/local/share/mulesoft/flex-gateway/conf.d/registration.yaml=registration-yaml:latest \
--allow-unauthenticated \
--region australia-southeast1 \
--min-instances 1 \
--port 8081
```
The deployment will be stuck in a restart loop because Cloud Run’s health check is a TCP probe to the port you specified. In this case, it’s 8081. Flex Gateway doesn’t start listening on any particular port until a policy gets passed to it. So your Cloud Run instance won’t get the tick of success yet. Don’t worry, you’ll run the next steps and get it unstuck.
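A least-privilege variant of steps 4 and 5, added here as an example and not taken from MuleSoft's or Google's documentation: the verify output above shows the default compute service account also holding roles/editor, so this version runs the gateway under a dedicated service account, grants the accessor role on the registration-yaml secret only, and pins a numeric secret version. The account name flex-gateway-run, the function names and the DRY_RUN switch are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Assumed names: flex-gateway-run, run(), deploy_least_privilege(), DRY_RUN.

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# usage: deploy_least_privilege <project-id> <cloud-run-service> <secret-version>
deploy_least_privilege() {
  project="$1"; service="$2"; version="$3"
  sa_name="flex-gateway-run"
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
  secret="registration-yaml"
  mount="/usr/local/share/mulesoft/flex-gateway/conf.d/registration.yaml"

  # Require a numeric version: "latest" follows whatever version is newest,
  # so a change to the secret would reach the gateway without a deploy.
  case "$version" in
    ''|*[!0-9]*) echo "secret version must be a number" >&2; return 2 ;;
  esac

  # 1. Dedicated identity instead of the default compute service account.
  #    (create fails if the account already exists; skip it on re-runs)
  run gcloud iam service-accounts create "$sa_name" --project "$project" \
    --display-name "Flex Gateway on Cloud Run" || return 1

  # 2. Accessor role on this one secret, not on every secret in the project.
  run gcloud secrets add-iam-policy-binding "$secret" --project "$project" \
    --member "serviceAccount:${sa_email}" \
    --role roles/secretmanager.secretAccessor || return 1

  # 3. Same deploy as step 5, plus --service-account and a pinned version.
  run gcloud run deploy "$service" --project "$project" \
    --image docker.io/mulesoft/flex-gateway:latest \
    --service-account "$sa_email" \
    --set-secrets "${mount}=${secret}:${version}" \
    --allow-unauthenticated \
    --region australia-southeast1 --min-instances 1 --port 8081
}

# Preview the three commands without touching the project (constructed values):
#   DRY_RUN=1 deploy_least_privilege my-project flexgw 1
```

With a pinned version, rotating the registration means adding a new secret version and redeploying with its number.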
6. Set up an API to manage in Anypoint Platform
Anypoint Platform >> API Manager >> Add API >> Add new API >> Select Flex Gateway Runtime >> Pick the gateway name we just set up >> Next
Create a new API – we’re going to use the catfacts API.
Configure Downstream
The port must match the port you expose in Cloud Run, in this case 8081. We’ll use /cf as the base path. The base path determines the path used to access that particular API. For example, if we want to protect multiple APIs with one Flex Gateway, the logical way to do it is via base path: say /app1, /app2 and /app3 to protect 3 separate apps with Flex Gateway. Each API to protect will have its own base path.
Configure Upstream
The Upstream URL is the only field that’s required. Here it’s the free cat facts API, but you’ll put your own endpoint here.
Then at the Review page, Save and Deploy.
7. Apply a Policy
As soon as you apply a policy, you’ll see your Cloud Run instance get the tick of success. Pick something simple like rate limiting and set it as you like.
Here are 20 out-of-the-box policies to help you on your way. You can also create custom policies as required.
You’re now ready to use Flex Gateway on Google Cloud Run.
Testing and verifying the deployment
Google Cloud Run serves your app via HTTP and HTTPS on the standard ports 80 and 443, so you can test via the API endpoint that Cloud Run gives you plus the base path that you set up in Anypoint API Manager.
Example working endpoint
```bash
curl https://flexgw-cloud-run2-[id].australia-southeast1.run.app/cf/
```
Take note of the trailing slash: Flex Gateway requires a trailing slash for all endpoints.
Manage and secure your APIs
Deploying MuleSoft Flex Gateway on Google Cloud Run offers a streamlined path to managing and securing your APIs without the complexity of Kubernetes infrastructure. Your organization can benefit from Cloud Run’s auto-scaling capabilities and cost-effective compute resources while maintaining robust API management through Anypoint Platform.
While cold starts may present a consideration for your use case, the tradeoff between simplicity and startup time might be worthwhile for many business scenarios. The step-by-step deployment process you’ve learned here enables you to:
- Leverage serverless architecture for your API gateway
- Maintain secure configuration through Google Secret Manager
- Scale your API management infrastructure automatically
- Reduce operational overhead compared to traditional deployments
To learn more, check out the following resources:
- Install Google Cloud CLI
- Get started with MuleSoft Flex Gateway