For Cloud Storage, there is currently an open feature request to enable restricting access to Google Cloud Storage by IP address. Since this has been neither confirmed nor implemented yet, a workaround is to use VPC Service Controls, which you can set up by following this documentation.
Another workaround is to set up an HTTPS Load Balancer with your bucket as the backend and a Cloud Armor policy that filters the ingress IP addresses trying to connect to Cloud Storage. This is discussed in another post.
Unfortunately, API Gateway does not support ingress filters such as the "Internal" or "Internal and Cloud Load Balancing" ingress restriction settings. This is API Gateway behavior, as it is not part of the VPC network in which the Cloud Run service is located. You should be able to use the API Gateway as a backend for your Load Balancer, but you will not be able to filter ingress traffic from the Load Balancer by incoming IP, as the ingress restriction is set to "All", which allows all requests, including requests directly from the internet to the run.app URL. A feature request has also been filed for this through this link. An alternative that you can explore would be Identity-Aware Proxy for Cloud Run, as discussed in this document.
To keep track of the status/progress of the feature request(s) mentioned, please follow the respective feature request links and click the "+1" and the star button to get notified about their updates.
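
A sketch of the load balancer workaround described above, as an added example that is not part of the original answer: it registers the bucket as a backend bucket and attaches a Cloud Armor edge security policy that allows only listed source ranges and denies everything else. The resource names and CIDRs are caller-supplied placeholders, and the external HTTPS load balancer (URL map, proxy, forwarding rule) that routes to the backend bucket is assumed to be created separately.

```shell
#!/bin/sh
# Added example: IP allowlist for a bucket served behind an external HTTPS
# load balancer, using a Cloud Armor edge security policy.
# All names and ranges below are supplied by the caller (placeholders).

restrict_bucket_by_ip() {
    [ $# -eq 4 ] || {
        echo "usage: restrict_bucket_by_ip BACKEND_BUCKET GCS_BUCKET POLICY CIDRS" >&2
        return 2
    }
    backend_bucket=$1   # backend bucket resource to create
    gcs_bucket=$2       # existing Cloud Storage bucket
    policy=$3           # Cloud Armor policy to create
    allowed=$4          # comma-separated IPv4/IPv6 CIDRs

    # Refuse anything that is not a plain comma-separated CIDR list.
    case $allowed in
        ''|*[!0-9a-fA-F.:/,]*) echo "invalid CIDR list: $allowed" >&2; return 2 ;;
    esac

    # 1. Expose the bucket as a load balancer backend.
    gcloud compute backend-buckets create "$backend_bucket" \
        --gcs-bucket-name="$gcs_bucket" &&
    # 2. Backend buckets take edge policies, not regular backend policies.
    gcloud compute security-policies create "$policy" \
        --type=CLOUD_ARMOR_EDGE &&
    # 3. Allow the listed source ranges at a priority above the default rule.
    gcloud compute security-policies rules create 1000 \
        --security-policy="$policy" \
        --src-ip-ranges="$allowed" --action=allow &&
    # 4. Switch the default rule (lowest priority) from allow to deny.
    gcloud compute security-policies rules update 2147483647 \
        --security-policy="$policy" --action=deny-403 &&
    # 5. Attach the policy to the backend bucket.
    gcloud compute backend-buckets update "$backend_bucket" \
        --edge-security-policy="$policy"
}

# Run as: sh restrict.sh BACKEND_BUCKET GCS_BUCKET POLICY CIDRS
if [ $# -eq 4 ]; then
    restrict_bucket_by_ip "$@"
fi
```

The policy is evaluated only for requests that arrive through the load balancer, so the bucket's own IAM settings still govern requests made directly to the Cloud Storage endpoint.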