Category
Google Cloud Run Production-Operations Guide (container contract, concurrency and scale-to-zero, request billing vs. instance billing, revisions and traffic splitting, least-privilege service accounts and Secret Manager, Direct VPC egress, cost optimization, tech selection)
Cloud Run is Google's fully managed serverless platform for running code, functions, and containers on Google's infrastructure: you operate containers in production without owning nodes or a cluster. This cluster focuses on what comes after choosing Cloud Run, namely how to build for production. It covers the container contract (listen on 0.0.0.0 on $PORT, finish cleanup within 10 seconds of SIGTERM, hold no instance state, and move heavy work out to Jobs/Workflows); concurrency (default 80, maximum 1000), which sets both unit cost and scale; autoscaling to zero with a 60% utilization target plus min/max instances; cost design that chooses request-based or instance-based billing by utilization; traffic splitting over immutable revision snapshots (canary, then Blue/Green, then instant rollback); startup and liveness probes; a least-privilege service account per service and Secret Manager (environment variable = fixed at instance start, volume = the latest version on each read when the mount references latest), required authentication, and Cloud Armor; Direct VPC egress, which removes the connector's standing cost; and tech selection among Cloud Run, GKE Autopilot, App Engine, and Cloud Run functions. Everything is organized around observability, resilience, idempotency, least privilege, cost efficiency, and testability. The material is grounded in building a major Japanese broadcaster's internal AI platform on GCP as Terraform IaC, running FastAPI, speech synthesis, an OCR pipeline, and a ClamAV malware scanner in production on Cloud Run (services and jobs), and setting up keyless CI/CD with Workload Identity Federation; every explanation uses real code faithful to the Google Cloud official documentation. The cross-cloud counterparts, AWS ECS on Fargate and Azure Container Apps, are covered in adjacent clusters that cross-reference each other.
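As an added example for this index page (not code from any of the linked articles, which use FastAPI and Node), here is the container contract summarized above in plain Python standard library: bind 0.0.0.0 on the port from $PORT, and on SIGTERM stop accepting connections, let in-flight requests finish, and exit inside the 10-second grace period. The /slow route, its 2-second delay, and the 8-second drain deadline are constructed for the demonstration; the 8080 default and the 10-second SIGTERM-to-SIGKILL window are Cloud Run's documented behaviour.

```python
"""Cloud Run container contract in stdlib Python (added example).

  * listen on 0.0.0.0 at the port Cloud Run injects through $PORT (default 8080)
  * on SIGTERM: stop accepting, drain in-flight requests, exit before SIGKILL
  * keep no per-instance state that a later request would depend on
The /slow route and its 2-second sleep are constructed for the demo.
"""
import os
import signal
import sys
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DEFAULT_PORT = 8080        # what Cloud Run uses when PORT is not set
TERM_GRACE_SECONDS = 10    # SIGTERM -> SIGKILL window on Cloud Run


def resolve_port(env):
    """Return the port to listen on from an environment mapping (os.environ).

    Cloud Run sets PORT and the container must listen on exactly that value.
    A non-numeric or out-of-range value is a deployment bug, so fail fast:
    the revision would fail its startup check anyway.
    """
    raw = env.get("PORT")
    if raw is None:
        return DEFAULT_PORT
    try:
        port = int(raw)
    except ValueError:
        raise ValueError(f"PORT is not an integer: {raw!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"PORT out of range: {port}")
    return port


class Handler(BaseHTTPRequestHandler):
    """Stateless handler: nothing is kept between requests."""

    def do_GET(self):
        if self.path == "/slow":
            time.sleep(2)  # simulates an in-flight request during shutdown
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Cloud Run collects stdout/stderr as logs; keep one line per request.
        sys.stdout.write("%s %s\n" % (self.address_string(), fmt % args))
        sys.stdout.flush()


def make_server(port, host="0.0.0.0"):
    """Bind the listener. 0.0.0.0 is mandatory on Cloud Run: a loopback-only
    bind receives no traffic and the revision fails its startup check."""
    return ThreadingHTTPServer((host, port), Handler)


def serve_in_background(server):
    """Run serve_forever() on a worker thread so the main thread is free to
    wait for SIGTERM; shutdown() must never be called from the serving thread."""
    t = threading.Thread(target=server.serve_forever, daemon=True)
    t.start()
    return t


def graceful_shutdown(server, deadline_seconds=TERM_GRACE_SECONDS - 2):
    """Stop accepting, then wait for in-flight handlers, bounded by a deadline.

    shutdown() ends the accept loop; server_close() joins the handler threads
    (ThreadingHTTPServer sets block_on_close=True by default). The join runs on
    a helper thread so a stuck handler cannot carry the process past SIGKILL.
    Returns True if every request drained inside the deadline.
    """
    server.shutdown()
    joiner = threading.Thread(target=server.server_close, daemon=True)
    joiner.start()
    joiner.join(deadline_seconds)
    return not joiner.is_alive()


def main():
    port = resolve_port(os.environ)
    server = make_server(port)
    stop = threading.Event()
    # Cloud Run sends SIGTERM when it scales the instance in or replaces the
    # revision; SIGINT is only there for local Ctrl-C.
    signal.signal(signal.SIGTERM, lambda *_: stop.set())
    signal.signal(signal.SIGINT, lambda *_: stop.set())
    serve_in_background(server)
    print(f"listening on 0.0.0.0:{port}", flush=True)
    stop.wait()
    t0 = time.monotonic()
    drained = graceful_shutdown(server)
    print(f"drained={drained} in {time.monotonic() - t0:.2f}s", flush=True)
    sys.exit(0 if drained else 1)


if __name__ == "__main__":
    main()
```

Run it locally with `PORT=8080 python app.py`, start `curl localhost:8080/slow` in another shell, and send `kill -TERM <pid>` while the request is in flight: the process exits only after the slow response is delivered, and exits non-zero if draining would overrun the grace period. Under uvicorn the same behaviour comes from its built-in SIGTERM handling and `--timeout-graceful-shutdown`; what the contract requires of your code in either case is that handlers are short, idempotent, and never rely on state that dies with the instance.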
7 articles in total
Foundational guide (start here)
Google Cloud Run Production-Operations Guide: Container Contract, Concurrency, Auto-Scale, Deploy, Cost, and Security in Real Code
A Cloud Run production-operations guide faithful to the Google Cloud official documentation. From the container contract (PORT/SIGTERM), concurrency (default 80, max 1000), scale-to-zero, request billing and instance billing, traffic splitting by revisions (Blue/Green, canary), health checks, least-privilege service accounts and Secret Manager, to Direct VPC egress — systematized with real gcloud, Terraform, and FastAPI/Node code.
Related practical articles
- Tags: GCP, Cloud Run, cost optimization, autoscaling, serverless
Cloud Run concurrency, autoscaling, billing model, and cost optimization: conquering scale-to-zero and cold starts in real code
An explanation, faithful to the official spec, of the three factors that determine Cloud Run cost: concurrency (default 80, max 1000), autoscaling (60% utilization target, scale-to-zero), and the billing model (request-based vs. instance-based). It systematizes, with real gcloud/Terraform code, cold-start countermeasures (min instances, startup CPU boost, gen1/gen2, slim images), break-even estimation, and a cost-optimization checklist.
11 min read

- Tags: GCP, Cloud Run, CI/CD, DevOps, Workload Identity
Cloud Run CI/CD: keyless, Blue/Green, and canary in real code with Cloud Build / GitHub Actions × Workload Identity
An implementation guide for building production-quality continuous deployment to Cloud Run. It explains, with real code in cloudbuild.yaml, GitHub Actions, and gcloud: Artifact Registry, when to use Cloud Build vs. GitHub Actions (keyless via Workload Identity Federation), verifying first with --no-traffic plus a tag URL and then canary → Blue/Green → instant rollback, separating DB migrations into a job, and dividing responsibilities with Terraform.
7 min read

- Tags: GCP, Cloud Run, Cloud Workflows, batch processing, idempotency
Cloud Run Jobs and Cloud Workflows: designing long-running batch and parallel processing to be idempotent and resumable
An implementation guide to building processing unsuited to HTTP (batch, long-running jobs, parallel processing) at production quality with Cloud Run Jobs and Cloud Workflows. It explains, in real gcloud/YAML/Python code: sharding with --tasks/--parallelism, splitting work by CLOUD_RUN_TASK_INDEX, idempotent and resumable design with deterministic IDs, cron execution with Cloud Scheduler and event-driven execution with Eventarc, and parallelism, retries, and error handling in Workflows.
8 min read

- Tags: GCP, Cloud Run, security, networking, Cloud Armor
Cloud Run networking and security: defense in depth with Ingress control, IAM auth, Direct VPC egress, and Cloud Armor
An implementation guide for locking down Cloud Run's entrance and exit at production quality. It explains, as defense in depth in real gcloud/Terraform code: Ingress settings (all / internal / internal-and-cloud-load-balancing), service-to-service authentication with IAM (roles/run.invoker, ID tokens), Cloud SQL private-IP connection via Direct VPC egress, Cloud Armor in front of an external load balancer (OWASP WAF rules, rate limiting, adaptive DDoS protection), least-privilege service accounts, and Secret Manager.
8 min read

- Tags: GCP, Cloud Run, troubleshooting, observability, serverless
Cloud Run troubleshooting compendium: causes and fixes for start failures, 503/504, OOM (exit 137), cold starts, and deploy failures
A practical guide to fixing common production Cloud Run errors by cause, quoting the exact official messages. From 'Container failed to start and listen on the port defined by the PORT environment variable,' exit 137 (OOM) from memory overrun, 503 'no available instance,' 504 request timeout, and image-pull permission errors to slow cold starts, it explains each with diagnosis steps and gcloud/code fixes.
7 min read

- Tags: GCP, Cloud Run, GKE, App Engine, serverless
GCP container/compute tech selection: how to choose among Cloud Run / GKE Autopilot / App Engine / Cloud Run functions
A tech-selection guide to decide where to run your code on GCP. It compares Cloud Run, Cloud Run functions (formerly Cloud Functions), App Engine, GKE/GKE Autopilot, and Compute Engine from the official recommendations and a real-operations view. With scale-to-zero, Kubernetes-specific features, the billing model, and migratability as axes, it explains with a decision flowchart and a cross-cloud mapping to AWS/Azure, from both the buyer's and the developer's perspective.
9 min read