Introduction

A GCP Cloud Run service can be deployed successfully and still remain unreachable if traffic is blocked before it reaches the active revision. In most cases, the break happens at the edge of the service: ingress restrictions, IAM authentication, broken custom domain mapping, or a load balancer and serverless NEG that no longer point to the right backend.

Symptoms

  • Requests to the Cloud Run URL or custom domain return 403, 404, 502, or connection failures.
  • The service appears deployed, but users cannot reach it from the browser or API client.
  • Internal callers work while public traffic fails, or public traffic works while internal callers fail.
  • A recent revision was deployed, but the service URL now routes incorrectly or times out.
  • Load balancer logs show backend failures even though the container starts successfully.

Common Causes

  • Cloud Run ingress is restricted to internal traffic only, or to internal traffic plus Cloud Load Balancing.
  • The caller lacks Cloud Run Invoker permission and the service still requires authentication.
  • The custom domain mapping, DNS records, or managed certificate status is incomplete.
  • The listening port in the container does not match the PORT expected by Cloud Run.
  • The active revision fails startup probes, crashes quickly, or never becomes ready.
  • A load balancer, serverless NEG, or URL map points to the wrong backend service or outdated revision path.

Step-by-Step Fix

  1. Start with the exact failing entry point: default run.app URL, custom domain, or external load balancer endpoint. Determine whether all entry points fail or only one of them does.
  2. Check the Cloud Run service ingress setting. If the service should be publicly reachable, ensure ingress is not restricted in a way that blocks the callers you expect.
  3. Review authentication settings. If unauthenticated access is intended, verify the service allows it. If authentication is required, confirm the caller has the right IAM role and is sending valid identity tokens.
  4. Inspect the latest revision status and logs. Look for container startup failures, crashes, port binding issues, or readiness problems that would prevent the revision from serving traffic.
  5. Confirm the application listens on the PORT environment variable provided by Cloud Run. Hardcoded ports are a common reason a healthy deployment never becomes reachable.
  6. If you use a custom domain, verify domain mapping status, DNS records, certificate provisioning, and whether the domain resolves to the expected front end.
  7. If traffic goes through an external HTTP(S) load balancer, validate the serverless NEG, backend service, URL map, and host/path rules. Make sure requests actually route to the intended Cloud Run service.
  8. Reproduce the request with curl or a browser using the same host header and authentication path as production traffic. This helps separate Cloud Run service issues from edge routing problems.
  9. After fixing the misconfiguration, deploy or promote the corrected revision if needed and confirm the service returns healthy responses on the intended endpoint.
  10. Finish by checking Cloud Logging, load balancer logs, and a real user flow so you know the recovery worked end to end.
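
The ingress, IAM, and revision checks from steps 2 to 4 can be run offline against saved `gcloud` JSON output. The sketch below is an added example, not tooling from Google or from this guide; the sample data is constructed, and the `triage` function and its `via` labels are assumptions made for illustration.

```python
import json

# Constructed sample, trimmed; shape of `gcloud run services describe SERVICE --format=json`.
SAMPLE_SERVICE = json.loads("""{
  "metadata": {"name": "demo-api",
               "annotations": {"run.googleapis.com/ingress": "internal"}},
  "status": {"latestCreatedRevisionName": "demo-api-00007-abc",
             "latestReadyRevisionName": "demo-api-00006-xyz",
             "conditions": [{"type": "Ready", "status": "False",
                             "message": "constructed: container did not listen on PORT"}]}
}""")
# Constructed sample; shape of `gcloud run services get-iam-policy SERVICE --format=json`.
SAMPLE_POLICY = {"bindings": [{
    "role": "roles/run.invoker",
    "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]}]}

# Entry paths each ingress value admits (the path labels are invented for this example).
INGRESS_ALLOWS = {
    "all": {"internet", "external-lb", "internal"},
    "internal-and-cloud-load-balancing": {"external-lb", "internal"},
    "internal": {"internal"},
}

def triage(service, policy, caller, via):
    """Return a list of findings for one caller ('allUsers' = anonymous) and entry path."""
    findings = []
    ingress = service["metadata"].get("annotations", {}).get(
        "run.googleapis.com/ingress", "all")
    if via not in INGRESS_ALLOWS.get(ingress, set()):
        findings.append(f"ingress={ingress} blocks traffic arriving via {via}")
    # Only service-level bindings are visible here, not inherited or group-granted roles.
    invokers = {m for b in policy.get("bindings", [])
                if b["role"] == "roles/run.invoker" for m in b["members"]}
    accepted = {caller, "allUsers"}
    if caller != "allUsers":
        accepted.add("allAuthenticatedUsers")
    if not invokers & accepted:
        findings.append(f"{caller} has no roles/run.invoker binding on the service")
    status = service.get("status", {})
    for cond in status.get("conditions", []):
        if cond["type"] == "Ready" and cond["status"] != "True":
            findings.append("service not Ready: " + cond.get("message", "no message"))
    if status.get("latestCreatedRevisionName") != status.get("latestReadyRevisionName"):
        findings.append("latest created revision is not the latest ready revision")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_SERVICE, SAMPLE_POLICY, "allUsers", "internet"):
        print("-", line)
```

An empty result means none of these three layers explains the failure, which points toward the domain mapping or load balancer checks in steps 6 and 7.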