The simplest way to make Cloud Run HAProxy work like it should

You have a perfectly tuned service running on Cloud Run, until traffic spikes and things get… unpredictable. Requests queue, connections drop, and you start explaining to your SRE why “serverless” still needs a proxy. That’s when Cloud Run HAProxy stops being a curiosity and becomes a necessity.

Cloud Run abstracts away servers, but not networking. HAProxy, on the other hand, lives for it. It’s a fast, configurable load balancer built for routing precision and high availability. Pairing the two gives you control where Cloud Run hides it. You get predictable connection handling, smarter routing, and tighter security boundaries without managing compute nodes yourself.

How the integration actually works

Think of Cloud Run HAProxy as a relay. Incoming requests hit HAProxy first. It terminates TLS, applies routing rules, sets request limits, then forwards clean traffic to one or more Cloud Run revisions. Identity-aware proxies or IAM-bound connections stay intact because Cloud Run handles the last hop with Google’s own auth layer. The result is a workflow with control at the edge and elasticity at the core.

If you’re using HAProxy in front of multiple Cloud Run services, configure backends for each service URL and use dynamic DNS resolution. That way, scaling events in Cloud Run never break your load balancer. Use health checks that align with Cloud Run’s concurrency model to avoid false negatives during cold starts.

Best practices that save pain later

  • Always terminate SSL at HAProxy, then re-encrypt to Cloud Run if compliance demands it.
  • Cache DNS aggressively but not blindly. Refreshing every 30 seconds catches revision shifts.
  • Keep config files small and versioned. Over‑templating leads to debugging purgatory.
  • Audit your auth layer regularly. OIDC or identity tokens work, but stale keys do not.
  • Use metrics from both HAProxy and Cloud Run to tune concurrency and latency thresholds jointly.
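A minimal `haproxy.cfg` that puts the relay described under "How the integration actually works" and the practices above into one file: TLS termination at the edge, a per-client request limit, one backend per Cloud Run service URL, runtime DNS resolution, re-encryption to Cloud Run, and health checks that tolerate cold starts. This is an added example, not a configuration from hoop.dev or Google; the `*-PLACEHOLDER.a.run.app` hostnames, the certificate paths, the `/health` path and the numeric limits are assumptions to replace with your own.

```haproxy
# Added example: hostnames, certificate paths, /health and the limits are placeholders.
global
    log stdout format raw local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

resolvers clouddns
    parse-resolv-conf               # use the nameservers from /etc/resolv.conf
    hold valid 30s                  # how long a valid answer is kept (30 s, per the list above)
    resolve_retries 3
    timeout resolve 1s
    timeout retry 1s

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 60s
    timeout check 10s               # leave room for a cold start before a check counts as failed
    # Re-encrypt to Cloud Run, verify its certificate, resolve names at runtime,
    # and require 3 missed checks (30 s apart) before marking a server down.
    default-server ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt resolvers clouddns init-addr last,libc,none check inter 30s fall 3 rise 2

frontend edge
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    # Request limit: at most 100 requests per 10 s per client address
    stick-table type ip size 100k expire 10m store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    use_backend run_api if { path_beg /api/ }
    default_backend run_web

backend run_api
    # Cloud Run routes on the Host header, so send the service's own hostname
    http-request set-header Host api-PLACEHOLDER.a.run.app
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr Host api-PLACEHOLDER.a.run.app
    server api api-PLACEHOLDER.a.run.app:443 sni str(api-PLACEHOLDER.a.run.app) check-sni api-PLACEHOLDER.a.run.app

backend run_web
    http-request set-header Host web-PLACEHOLDER.a.run.app
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr Host web-PLACEHOLDER.a.run.app
    server web web-PLACEHOLDER.a.run.app:443 sni str(web-PLACEHOLDER.a.run.app) check-sni web-PLACEHOLDER.a.run.app
```

Validate the file with `haproxy -c -f haproxy.cfg` before each deploy so a broken config fails in CI rather than at the edge.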

Why teams care about Cloud Run HAProxy

  • Reliable load balancing across ephemeral containers.
  • Lower latency on first byte and TLS handshake.
  • Clearer observability data via unified logs and counters.
  • Simplified rollout control using header-based routing.
  • Stronger security boundaries between external clients and Cloud Run endpoints.

Developers love it because it flattens the ops curve. You stop wrestling with per‑service networking quirks and start shipping features faster. CI/CD pipelines can redeploy HAProxy configs with every environment, keeping traffic policy in code. Debugging also gets easier since HAProxy’s logs show exactly where a request died, not just that it disappeared.

Platforms like hoop.dev turn those access rules into guardrails that enforce policy automatically. Instead of managing proxy configs by hand, you define intent once and let identity, context, and least privilege rules flow through every service call. It keeps the humans happy and the auditors calmer.

Quick answer: how do I secure Cloud Run HAProxy endpoints?

Use mutual TLS, scoped identity tokens, and IAM conditional policies to limit who can hit backend URLs. This combination creates a zero‑trust perimeter around services exposed through HAProxy while preserving Cloud Run’s managed infrastructure benefits.

Cloud Run HAProxy is not just a workaround for missing knobs. It’s a clean pattern for anyone who wants serverless without surrendering control.

See an Environment Agnostic Identity-Aware Proxy in action with hoop.dev. Deploy it, connect your identity provider, and watch it protect your endpoints everywhere—live in minutes.
