.. _2026-04-27-cloud-function-security-hardening_release:

=================================================================================
2026-04-27 - Cloud Functions Locked Down to Internal Traffic Only
=================================================================================

Release
==================
AgileData.io - Tighter Infrastructure Security: Backend Functions No Longer Publicly Reachable

Our backend Cloud Functions are now restricted to internal Google Cloud traffic only. They are exclusively triggered by internal Pub/Sub messages. This significantly reduces the attack surface of our processing infrastructure.

Previously, Cloud Functions were reachable via HTTPS endpoints, which required careful authentication controls to prevent abuse. By removing the public endpoint entirely and routing all invocations through Google Cloud Pub/Sub (an internal Google network service), we've eliminated that exposure at the infrastructure level rather than relying solely on application-layer checks. Eventarc triggers are also now restricted to internal ingress with enforced HTTPS, closing any remaining external access paths.

This change is entirely behind the scenes — it has no impact on how AgileData behaves from your perspective. Data processing continues to work exactly as before, just through a more secure internal pathway.

**What's New:**

* Cloud Functions restricted to internal ingress only — no public HTTPS endpoints
* All function invocations routed exclusively through internal Pub/Sub messages
* Eventarc triggers enforced to use internal ingress with HTTPS
* Default URL flag explicitly enabled to maintain correct internal routing

**What this means for you:**

* Stronger infrastructure security with no change to platform behaviour
* Reduced attack surface for backend processing workloads
* Compliance-friendly architecture that follows the principle of least exposure

Last Refreshed
===========================
*Doc Refreshed: 2026-04-27*