Google Cloud Run Deployment Guide
Deploy AIProxyGuard on Google Cloud Run as an LLM security proxy.
| Option | Best For |
|---|---|
| 1. One-Click Deploy | Quick start |
| 2. Cloud Console | Visual interface, more control |
| 3. gcloud CLI | Automation, CI/CD |
Option 1: One-Click Deploy (Easiest)
- Click the button above
- Select your Google Cloud project
- Choose a region
- Click Deploy
- Wait for deployment (~2-3 minutes)
Once deployed, copy your service URL and test:
curl https://aiproxyguard-xxxxx-uc.a.run.app/healthz
Want fleet management? After deployment, add the control plane environment variables. See Connect to Control Plane for details.
Option 2: Cloud Console
Deploy using the Google Cloud Console web interface.
Step 1: Create Service
- Go to console.cloud.google.com/run
- Click Create Service
Step 2: Configure Container
- Select Deploy one revision from an existing container image
- Container image URL:
ghcr.io/ainvirion/aiproxyguard:latest
Docker Hub alternative: Use
docker.io/ainvirion/aiproxyguard:latest
Step 3: Configure Service
- Service name:
aiproxyguard - Region: Select closest to your apps (e.g.,
us-central1) - CPU allocation: CPU is only allocated during request processing (recommended for cost savings)
Step 4: Configure Authentication
- Under Authentication, select Allow unauthenticated invocations
Step 5: Container Settings
Click Container, Networking, Security to expand, then:
- Container port:
8080 - Memory:
512 MiB(can increase if needed) - CPU:
1 - Request timeout:
300seconds - Maximum concurrent requests per instance:
80
Step 6: Environment Variables (Optional)
Under Variables & Secrets, click Add Variable:
| Name | Value |
|---|---|
AIPROXYGUARD_LOG_LEVEL |
info |
Want fleet management? Add the control plane environment variables to get automatic signature updates, analytics, and fleet management. See Connect to Control Plane for details.
Step 7: Deploy
- Click Create
- Wait for deployment (~1-2 minutes)
Step 8: Get Your URL
Once deployed, copy your service URL from the console:
https://aiproxyguard-xxxxx-uc.a.run.app
Test it:
curl https://aiproxyguard-xxxxx-uc.a.run.app/healthz
# {"status": "healthy"}
Option 3: gcloud CLI
Best for automation and CI/CD pipelines.
Prerequisites
Install and authenticate gcloud CLI:
# Install
brew install google-cloud-sdk # macOS
# or: curl https://sdk.cloud.google.com | bash # Linux
# Login and set project
gcloud auth login
gcloud config set project YOUR_PROJECT_ID
Quick Deploy (One Command)
gcloud run deploy aiproxyguard \
--image ghcr.io/ainvirion/aiproxyguard:latest \
--port 8080 \
--region us-central1 \
--allow-unauthenticated
Docker Hub: Use
docker.io/ainvirion/aiproxyguard:latest
With All Options
gcloud run deploy aiproxyguard \
--image ghcr.io/ainvirion/aiproxyguard:latest \
--port 8080 \
--region us-central1 \
--allow-unauthenticated \
--memory 512Mi \
--cpu 1 \
--timeout 300 \
--concurrency 80 \
--min-instances 0 \
--max-instances 10
Get the URL
gcloud run services describe aiproxyguard \
--region us-central1 \
--format 'value(status.url)'
Want fleet management? Add environment variables to your deployment. See Connect to Control Plane for the CLI configuration.
Test Your Deployment
# Health check
curl https://aiproxyguard-xxxxx-uc.a.run.app/healthz
# {"status": "healthy"}
# Test with OpenAI
curl -X POST https://aiproxyguard-xxxxx-uc.a.run.app/openai/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $OPENAI_API_KEY" \
-d '{"model": "gpt-4", "messages": [{"role": "user", "content": "Hello!"}]}'
Connect to Control Plane (Recommended)
Register your proxy with aiproxyguard.com to enable:
- Automatic signature updates (new threat patterns)
- Fleet management dashboard
- Telemetry and analytics
Step 1: Get Your API Key
- Sign up at aiproxyguard.com
- Create a new proxy instance in the dashboard
- Copy your API key
Step 2: Add Environment Variables
Via Cloud Console:
- Go to Cloud Run
- Click on your service → Edit & Deploy New Revision
- Expand Variables & Secrets
- Add environment variables:
| Name | Value |
|---|---|
AIPROXYGUARD_CONTROL_PLANE_ENABLED |
true |
AIPROXYGUARD_CONTROL_PLANE_URL |
https://aiproxyguard.com |
AIPROXYGUARD_CONTROL_PLANE_API_KEY |
your-api-key-here |
- Click Deploy
Via gcloud CLI:
gcloud run services update aiproxyguard \
--region us-central1 \
--set-env-vars \
AIPROXYGUARD_CONTROL_PLANE_ENABLED=true,\
AIPROXYGUARD_CONTROL_PLANE_URL=https://aiproxyguard.com,\
AIPROXYGUARD_CONTROL_PLANE_API_KEY=your-api-key-here
Using Secret Manager (recommended for API keys):
# Create secret
echo -n "your-api-key-here" | gcloud secrets create aiproxyguard-api-key --data-file=-
# Grant access to Cloud Run
gcloud secrets add-iam-policy-binding aiproxyguard-api-key \
--member="serviceAccount:YOUR_PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
# Deploy with secret
gcloud run services update aiproxyguard \
--region us-central1 \
--set-env-vars AIPROXYGUARD_CONTROL_PLANE_ENABLED=true \
--set-env-vars AIPROXYGUARD_CONTROL_PLANE_URL=https://aiproxyguard.com \
--set-secrets AIPROXYGUARD_CONTROL_PLANE_API_KEY=aiproxyguard-api-key:latest
Step 3: Verify Registration
View logs in Cloud Console:
- Go to Cloud Run → your service → Logs
- Look for:
Connected to control plane
Or via CLI:
gcloud run services logs read aiproxyguard --region us-central1 --limit 50
Update Your Apps
Point your applications to use the proxy:
Environment variable:
OPENAI_BASE_URL=https://aiproxyguard-xxxxx-uc.a.run.app/openai/v1
In code:
from openai import OpenAI
client = OpenAI(
base_url="https://aiproxyguard-xxxxx-uc.a.run.app/openai/v1",
api_key=os.environ["OPENAI_API_KEY"]
)
Advanced Configuration
Health Checks
Cloud Run automatically checks your container starts and listens on the configured port. For custom health checks:
- Go to service → Edit & Deploy New Revision
- Expand Container section
- Configure Startup probe:
- Type: HTTP
- Path:
/healthz - Initial delay: 0 seconds
- Timeout: 240 seconds
Scaling
gcloud run services update aiproxyguard \
--region us-central1 \
--min-instances 1 \
--max-instances 10 \
--cpu 2 \
--memory 1Gi
| Traffic Level | Min/Max Instances | CPU | Memory |
|---|---|---|---|
| Development | 0/1 | 1 | 512Mi |
| Small Prod | 1/5 | 1 | 512Mi |
| Medium Prod | 1/10 | 2 | 1Gi |
| Large Prod | 2/20 | 2 | 2Gi |
Custom Domain
Via Cloud Console:
- Go to Cloud Run → Manage Custom Domains
- Click Add Mapping
- Select your service
- Enter domain:
proxy.yourdomain.com - Add the DNS records shown
Via gcloud CLI:
gcloud run domain-mappings create \
--service aiproxyguard \
--domain proxy.yourdomain.com \
--region us-central1
Add DNS records as instructed (CNAME or A record depending on domain type).
Monitoring
View logs (Console):
- Go to Cloud Run → your service → Logs
View logs (CLI):
gcloud run services logs read aiproxyguard \
--region us-central1 \
--limit 100
Metrics:
- Go to Cloud Run → your service → Metrics
- View Request count, Latency, Container instances, CPU/Memory utilization
Troubleshooting
Deployment Failed
Check build/deploy logs:
gcloud run services logs read aiproxyguard --region us-central1
Common issues:
- Image pull failed → Verify image URL is correct and public
- Container failed to start → Check port is
8080
Container Not Starting
- Ensure container listens on
0.0.0.0:$PORT(read PORT env var) - Default timeout is 240 seconds for startup
- Check logs for startup errors
High Latency
- Increase min-instances to avoid cold starts
- Increase CPU/memory allocation
- Check region proximity to OpenAI/Anthropic
Cold Starts
For low-latency requirements:
gcloud run services update aiproxyguard \
--region us-central1 \
--min-instances 1
Cleanup
Delete the service:
gcloud run services delete aiproxyguard --region us-central1