ahmetb / runsd

Drop-in Service Discovery capabilities for Google Cloud Run.

Home Page: https://ahmet.im/blog/cloud-run-service-discovery/

Unable to call service when going through a VPC connector

tzehon opened this issue

I was trying this out with a receiving and invoking service in the same region with the following setup:

  • [Receiving + invoking service] All ingress traffic allowed
  • [Receiving service] Authenticated users required
  • [Receiving service] Set IAM policy on receiving service to give the invoking service the invoker role

This works as expected.

Next, I created a VPC connector in the same region and modified the setup:

  • Receiving service: Set allowed ingress to be internal only
  • Receiving service: Route all traffic through a VPC connector (it has to call some internal IP address)
  • Invoking service: Route all traffic through the VPC connector as well

That was when it broke.

Cloud Logging showed that the URL was resolved successfully: [proxy] start: GET url=https://svc-hash-region.a.run.app/

However, each call was hit with a proxy timeout thereafter: http: proxy error: dial tcp x.x.x.x:443: i/o timeout

Did I misconfigure something, or could it be the way the request passes through the VPC connector VMs?

Could be an issue with runsd. Have you tried this setup without runsd to see if it works?

Thanks for the suggestion, I tried it without runsd too and got the same issue. Some debugging made me realize that the problem was with my VPC connector, as my script created a shared VPC connector instead of one for a standalone VPC. Closing the issue.