dadatuputi / bitwarden_gcloud

Bitwarden installation optimized for Google Cloud's 'always free' e2-micro compute instance
MIT License

[offtopic, not a technical issue] google charging for network traffic from US to EMEA #83

Open kurti500 opened 8 months ago

kurti500 commented 8 months ago

Hi all, quick question. Maybe I have made a setup mistake or conditions have changed: for a while now I have been charged for network traffic from the US to EMEA. It is not massive (below 1€/month), but as I am located in Germany there is a charge coming in every month, and the idea was that the setup is free ;-)

- Network Internet Data Transfer Out from Americas to EMEA
- Network Internet Data Transfer Out from Americas to China

Anybody else in EMEA experiencing this? Any idea how this can be prevented? Also wondering where the transfer from US to China is coming from.

Thanks

turnah commented 8 months ago

I also had this. I ended up using Cloudflare (moved my domain here) as a proxy to geoban regions, and the problem has gone away.

I couldn't find a way to do it elegantly within Google, even restricting by IP. I even had the regions blocked within the bitwarden_gcloud setup too.



jtognazzi commented 8 months ago

Yeah, I also see some amount on the line "Network Internet Data Transfer Out from Americas to China".

It is in the order of 0.01 USD

So I did not bother much (yet)

But I'm wondering what this traffic going out to China could be... bot traffic, probably.

dadatuputi commented 8 months ago

I've noticed the same, 2 months with $.02. Unfortunately, putting the blocking in gcloud will still not eliminate traffic from bot traffic; even the packets that are dropped by ipsec will be charged. Having it outside as some sort of web app firewall (à la Cloudflare, @turnah) is the best approach to make it fool-proof.

This month I'll have some time to research some possible methods and write up. There is some prior work done here

killer23d commented 8 months ago

I have about CAD 0.02 every month, not a big deal but the CF approach seems to be a more elegant approach.

Looks like a websocket change for the next version that we need to be prepared for: https://github.com/dani-garcia/vaultwarden/issues/4024

asardaes commented 8 months ago

FWIW, I already use the free tier of Cloudflare for DNS and proxying, and I also get a couple cents charged on some months, though not always. This doesn't include any blocking/firewall, but my understanding was that, through the Cloudflare network, the data center talking to the actual GCE VM would be in a region close to the VM.

However, do you see the "Network Internet Data Transfer" charges in the PDF invoices that Google sends? Because I've never seen anything so detailed there, mine just say "Fee for MONTH YEAR", and sometimes that's 0, sometimes not.

killer23d commented 8 months ago

> FWIW, I already use the free tier of Cloudflare for DNS and proxying, and I also get a couple cents charged on some months, though not always. This doesn't include any blocking/firewall, but my understanding was that, through the Cloudflare network, the data center talking to the actual GCE VM would be in a region close to the VM.
>
> However, do you see the "Network Internet Data Transfer" charges in the PDF invoices that Google sends? Because I've never seen anything so detailed there, mine just say "Fee for MONTH YEAR", and sometimes that's 0, sometimes not.

When I check the Cost Breakdown, I always have:

Network Internet Data Transfer Out from Americas to China - $0.02

The CF implementation would be great if the traffic can be proxied.

asardaes commented 8 months ago

Ah I found it now under "Cost table", same as yours. Since I already use the free CF proxy, I suppose that's not enough.

I did configure Countryblock as documented in the wiki, but I guess some requests always slip through, not sure if it can be 100% avoided.

dadatuputi commented 4 months ago

I didn't have the capacity I thought I would to look at this in January. There shouldn't be any charges for inbound data to Google. Any firewall rule added by countryblock will DROP packets, so there should be no outbound to IPs from the countries.

There will be IP subnets not in ipdeny.com's lists that Google will charge exit fees to.

Cloudflare might eliminate some traffic that's using your DNS to scan, but I believe most of the traffic is from systems that scan the entire IPv4 space (think Shodan), so DNS will have little to do with it.

The most airtight solution will require something like Cloudflare Zero Trust VPN (free I think for these purposes), or only whitelisting Cloudflare IPs from Google.
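
The "only whitelisting Cloudflare IPs" option from the last comment, sketched as an added example (not code from this repository or from any commenter): it validates a list of IPv4 CIDRs and prints, without running, a `gcloud` ingress rule limited to those sources. The rule name `allow-cf-https`, the `default` network and the `https-server` target tag are assumptions; the sample ranges follow the one-CIDR-per-line format of https://www.cloudflare.com/ips-v4 and should be refreshed from the live list.

```shell
#!/bin/sh
# Added example: print a gcloud command that allows HTTPS ingress only from
# Cloudflare proxy ranges. Rule name, network and tag are assumptions.

# Sample lines in the format of https://www.cloudflare.com/ips-v4, plus one
# constructed malformed line to show that bad input is skipped.
SAMPLE_CF_RANGES='173.245.48.0/20
103.21.244.0/22
not-a-cidr
104.16.0.0/13'

# Succeeds only for a well-formed IPv4 CIDR (four octets 0-255, prefix 0-32).
valid_cidr4() (
  case $1 in */*) ;; *) exit 1 ;; esac
  ip=${1%/*}; prefix=${1#*/}
  case $ip in ''|*[!0-9.]*|.*|*.) exit 1 ;; esac
  case $prefix in ''|*[!0-9]*|???*) exit 1 ;; esac
  [ "$prefix" -le 32 ] || exit 1
  IFS=.; set -f; set -- $ip          # split the address on dots
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    case $o in ''|????*) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
  done
)

# Read CIDRs on stdin, drop malformed lines, print the rest comma-joined.
join_ranges() (
  out=
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '[:space:]')
    if valid_cidr4 "$line"; then out="${out:+$out,}$line"; fi
  done
  printf '%s' "$out"
)

# Usage: build_rule RULE_NAME NETWORK TARGET_TAG < cidr-list
# Refuses to emit a rule when no valid range was read.
build_rule() (
  ranges=$(join_ranges)
  [ -n "$ranges" ] || { echo "no valid source ranges" >&2; exit 1; }
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --action=ALLOW --rules=tcp:443 --source-ranges=%s --target-tags=%s\n' \
    "$1" "$2" "$ranges" "$3"
)

printf '%s\n' "$SAMPLE_CF_RANGES" | build_rule allow-cf-https default https-server
```

The rule only narrows access once any existing rule that allows port 443 from `0.0.0.0/0` to the same instance is deleted or disabled. It covers IPv4 only.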