When you need a very specific tutorial and for a magical reason someone is there to save you. Thanks so much man.
Glad it was of help!
Wonderful. Great stuff. Can you also show us how to do the deployment if we are using Windows, and which command is to be used to push to the artifact registry?
I wish this guy would make more videos!!!
You are in luck @stevenlevey :) That is the plan.
Awesome, looking forward to seeing more vids from you Christo ❤🎉
Awesome Christo! Subscribed!🎉
Thank you very much @sherryab3964!
This is so cool and I can understand everything!!! More videos please! I subscribed
Wow cool Christo ❤🎉
Thanks @pybob!
This is so good!! I do have a question though, do you know if streamlit's cache data decorator works properly in Cloud Run? I plan to set up a dashboard that runs a query from BigQuery and stores it for 1 week before refreshing. I do not want to accidentally have it run queries left and right.
Hi @eej1.07 I have no idea how Streamlit's cache data decorator works but I believe your biggest issue here will be to ensure that the Cloud Run instance does not shut down and thus you lose the cache. Also if more Cloud Run instances are spun up to handle load then each new instance won't have access to the cache.
You could always set a minimum number of instances to be up and running at any given point in time. For those instances, depending on when the cache is loaded, each will load the cache and then serve from it. (If that is how it works in Streamlit).
Something that might be worth trying instead is to use BigQuery BI Engine to cache the dataset you want to use in that instead. It allows you to load BigQuery data into "memory" and then serve those datasets from it instead of hitting BigQuery itself all the time. This should be much faster and will also reduce your query costs.
Hi Christo, thank you for your awesome video. Should it be possible to set up a URL mask mapping to different services without using IAP and just using multiple NEGs to point to individual services? I've attempted it but the streamlit services just end up timing out after a few seconds on the different paths from the domain host. I am wondering if this is the correct way of trying to achieve this path mapping without having an IAP.
Hi @thehubbard, that should be possible. I believe you don't need multiple NEGs but just a serverless NEG with a URL Mask showing something like `//`. This will then allow you to hit any Cloud Run service by substituting the Cloud Run app's name for the `` placeholder. IAP is only needed if you want to secure the services you expose through your Load Balancer.
Do you have any logs from the Streamlit apps? Something that can trip things up and that is worth checking is that the Streamlit apps are set to serve from the `server.baseUrlPath` when you start them. They should have the baseUrlPath set to include the URL with the service name of the Cloud Run app, otherwise it won't work. E.g. if your URL Mask is `/` and the Cloud Run service hosting your streamlit app is named `my-streamlit-app` then the baseUrlPath should be set to `/my-streamlit-app`.
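The path routing described in the reply above, as an added example that is not part of the original thread or the video author's code: a simplified Python model of a URL mask, assumed here to have the form `/<service>`, that checks whether a request path resolves to a deployed service whose `server.baseUrlPath` matches. The service names in `SERVICES` and the status strings are constructed for illustration.

```python
import re

# Constructed sample: Cloud Run service name -> server.baseUrlPath the
# Streamlit app was started with. All names here are made up.
SERVICES = {
    "my-streamlit-app": "/my-streamlit-app",  # base path matches service name
    "calc-prod-7f3a": "calculator",           # unique service name, short base path
}

def service_from_path(url_mask, request_path):
    """Return the service name a mask like '/<service>' extracts, else None.

    Simplified model (assumption): the placeholder matches one path segment.
    """
    pattern = re.escape(url_mask).replace(
        re.escape("<service>"), r"(?P<service>[^/]+)")
    match = re.match(pattern + r"(?:/.*)?$", request_path)
    return match.group("service") if match else None

def diagnose(url_mask, request_path, services=SERVICES):
    """Classify a request: ok, no-match, unknown-service, base-path-mismatch."""
    service = service_from_path(url_mask, request_path)
    if service is None:
        return "no-match"
    if service not in services:
        return "unknown-service"
    # Assumes no URL rewrite at the load balancer: the app receives the
    # request path unchanged, so it must serve under that same prefix.
    base = "/" + services[service].strip("/")
    if request_path == base or request_path.startswith(base + "/"):
        return "ok"
    return "base-path-mismatch"

if __name__ == "__main__":
    for path in ("/my-streamlit-app/", "/calc-prod-7f3a/", "/calculator/", "/"):
        print(path, "->", diagnose("/<service>", path))
```

A `base-path-mismatch` result corresponds to a request that reaches the right service but lands outside the prefix the app serves from; `unknown-service` corresponds to a path that names the base path rather than the Cloud Run service.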
@christoolivier thank you for your help. It appears to be the fact that my services and baseUrlPaths do not match up. Due to the services having to have globally unique names for google cloud, I had them set to very different names. Rather than the simpler "calculator" for example that I had wanted to use as the baseUrlPath.
@thehubbard Really glad to hear you got it working.
@christoolivier Sorry for reaching out again. I'm encountering an issue with integrating HEALTHCHECK into the Dockerfile, particularly when hosting with a URL mask. While I've successfully implemented Healthcheck with Cloud Run without using baseUrlPath, I'm facing failures when I do use it. Error logs indicate that the liveness HTTP probe fails. Strangely, the healthcheck address with a baseUrlPath for the streamlit app works flawlessly when running in a Docker container on a local machine. Any insights or suggestions on resolving this would be greatly appreciated.
@thehubbard No problem at all. Unfortunately nothing comes to mind immediately. It does seem strange that the test works with a baseUrlPath on local docker but fails when used with the URL mask and baseUrlPath using Cloud Run. It might take a bit of investigation to figure this out so feel free to reach out to me via one of the methods on www.christoolivier.com and we can set up a call.
Are you using an HTTP endpoint for the liveness check that is being served by Streamlit?
Great video - thanks a lot, Christo!! Two questions: A) Turns out deploying a single streamlit app this way runs about EUR 17 just for the load balancer / networking and EUR 7 for the compute engine = EUR 25 before any variable cost related to Cloud run. Is this also your experience? Are there any ways to reduce this fixed cost component?? B) Related to the cost arguments, is it possible to use the routing that you discussed at the end to create multiple cloud run apps, each with their own access rights, through a single load balancer? This would at least digress the high fixed cost ......
Hi @bavquant, I am glad the video was of help. I have not dug into the costs in detail myself. These were normally deployed on projects where other costs would far outstrip the cost of the Streamlit apps being deployed.
One way to reduce the fixed cost component is to look into how you set up your Cloud Run instance. Make sure this is not set to always be online and is allowed to fully scale down when not used. That will unfortunately not help with the costs for Load Balancer and networking.
The routing I discussed is definitely capable of handling multiple Cloud Run instances with the same Load Balancer. I have not covered that in detail but I have done this on other projects where we had different Cloud Run instances sit behind different paths in the same Load Balancer and have groups/users access defined on each of those routing paths.
Hey Christo, thanks for your video! Very insightful!
I have one question, what should I change if I don't have a domain and only want one permanent link from google?
Hi @alexandrecarvalho7922. Could you provide a bit more detail on what you are trying to achieve?
Do you want to access the Streamlit Application with a Google generated URL and still have it secured with IAP and accessed over HTTPS?
Or are you looking to make the Streamlit Application available via a URL without it being secured for access using IAP?
Hi @christoolivier. I am trying to deploy a streamlit application only accessible to selected internal users. I don’t have a domain and am not planning on getting one, but it would be good to have a permanent IP to access the application.
I reached out because I am trying to do it through the HTTP way (instead of HTTPS as I don’t have a domain), but it is not working.
@alexandrecarvalho7922 Thank you for the additional information.
As far as I am aware you cannot secure Cloud Run deployed apps with IAP unless you have a domain that is registered to the address of the load balancer which is used to serve your Cloud Run apps.
That leaves you with two other options.
1) Deploy your Streamlit app to App Engine and secure it via IAP cloud.google.com/iap/docs/enabling-app-engine
2) Deploy your Streamlit app to a Compute Engine machine and require the users of the app to use SSH port forwarding with IAP to give them secure access to the application. cloud.google.com/compute/docs/connect/ssh-using-iap#gcloud
cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_ssh_connections
Option 1 would be the smoothest for the end users.
Option 2 would require them to run the correct command on the terminal to port forward the Streamlit App on the VM to their local machine before they could access it. I would not use Option 2 for any production uses.