Google App Engine Firewall: Restrict access to all services but the default one
I have a GAE project (flexible) consisting of 1 default and 2 subservices:

  • foo.appspot.com
  • service1.foo.appspot.com
  • service2.foo.appspot.com

Now I want to use foo.appspot.com as API proxy & auth gateway to the internal services service1 and service2. The proxy itself I wrote and it is working fine.

I am struggling with adjusting the GAE Firewall to forbid incoming world traffic to service1 and service2 because I would like to force an API user to send requests to foo.appspot.com. Traffic to the default service foo should be allowed.

It seems I can just enter IPs in the Firewall settings but not service names. The docs say that it should work but do not show how.

Thanks for the help!

Leper answered 15/3, 2018 at 10:11

The App Engine Flex environment is built on Google Compute Engine and consequently supports the Virtual Private Cloud networking system. With VPC networks, you can configure firewall rules that use Instance Tags to determine the target or source component in a firewall rule. Hence, you simply have to configure the app.yaml files of the target service/version to use the appropriate instance tags.

Thermionic answered 20/3, 2018 at 18:10

Comments:

  • That's great! Can I also use instance tags in the Google App Engine Firewall UI? It seems it just accepts IP ranges? – Leper
  • The App Engine Firewall is a stripped-down version of the VPC firewall which, unfortunately, does not support filtering by Instance Tags. Only IP ranges can be used on the App Engine Firewall. This blog link explains the App Engine Firewall in more detail. – Thermionic
  • Did anyone actually get this working? The UI suggests that the VPC firewall rule is applied to the App Engine instance, however the traffic is not being filtered. – Cardiff
  • Yes, but the priority of the VPC rules should be below 1000, otherwise they are not taken into account. See https://mcmap.net/q/826307/-what-are-default-vpc-firewall-rules-for-app-engine-flex – Zeba
  • I never got this to work, to this day. I added network > instance_tag: some-tag in my app.yaml file, but the tag seems to not even be applied to the instances, which explains why my firewall rule based on that tag doesn't work. If I search for App Engine instances having my tag, I can't find any: gcloud app instances list --filter="-tags.items=some-tag". Setting a priority < 1000 on my VPC rule, as suggested above, didn't help. Note: my scenario was slightly different from the OP's: I wanted to restrict access to a Compute Engine instance so as to allow only my App Engine instances. – Annora
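A concrete version of the tag-based setup the answer describes, added here as an illustration and not taken from the thread: an app.yaml for service1 carrying an instance tag, with the matching VPC firewall rules (gcloud) in comments. The tag name, rule names and allowed source range are placeholders, and the priority of 900 follows the comment above that rules must sit below 1000 to take effect.

```yaml
# app.yaml for the "service1" service (App Engine flexible environment).
# Added example; the tag, rule names and source range are placeholders.
runtime: python
env: flex
service: service1

network:
  # Instance tag that VPC firewall rules can target (the mechanism from
  # the answer). After deploying, confirm the tag really reached the
  # instances, since one comment above reports it did not:
  #   gcloud app instances list --filter="tags.items=internal-only"
  instance_tag: internal-only

# Matching VPC firewall rules (run once with gcloud; not part of app.yaml):
#
# 1. Deny all ingress from the internet to instances carrying the tag.
#    Priority 900 (< 1000) so it outranks the default allow rules, as
#    noted in the comments; lower number = higher priority.
#
#   gcloud compute firewall-rules create deny-internal-services \
#     --network default --direction INGRESS --action DENY \
#     --rules all --source-ranges 0.0.0.0/0 \
#     --target-tags internal-only --priority 900
#
# 2. Re-allow only the source the proxy's requests actually arrive from.
#    203.0.113.0/24 is a PLACEHOLDER: establish the real range by
#    inspecting service1's request logs before relying on this rule.
#
#   gcloud compute firewall-rules create allow-proxy-to-internal \
#     --network default --direction INGRESS --action ALLOW \
#     --rules all --source-ranges 203.0.113.0/24 \
#     --target-tags internal-only --priority 800
```

The same network block goes into service2's app.yaml; the default service foo gets no tag, so the deny rule never applies to it.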
