
I am building a simple POST handler on GAE in Python that will accept a POST and write it to a Cloud SQL database.

I would like to limit access to this app to a limited number of IPs - non-GAE webservers where the POST originates. Essentially, how to allow POSTS from my IPs and disallow all other traffic?

Seems like a simple and common operation, but I haven't found a solution online that seems to fit. Most GAE authentication and routing packages are built around user auth.

Where should I look for a solution here? What Google keywords should I be using? Is this going to be written into the app itself or should I be focused on another component of GCP for IP access and routing?

Thanks!

ensminger
  • How big is this range of IPs? Is it something you can store and perform a simple check for at the time of connection? – tsujin Nov 24 '15 at 15:26
  • Very small. At first it will only be one or two. And yes, store and check is what I envisioned. – ensminger Nov 24 '15 at 15:29
  • In that case, since it's only a few IPs, maybe a firewall rule is a better option here? – tsujin Nov 24 '15 at 15:53
  • Are firewall rules available with Apps Engine, or is this a Compute Engine feature? https://cloud.google.com/docs/permissions-overview?hl=en#h.6ve8js2j7vwq – ensminger Nov 24 '15 at 16:05
  • you can check remote_addr in the request, try self.request.remote_addr http://stackoverflow.com/questions/4231077/get-ip-address-in-google-app-engine-python and just check if it's in your allowed list before proceeding with the POST. – Paul Collingwood Nov 24 '15 at 16:21
  • It looks like you're also able to restrict access by IP to apps. Relevant links: https://support.google.com/a/answer/6047998?hl=en and https://cloud.google.com/sql/docs/access-control – tsujin Nov 24 '15 at 16:44
  • @PaulCollingwood THAT looks promising. Post as an answer and I'll likely accept it. – ensminger Nov 24 '15 at 16:58
  • @tsujin, I'm aware of the Cloud SQL access controls and I'm using them, actually. They're slick. ...and I don't want to confuse _Google Apps Engine_ with _Google Apps_. (Looks like the support article might apply to the latter.) Thanks for your help! – ensminger Nov 24 '15 at 16:58

1 Answer


All credit to Paul Collingwood for alerting me to the existence of request.remote_addr.

Here is my solution as of now:

import webapp2

# Client addresses that may POST (masked in the original post)
ALLOWED_IP = ['173.47.xx.xx1', '173.47.xx.xx2']

class PostHandler(webapp2.RequestHandler):
    def post(self):

        # Read the IP of the incoming request
        ip = self.request.remote_addr

        # If the IP is allowed, execute our code
        if ip in ALLOWED_IP:
            # Execute some awesome code
            pass

        # Otherwise, slam the door!
        else:
            self.error(403)

I'm not entirely sure that my self.error() usage is appropriate here, but this is working! POST requests made from the allowed IPs are accepted and executed. All others are given a 403.

I'm always eager to hear improvement suggestions.

ensminger
  • This is a nice way to do what you want, indeed. Another solution would be to use Managed VMs, where you can configure firewall rules like in Compute Engine. Cheers! – Patrice Nov 25 '15 at 16:29
  • How can you configure firewall rules with MVM? – Max Jan 04 '17 at 16:18
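The accepted answer compares remote_addr against a list of exact strings, which works for one or two fixed IPv4 hosts but not for a range, an IPv6 source, or an IPv4 client reported in the ::ffff:a.b.c.d form. The block below is an added example, not code from the question or answer author: it expresses the allowlist as networks with the standard-library ipaddress module (stdlib since Python 3.3; the Python 2.7 runtime the answer targets needs the ipaddress backport), fails closed on missing or unparsable addresses, and applies the check as a WSGI wrapper so a 403 is returned before any handler runs, which also covers a webapp2.WSGIApplication since that is a WSGI app. The networks are RFC 5737 / RFC 3849 documentation addresses standing in for the asker's real ones, and post_handler is a placeholder for the real Cloud SQL write. Only REMOTE_ADDR is consulted; X-Forwarded-For is deliberately ignored, because a client can set that header itself, as the last run in the driver shows. App Engine has since gained its own firewall rules (gcloud app firewall-rules), which is the "another component of GCP" answer to the question; an in-app check like this one is still reasonable as defence in depth.

```python
import ipaddress

# Allowlist as networks, so single hosts (/32, /128) and ranges are handled alike.
# These are RFC 5737 / RFC 3849 documentation addresses, placeholders for the
# real addresses (the original answer masks its own as 173.47.xx.xx1).
ALLOWED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("203.0.113.10/32", "203.0.113.0/29", "2001:db8::/64")
]


def is_allowed(remote_addr, allowed=ALLOWED_NETWORKS):
    """True iff remote_addr lies inside one of the allowed networks.

    Fails closed: a missing or unparsable address is treated as not allowed.
    """
    if not remote_addr:
        return False
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return False
    # An IPv4 client arriving over a dual-stack socket may be reported as
    # ::ffff:a.b.c.d; compare it against the IPv4 allowlist entries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Membership across address families is simply False, never an exception.
    return any(addr in net for net in allowed)


def ip_allowlist(app, allowed=ALLOWED_NETWORKS):
    """Wrap a WSGI app (a webapp2.WSGIApplication is one) so that requests from
    outside `allowed` get a 403 before any handler code runs.

    Only REMOTE_ADDR is consulted. X-Forwarded-For is ignored on purpose: the
    client controls that header unless a trusted proxy rewrites it.
    """
    def wrapped(environ, start_response):
        if not is_allowed(environ.get("REMOTE_ADDR"), allowed):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return app(environ, start_response)
    return wrapped


# --- stand-in application and a tiny driver, so the file runs offline -------

def post_handler(environ, start_response):
    """Placeholder for the real handler that writes the POST body to Cloud SQL."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"stored\n"]


def call(app, remote_addr, extra_environ=None):
    """Drive a WSGI app with a minimal constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    environ.update(extra_environ or {})
    body = b"".join(app(environ, start_response))
    return captured["status"], body


guarded = ip_allowlist(post_handler)

if __name__ == "__main__":
    for src in ("203.0.113.10", "203.0.113.5", "203.0.113.8", "::ffff:203.0.113.10",
                "2001:db8::1", "garbage", ""):
        print("%-22s -> %s" % (src or "<empty>", call(guarded, src)[0]))
    # A spoofed X-Forwarded-For does not help an unlisted client.
    print("spoofed XFF           ->", call(guarded, "198.51.100.7",
                                           {"HTTP_X_FORWARDED_FOR": "203.0.113.10"})[0])
```

To use it with the answer's handler, wrap the application object rather than checking inside post(): app = ip_allowlist(webapp2.WSGIApplication([('/', PostHandler)])). The check then applies to every route, including any GET or HEAD handlers added later, which a per-method check inside one handler would miss.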