2

Currently I'm using a nodejs App Engine (flexible environment) to do scheduled tasks, like shutting down and starting instances or creating snapshots. The problem is that these App Engines are accessible from everywhere, but I only want them to be accessible within my Google Cloud Network. I can't really seem to get the firewall to work that way. Does anyone know whether there is a way or not to do that?

David

1 Answer

7

To ensure cron jobs are triggered only from within the Google Cloud network, you can check that the request carries the X-Appengine-Cron: true header and that the client IP is 0.1.0.1.

From documentation:

You might want to validate that requests to your cron URLs are coming from App Engine and not from another source. You can do so by validating an HTTP header and the source IP address for the request:

  • Requests from the Cron Service will also contain a HTTP header:

    X-Appengine-Cron: true

The X-Appengine-Cron header is set internally by Google App Engine. If your request handler finds this header it can trust that the request is a cron request. The X- headers are stripped by App Engine when they originate from external sources so that you can trust this header.

  • Google App Engine issues cron requests from the IP address 0.1.0.1
Alexander Trakhimenok
  • tried this in Postman, definitely strips out `X-Appengine-Cron`, but not all `X-` headers. I imagine any `X-` headers appengine itself uses, it'll strip. I was able to send `X-AppengineCrn` just fine (to sanity-check postman was working) – Jer_TX Oct 11 '19 at 19:05
  • 1
    That’s the point so only AppEngine can set the header so you can trust it. – Alexander Trakhimenok Oct 13 '19 at 00:18
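
The check described in the answer above, as an added Node.js example that is not part of the original post or of Google's documentation. The function names and the use of `req.socket.remoteAddress` are assumptions; how the client IP reaches your app depends on the deployment, so pass in whatever address your platform reports as the request source.

```javascript
// Added example: gate a cron endpoint on both signals from the quoted documentation.
const CRON_SOURCE_IP = "0.1.0.1"; // cron source address stated in the documentation quote

// Node's http module lowercases incoming header names. Require the exact
// header name and the single exact value "true": a look-alike such as
// X-AppengineCrn is not stripped by App Engine and must not be accepted.
function hasCronHeader(headers) {
  const value = headers ? headers["x-appengine-cron"] : undefined;
  return typeof value === "string" && value === "true";
}

// Dual-stack sockets report IPv4 peers as "::ffff:a.b.c.d"; strip that prefix.
function normalizeIp(ip) {
  if (typeof ip !== "string") return "";
  const trimmed = ip.trim();
  return trimmed.toLowerCase().startsWith("::ffff:") ? trimmed.slice(7) : trimmed;
}

// True only when the header check and the source-address check both pass.
function isAppEngineCron(headers, clientIp) {
  return hasCronHeader(headers) && normalizeIp(clientIp) === CRON_SOURCE_IP;
}

// Hypothetical handler wrapper: runs `task` only for verified cron requests,
// answers 403 otherwise. Works with a plain http.IncomingMessage/ServerResponse.
function handleCron(req, res, task) {
  // Assumption: the socket peer address is the request source in this deployment.
  const clientIp = req.socket ? req.socket.remoteAddress : undefined;
  if (!isAppEngineCron(req.headers, clientIp)) {
    res.statusCode = 403;
    res.end("forbidden");
    return false;
  }
  task();
  res.statusCode = 200;
  res.end("ok");
  return true;
}
```
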