
I have a GAE project (flexible) consisting of 1 default and 2 subservices:

  • foo.appspot.com
  • service1.foo.appspot.com
  • service2.foo.appspot.com

Now I want to use foo.appspot.com as an API proxy & auth gateway to the internal services service1 and service2. I wrote the proxy itself and it is working fine.

I am struggling with adjusting the GAE Firewall to forbid incoming world traffic to service1 and service2, because I would like to force an API user to send requests to foo.appspot.com. Traffic to the default service foo should be allowed.

It seems I can only enter IPs in the Firewall settings, not service names. The docs say that it should work but do not show how.

Thanks for the help!

Sebastian

1 Answer

App Engine Flex environment is built on Google Compute Engine and consequently it supports the Virtual Private Cloud networking system. With VPC networks, you can configure firewall rules that use Instance Tags to determine the target or source component in a firewall rule. Hence, you simply have to configure the app.yaml files of the target service/version to use the appropriate instance tags.

oakinlaja
  • That’s great! Can I also use instance tags in the Google App Engine Firewall UI? It seems it just accepts IP ranges? – Sebastian Mar 21 '18 at 06:47
  • The App Engine Firewall is a stripped-down version of the VPC firewall which, unfortunately, does not support filtering by Instance Tags. Only IP ranges can be used on the App Engine Firewall. This blog [link](https://cloudplatform.googleblog.com/2017/10/App-Engine-firewall-now-generally-available.html) explains the App Engine Firewall in more detail. – oakinlaja Mar 21 '18 at 13:30
  • Did anyone actually get this working? The UI suggests that the VPC firewall rule is applied to the App Engine instance, however the traffic is not being filtered. – Henk Mollema Dec 19 '18 at 11:17
  • Yes, but the priority of the VPC rules should be below 1000, otherwise they are not taken into account. See https://stackoverflow.com/a/54421763/2298505 – gvo Jan 29 '19 at 15:56
  • I never got this to work, to this day. I added `network` > `instance_tag: some-tag` in my `app.yaml` file, but the tag seems to not even be applied to the instances, which explains why my firewall rule based on that tag doesn't work. If I search for App Engine instances having my tag, I can't find any: `gcloud app instances list --filter="-tags.items=some-tag"`. Setting a priority < 1000 on my VPC rule, as suggested above, didn't help. Note: my scenario was slightly different from the OP's: I wanted to restrict access to a Compute Engine instance so as to allow only my App Engine instances. – TanguyP May 14 '19 at 09:52
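The following script is an added example that ties together the answer (tag the Flex instances via `network: instance_tag` in app.yaml, then target that tag from a VPC firewall rule) and the priority caveat raised in the comments. It is not code from the question, the answer or Google's documentation. The tag name `internal-only`, the priority `900`, the runtime `nodejs`, the VPC network `default` and the ports `443`/`8080` are all assumptions to be adjusted for a real project; the script builds the gcloud command lines and only executes them when `DRY_RUN` is unset, so it can be read and checked before anything is changed in a project.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumed names: tag "internal-only", priority 900, runtime "nodejs",
# VPC network "default", ports 443/8080. Adjust these to your project.
set -eu

TAG="internal-only"
PRIORITY=900   # the thread reports that rules at priority >= 1000 are not honoured for Flex

# Write an app.yaml for a Flex service whose VMs should carry the tag.
# The "network: instance_tag:" stanza is what attaches the GCE tag.
write_app_yaml() {
  svc="$1"; out="$2"
  cat > "$out" <<EOF
runtime: nodejs
env: flex
service: $svc
network:
  instance_tag: $TAG
EOF
}

# Pre-deploy check: refuse to deploy a service that has lost its tag stanza,
# since without the tag the firewall rule below matches nothing.
has_instance_tag() {
  grep -q "^  instance_tag: $TAG\$" "$1"
}

# The VPC firewall rule: deny world ingress to instances carrying the tag.
# Priority must stay below 1000 (see the comments above). Ports are assumed.
deny_rule_cmd() {
  printf '%s' "gcloud compute firewall-rules create deny-world-to-$TAG" \
    " --network=default --direction=INGRESS --action=DENY" \
    " --rules=tcp:443,tcp:8080 --source-ranges=0.0.0.0/0" \
    " --target-tags=$TAG --priority=$PRIORITY"
}

# Post-deploy verification: list the Flex VMs (as GCE instances) that actually
# carry the tag. An empty result means the rule cannot be matching anything.
list_tagged_cmd() {
  printf '%s' "gcloud compute instances list --filter=\"tags.items=$TAG\""
}

# Print the command when DRY_RUN is set, otherwise execute it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "$1"; else sh -c "$1"; fi
}

main() {
  write_app_yaml service1 service1.yaml
  has_instance_tag service1.yaml || { echo "service1.yaml lacks instance_tag" >&2; exit 1; }
  run "$(deny_rule_cmd)"
  run "gcloud app deploy service1.yaml"
  run "$(list_tagged_cmd)"
}

# Run with RUN_EXAMPLE=1 DRY_RUN=1 to see the commands without executing them.
if [ "${RUN_EXAMPLE:-}" = 1 ]; then main; fi
```

The verification step matters because of the disagreement in the thread: if `gcloud compute instances list --filter="tags.items=internal-only"` returns nothing after the deploy, the tag never reached the VMs and the rule cannot take effect regardless of its priority.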