
I have a service hosted on App Engine flexible that's intended to be internal-facing. I'd like to communicate with it from a Compute Engine instance within my VPC. This instance has no external IP but is in a subnet with private Google access enabled, and I'm able to successfully hit the appspot.com domain from this instance, presumably via this private access.

Is there a way to use App Engine firewall rules to deny all traffic except that originating from my VPC, and this instance in particular? It's unclear to me what IP could be whitelisted in this case.

1 Answer


There is a way. Find here how to create the firewall rules (in order to have an idea of what options are available) and then check the examples on the same page.

I suggest the first one, which is really similar to what you intend to do. You will have to deny all ingress TCP traffic first and then whitelist the subnet IP range. The example, which includes tags and TCP access through port 80, provides the following commands:

gcloud compute firewall-rules create deny-subnet1-webserver-access \
    --network my-network \
    --action deny \
    --direction ingress \
    --rules tcp \
    --source-ranges 0.0.0.0/0 \
    --priority 1000 \
    --target-tags webserver


gcloud compute firewall-rules create vm1-allow-ingress-tcp-port80-from-subnet1 \
    --network my-network \
    --action allow \
    --direction ingress \
    --rules tcp:80 \
    --source-ranges 10.240.10.0/24 \
    --priority 50 \
    --target-tags webserver

You can also find a conceptual description for Google Cloud Firewall Rules here.

Rubén C.
  • Thanks - the docs you pointed to are for VPC firewall rules, which I don't think works in this case, since the traffic to the instances from appspot is coming via the cloud load balancer (see https://stackoverflow.com/a/44082597/9665925). I'm asking about the App Engine HTTP firewall rather than the GCE firewalls. – Winston Huang May 23 '18 at 15:46
  • You are right, my bad. I agree with [Matthew Sachs](https://stackoverflow.com/users/7764352/matthew-sachs) suggestions in the post you mention, which dates from May ‘17 but now there is a [beta](https://cloud.google.com/iap/docs/release-notes#august_31_2017) Identity-Aware Proxy version. Did you have a look into [it](https://cloud.google.com/iap/docs/concepts-overview)? I barely successfully completed [this quickstart](https://cloud.google.com/iap/docs/app-engine-quickstart). – Rubén C. May 28 '18 at 11:48
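The comments above move the question from VPC firewall rules to the App Engine firewall, which filters on the source IP of the request as it reaches Google's front end and evaluates rules in ascending priority order: the first matching rule decides, and the default rule (fixed priority 2147483647) decides whatever nothing else matched. What follows is an added example, not part of the original question or answer: a small Python model of that evaluation, with a constructed ruleset that denies by default and allows only the 10.240.10.0/24 subnet from the VPC example, plus a check for rules that can never fire because a higher-priority rule already covers their whole range (the mistake of giving a deny-all a lower priority number than the allow). The gcloud commands in the comments are the documented App Engine firewall CLI as I understand it; the subnet, client addresses and priority numbers are assumptions.

```python
"""Model of App Engine firewall evaluation: rules are checked in ascending
priority order, the first matching rule decides, and the catch-all default
rule (priority 2147483647) decides everything else.  Added example, not
code from the original post; ranges and priorities are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

DEFAULT_PRIORITY = 2147483647  # fixed priority of the App Engine default rule

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Rule:
    priority: int       # lower number = evaluated first
    action: str         # "ALLOW" or "DENY"
    source_range: str   # CIDR, or "*" for the default rule's catch-all

    def network(self) -> Optional[IPNetwork]:
        if self.source_range == "*":
            return None
        return ipaddress.ip_network(self.source_range, strict=False)

    def matches(self, ip: IPAddress) -> bool:
        net = self.network()
        if net is None:
            return True
        return net.version == ip.version and ip in net


def evaluate(rules: List[Rule], client_ip: str) -> Rule:
    """Return the rule that decides a request from client_ip (first match by priority)."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(ip):
            return rule
    raise ValueError("no rule matched; the ruleset must contain the default rule")


def shadowed(rules: List[Rule]) -> List[Rule]:
    """Rules that can never fire: a higher-priority rule already covers their whole range."""
    ordered = sorted(rules, key=lambda r: r.priority)
    result = []
    for i, rule in enumerate(ordered):
        net = rule.network()
        for earlier in ordered[:i]:
            enet = earlier.network()
            covered = enet is None or (
                net is not None and net.version == enet.version and net.subnet_of(enet)
            )
            if covered:
                result.append(rule)
                break
    return result


# Constructed ruleset: deny by default, allow only the VM's subnet.
# Equivalent gcloud (assumption: the documented App Engine firewall CLI):
#   gcloud app firewall-rules update default --action=deny
#   gcloud app firewall-rules create 1000 --action=allow --source-range=10.240.10.0/24
LOCKED_DOWN = [
    Rule(DEFAULT_PRIORITY, "DENY", "*"),
    Rule(1000, "ALLOW", "10.240.10.0/24"),
]

# Constructed misordering: an explicit deny-all with a *lower* priority number
# than the allow, so the allow is unreachable and the VM is locked out too.
MISORDERED = [
    Rule(DEFAULT_PRIORITY, "DENY", "*"),
    Rule(10, "DENY", "0.0.0.0/0"),
    Rule(1000, "ALLOW", "10.240.10.0/24"),
]


if __name__ == "__main__":
    for ip in ("10.240.10.5", "203.0.113.7"):  # constructed client addresses
        r = evaluate(LOCKED_DOWN, ip)
        print(f"{ip}: {r.action} by rule {r.priority}")
    print("shadowed in MISORDERED:", shadowed(MISORDERED))
```

Before locking down, check which address App Engine actually records for a request from the VM (the client IP in the App Engine request log), since that is the address the firewall evaluates, and confirm the outcome with `gcloud app firewall-rules test-ip <address>`, which reports the rule that matches. An IP allow list does not authenticate the caller; the Identity-Aware Proxy mentioned in the last comment is the identity-based alternative.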