We want to deploy two App Engine services inside one Google Cloud project (one would handle external HTTPS requests and the other one shall receive traffic from the first service). Communication between these two services is done over mTLS using self-signed certificates (the second service authenticates the first one based on the client certificate provided during the handshake).

If I understand correctly, we are not able to expose anything other than HTTP traffic via the VERSION_ID-dot-SERVICE_ID-dot-PROJECT_ID.REGION_ID.r.appspot.com domain name, and communication between the services shall be carried out using the internal network (VPC). This also lowers the security risks associated with exposure of the internal traffic (although the traffic is secured).

We were able to connect from one instance of the first service to one instance of the other service using an internal IP address. But we don't quite understand how to properly route traffic from an instance of the first service to one of the instances of the second one. Can this be done via a VPC connector, or should there be some TCP load balancer?

Fedor

1 Answer

You have to use a combination of both:

  • Use a serverless VPC connector on the first service for routing all the traffic originating from this first service to your VPC
  • Create a NEG (Network Endpoint Group) on the subnet range of your second service
  • Use an internal Global load balancer for routing the traffic to the NEG of the second service

You can also choose not to do this and to secure the second service only with IAP. Of course, the IP and DNS will be publicly accessible, but only accounts explicitly authorized will be able to reach it. All the other requests will be discarded by the GFE (Google Front End).

This "zero trust" capability is trendy at Google. You don't rely on the network, but on the authentication mechanism. I'm a fan of it!

guillaume blaquiere
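The first step of the answer, attaching the serverless VPC connector to the first (externally reachable) service, is configured in that service's app.yaml. This is an added example, not part of the answer above; the project id, region, connector name and service name are placeholders you must replace with your own.

```yaml
# app.yaml of the first service (the one receiving external HTTPS requests).
# Placeholder values: YOUR_PROJECT, YOUR_REGION, YOUR_CONNECTOR, the service name.
runtime: python312
service: frontend

# Route this service's outbound traffic through the serverless VPC connector,
# so requests to the second service never leave the VPC.
vpc_access_connector:
  name: projects/YOUR_PROJECT/locations/YOUR_REGION/connectors/YOUR_CONNECTOR
  # all-traffic sends every outbound request through the connector.
  # The default, private-ranges-only, would also reach an internal
  # load balancer's RFC 1918 address, but would let any non-private
  # destination bypass the VPC.
  egress_setting: all-traffic

# Keep this service's own external endpoint HTTPS-only.
handlers:
- url: /.*
  script: auto
  secure: always
```

The connector itself is created once per region with `gcloud compute networks vpc-access connectors create` on a /28 range of your VPC; the second service's backend (NEG plus internal load balancer) is then addressed by the load balancer's private IP from this service.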