
I have a Google Cloud VM instance running a REST API server.

I want to remove all public access to the microservice VM, and I only want Firebase, which represents my frontend server, to have access to the microservice server on the VM.

My thought was to block all access to the VM and allocate an IP in an internal virtual private network, so that it is accessible by the Firebase server.

I started researching VPC (Virtual Private Connectors) here: https://firebase.google.com/docs/storage/gcp-integration

However, the documentation is not very good and it is about Google Cloud Storage.

Is it possible to achieve this functionality with Firebase and a Google Cloud VM instance?

Priyashree Bhadra
user1584421
  • Are you using Cloud Functions as your frontend server? Please elaborate more about your architecture – Jan Hernandez Jul 20 '21 at 15:14
  • Both Frontend (Firebase) and backend (Google Cloud VM) can read/write to Google Cloud – user1584421 Jul 21 '21 at 07:44
  • To summarise your question, you are developing a mobile app using Firebase as front end and you are using Compute Engine which runs REST API as backend so that your Firebase app can access the backend service you build. But you only want a dedicated connection between the two. Correct? – Priyashree Bhadra Jul 21 '21 at 11:40
  • Close enough, but Firebase is not a mobile application; it is rather the frontend server of my overall application. The Firebase server makes RESTful API calls to endpoints in the (backend) Flask server that does the work. You are correct, I want to make sure that the backend server can only get accessed by the Firebase application. – user1584421 Jul 21 '21 at 12:15

2 Answers

  • Step 1 : Create a custom mode private VPC network in Google Cloud by following the below steps in [1]
  • Step 2 : Select your existing Google Cloud VM instance and configure it to have a private IP by following the below steps in [2]
  • Step 3 : Create a Serverless VPC Access connector in Google Cloud Console by following the steps in [3]
  • Step 4 : Edit your Cloud functions to add the connector we created in step 3 following the steps in [4]
  • Step 5 : To add the connector to Firebase functions follow the stackoverflow answer(and its comments) in [5]

[1] https://cloud.google.com/vpc/docs/using-vpc#create-custom-network
[2] https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address#how_to_reserve_a_static_internal_ip_address
[3] https://cloud.google.com/functions/docs/networking/connecting-vpc#create-connector
[4] https://cloud.google.com/vpc/docs/configure-serverless-vpc-access#functions
[5] https://stackoverflow.com/a/55825894/15803365

Priyashree Bhadra
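The five steps above as one gcloud script, added here as an example and not part of the answer. It also adds the firewall rule the steps leave implicit: a Serverless VPC Access connector gives the function a route into the VPC, but by itself it does nothing to stop other sources from reaching the VM, so the VM's external IP has to go and the API port has to be opened only to the connector's address range. The project, region, zone, network, subnet, connector, VM, tag, port and function names and both CIDR ranges are placeholders (assumptions), and the VM is assumed to already sit in that network with the internal IP given; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the answer: the gcloud commands behind Steps 1-4 plus the
# firewall rule the steps leave implicit. Every name, region and CIDR below is an
# assumption; override them in the environment. Assumes the VM already lives in
# $NETWORK/$SUBNET (or is recreated there) and currently has internal IP $VM_INTERNAL_IP.
set -eu

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-api-vpc}"
SUBNET="${SUBNET:-api-subnet}"
SUBNET_RANGE="${SUBNET_RANGE:-10.10.0.0/24}"
CONNECTOR="${CONNECTOR:-fb-connector}"
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"  # unused /28; must not overlap SUBNET_RANGE
VM="${VM:-api-vm}"
VM_INTERNAL_IP="${VM_INTERNAL_IP:-10.10.0.5}"
VM_TAG="${VM_TAG:-api-server}"
API_PORT="${API_PORT:-5000}"
FUNCTION="${FUNCTION:-apiProxy}"

run() {  # execute the command, or only print it when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: custom-mode VPC. Unlike the "default" network it ships with no allow rules,
# so until an explicit ingress rule exists nothing can reach the VM at all.
create_network() {
  run gcloud compute networks create "$NETWORK" --project "$PROJECT" --subnet-mode custom
  run gcloud compute networks subnets create "$SUBNET" --project "$PROJECT" \
      --network "$NETWORK" --region "$REGION" --range "$SUBNET_RANGE"
}

# Step 2: promote the VM's ephemeral internal IP to a static one, remove its external
# IP (the access config), and tag it so the firewall rule below can target it.
lock_down_vm() {
  run gcloud compute addresses create "$VM-internal" --project "$PROJECT" \
      --region "$REGION" --subnet "$SUBNET" --addresses "$VM_INTERNAL_IP"
  run gcloud compute instances delete-access-config "$VM" --project "$PROJECT" \
      --zone "$ZONE" --access-config-name "external-nat"  # console-created VMs may use "External NAT"
  run gcloud compute instances add-tags "$VM" --project "$PROJECT" --zone "$ZONE" --tags "$VM_TAG"
}

# Step 3: the Serverless VPC Access connector. Its instances take addresses from
# CONNECTOR_RANGE, which is the only source the API port will be opened to.
create_connector() {
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" --project "$PROJECT" \
      --region "$REGION" --network "$NETWORK" --range "$CONNECTOR_RANGE"
}

# The rule the steps skip: admit the API port only from the connector's range, to VMs
# carrying VM_TAG. Everything else stays blocked by the VPC's implied deny-ingress.
allow_connector_only() {
  run gcloud compute firewall-rules create "allow-$API_PORT-from-$CONNECTOR" --project "$PROJECT" \
      --network "$NETWORK" --direction INGRESS --allow "tcp:$API_PORT" \
      --source-ranges "$CONNECTOR_RANGE" --target-tags "$VM_TAG"
}

# Step 4: attach the connector to the function. private-ranges-only sends just RFC 1918
# destinations (the VM) through the VPC and leaves the function's internet egress alone.
deploy_function() {
  run gcloud functions deploy "$FUNCTION" --project "$PROJECT" --region "$REGION" \
      --runtime nodejs16 --trigger-http --vpc-connector "$CONNECTOR" \
      --egress-settings private-ranges-only
}

provision_private_api() {
  create_network
  lock_down_vm
  create_connector
  allow_connector_only
  deploy_function
}

if [ "${1:-}" = "apply" ]; then provision_private_api; fi
```

`DRY_RUN=1 sh provision.sh apply` prints the commands; drop `DRY_RUN` to run them. For Step 5 the Firebase side is the same setting expressed in code: wrap the function in `functions.runWith({ vpcConnector: 'fb-connector', vpcConnectorEgressSettings: 'PRIVATE_RANGES_ONLY' })` from firebase-functions and have it call `http://10.10.0.5:5000`, the VM's internal IP, not a public hostname. Check the result afterwards: `gcloud compute instances describe api-vm --zone us-central1-a --format 'value(networkInterfaces[0].accessConfigs)'` should print nothing, and a curl to the API port from any machine outside the connector range should time out rather than connect.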

What you can do here is use a JSON Web Token (JWT), a signed JWT. The secret for signing will be there both on your server side and on Firebase Functions. As a best practice, store your secret in Google Cloud KMS; whenever you need the secret, access it from there.

Let me briefly explain the process and why I think it's the best choice for you.

For systems running outside of a Compute Engine called "Host1" (Firebase Server) and a Compute Engine instance called "VM1" (Backend Server), VM1 can connect to Host1 and validate the identity of that instance with the following process:

  • VM1 establishes a secure connection to Host1 over a secure connection protocol of your choice, such as HTTPS.
  • VM1 requests its unique identity token from the metadata server and specifies the audience of the token. In this example, the audience value is the URI for Host1. The request to the metadata server includes the audience URI so that Host1 can check the value later during the token verification step.
  • Google generates a new unique instance identity token in JWT format and provides it to VM1. The payload of the token includes several details about the instance and also includes the audience URI. Read Token Contents for a complete description of the token contents.
  • VM1 sends the identity token to Host1 over the existing secure connection. Host1 decodes the identity token to obtain the token header and payload values.
  • Host1 verifies that the token is signed by Google by checking the audience value and verifying the certificate signature against the public Google certificate.
  • If the token is valid, Host1 proceeds with the transmission and closes the connection when it is finished. Host1 and any other systems should request a new token for any subsequent connections to VM1.

You can refer to the Verifying the instance identity documentation for more details.

Priyashree Bhadra
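The verification half of that flow in code, as an added example that is not part of the answer: what Host1 has to check before it trusts a token VM1 presents. The RSA key, the JWKS and the token are all constructed inside the script so it runs offline; in production the key set comes from Google's published certificates, the token from VM1's metadata server, and you would use a maintained JWT library instead of the hand-rolled RSA here. The audience URL, project ID and instance ID are placeholders.

```python
"""Host1-side verification of a Google-signed instance identity token (an RS256 JWT).
Added example, not from the original answer; runs offline. A throwaway RSA key stands
in for Google's signing key, a hand-built JWKS for Google's published certificates, and
make_token() for the VM's metadata server. All three are assumptions for the demo."""
import base64
import hashlib
import json
import random
import time

GOOGLE_ISSUER = "https://accounts.google.com"  # iss on real Compute Engine identity tokens


# -- minimal RSA (PKCS#1 v1.5, SHA-256) so the demo needs no third-party library --
def _is_probable_prime(n, rounds=16):  # n is hundreds of bits, never a small prime itself
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_rsa_key(bits=1024):
    """Throwaway demo key (assumption: nothing like how Google manages its keys)."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa(msg, k):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(msg))
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rsa_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(msg, k)

def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(key, kid, claims):  # stand-in for the metadata server
    head = _b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    body = _b64u(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64u(rsa_sign(key, f'{head}.{body}'.encode()))}"

def verify_identity_token(token, jwks, audience, allowed_instance_ids, now=None):
    """Host1's checks in order: signature, issuer, audience, lifetime, and WHICH VM.
    Returns the claims, or raises ValueError on the first failing check."""
    now = time.time() if now is None else now
    head, body, sig = token.split(".")  # anything but three segments raises ValueError
    header = json.loads(_b64u_dec(head))
    if header.get("alg") != "RS256":  # the token must not get to pick 'none' or HS256
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:  # on a real host: refetch Google's certs (key rotation) before failing
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(_b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    if not rsa_verify(n, e, f"{head}.{body}".encode(), _b64u_dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_dec(body))
    if claims.get("iss") != GOOGLE_ISSUER or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")  # minted for someone else: useless here
    if not claims.get("iat", 0) - 60 <= now < claims.get("exp", 0):
        raise ValueError("expired or not yet valid")
    # Any VM in any project can mint a token naming this audience, so a valid Google
    # signature only proves "some Compute Engine VM": pin the instance (or project) too.
    instance = claims.get("google", {}).get("compute_engine", {}).get("instance_id")
    if instance not in allowed_instance_ids:
        raise ValueError("token is from an instance Host1 does not trust")
    return claims

def build_demo(instance_id="8765", audience="https://host1.example/api"):
    """Constructed fixture: signing key, the JWKS Host1 would fetch, one token from VM1."""
    key = make_rsa_key()
    n_bytes = key["n"].to_bytes((key["n"].bit_length() + 7) // 8, "big")
    jwks = {"keys": [{"kty": "RSA", "kid": "demo-kid", "n": _b64u(n_bytes), "e": _b64u(key["e"].to_bytes(3, "big"))}]}
    now = int(time.time())
    claims = {"iss": GOOGLE_ISSUER, "aud": audience, "sub": "1234567890", "iat": now, "exp": now + 3600,
              "google": {"compute_engine": {"project_id": "demo-project", "instance_id": instance_id}}}
    return key, jwks, make_token(key, "demo-kid", claims)

if __name__ == "__main__":
    _, jwks, token = build_demo()
    print(verify_identity_token(token, jwks, "https://host1.example/api", {"8765"})["sub"])
```

Two things the answer's step list does not spell out. First, because Google signs the token and Host1 verifies it against Google's public certificate, no shared signing secret has to live on either side for this flow. Second, the last check in `verify_identity_token` is the one that makes the scheme an access control at all: any Compute Engine VM in any project can ask its metadata server for a token whose audience is Host1's URL, so a valid signature plus a matching audience only proves "some GCE instance". Host1 must also compare `google.compute_engine.instance_id` (or `project_id`) against an allowlist, otherwise the JWT adds nothing over a firewall rule.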
  • So is it that complicated, huh? Can't I omit the JWT approach and attach a static IP and whitelist that? Similar to this approach https://stackoverflow.com/questions/65688064/unexpected-error-when-trying-to-set-up-a-vpc-for-my-firebase-cloud-functions-to – user1584421 Jul 21 '21 at 14:36
  • Yes this approach is using [VPC Serverless Connector](https://cloud.google.com/vpc/docs/configure-serverless-vpc-access) but you have to have a serverless environment like Cloud Functions, Cloud Run, App Engine standard environment on your Firebase server because this connection makes it possible for your serverless environment only to access Compute Engine VM instances. – Priyashree Bhadra Jul 21 '21 at 15:04
  • In that case I would suggest, Create a VM Instance with Google Compute. Reserve Static Address through Google Cloud and assign it to the Instance created. Assign domain of website hosted with Firebase to the Instance. Call Cloud Functions to hit Web Server with Static Address whitelisted. – Priyashree Bhadra Jul 21 '21 at 15:10
  • Thank you! I can confirm that the Firebase is serverless. In that case, should I use the information from your last comment? – user1584421 Jul 21 '21 at 15:12
  • Yes sure you can. If you think that my answer helped you, please consider accepting it (✔️). I'd really appreciate it. Thanks! – Priyashree Bhadra Jul 21 '21 at 15:23
  • I had to cancel the acceptance of your answer since I am encountering problems, and the answer is now different from the comment you posted. More specifically: "Create a VM Instance - Google Compute". DONE. "Reserve Static Address through Google Cloud and assign it to the Instance created". The VM instance will have a static IP? I thought the Firebase would have a static IP (from the Stack Overflow question I sent you). How do I do that? With VPC? "Assign domain of website hosted with Firebase to the Instance". How? – user1584421 Jul 23 '21 at 11:52
  • "Call Cloud Functions to hit Web Server with Static Address whitelisted". By Cloud Functions you mean the Firebase server? How exactly do I do that? Is it easy to make another answer covering those topics? Thank you very much! – user1584421 Jul 23 '21 at 11:52
  • The answer (in your comment) is very different to both the original answer, and the Stack Overflow link i sent earlier - with the individual who had a similar request with mine. He uses VPC Settings in the Firebase side. – user1584421 Jul 23 '21 at 12:01
  • I misunderstood your question. Please check the answer I posted now. – Priyashree Bhadra Jul 29 '21 at 11:54