I have a VM instance that runs our service in Go, and we want our users to go through an API Gateway before accessing the VM instance (for monitoring, authentication and other reasons...).
We have bought and registered private-acme.com DNS with Google, and the Go service is accessible at this URL: http://private-acme.com:1234/service
The API Gateway has an OpenAPI YAML that redirects to this service, and everything works correctly. The API URL is given by the console: https://acme-api-abcdefg123.ew.gateway.dev
So https://acme-api-abcdefg123.ew.gateway.dev/service redirects to http://private-acme.com:1234/service and everything works. But http://private-acme.com:1234/service remains accessible and doesn't require the API key we have set up on the Gateway.
So I wanted to set up a firewall rule on the VM instance. For the moment, I have a firewall rule named gw-apps with a gw tag, that allows the 0.0.0.0/0 range and port 1234.
Unfortunately it seems to me impossible to create a firewall rule that would allow the VM instance to be accessed only by the API Gateway IP. It's not possible to assign an IP nor an IP range to the API Gateway.
The gateway IP is currently 216.239.XXX.YYY, but if I put 216.0.0.0/8 in the firewall instead of 0.0.0.0/0, it fails. Anyway we are not sure the address will start with 216.
It's also not possible to tag the API Gateway with gw, I don't know why. It would have allowed creating a source filter for the firewall.
It is recommended to do what we want with a connector ($50/month...) but it's only applicable to Cloud Run, Cloud Functions or App Engine, not API Gateway.
Any idea on how to protect my VM instance?
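The Go service itself is the one piece the asker fully controls, so as a defense-in-depth companion to the VPC firewall rule described above, here is an application-level source-address allowlist for the `/service` endpoint. This is an added example, not code from the original post or from Google's API Gateway; the CIDRs in `allowlist` are placeholders, not the gateway's real egress ranges (which the post notes are not published), and the handler is hypothetical. The point it makes is security-relevant: the check uses the TCP peer address (`RemoteAddr`) and deliberately ignores `X-Forwarded-For`, because any direct caller can forge that header to claim it came through the gateway.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// Hypothetical allowlist, added for illustration. These CIDRs are placeholders
// chosen to match the shape of the address in the post; replace with whatever
// source ranges you can actually verify for your deployment.
var allowlist = mustParseCIDRs([]string{
	"216.239.0.0/16", // placeholder for the gateway's observed egress range
	"10.0.0.0/8",     // placeholder for internal callers
})

// mustParseCIDRs parses a list of CIDR strings, panicking at startup on a typo
// rather than silently running with an empty (fail-open) allowlist.
func mustParseCIDRs(cidrs []string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(fmt.Sprintf("bad CIDR %q: %v", c, err))
		}
		nets = append(nets, n)
	}
	return nets
}

// peerIP extracts the IP from an http.Request.RemoteAddr ("host:port").
// It ignores X-Forwarded-For on purpose: that header is client-controlled,
// so a direct caller to port 1234 could set it to the gateway's address.
func peerIP(remoteAddr string) net.IP {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // bare address with no port
	}
	return net.ParseIP(host)
}

// allowedSource reports whether remoteAddr lies inside one of the allowed networks.
// Unparsable input fails closed.
func allowedSource(remoteAddr string, nets []*net.IPNet) bool {
	ip := peerIP(remoteAddr)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// sourceFilter wraps a handler and rejects requests from outside the allowlist.
func sourceFilter(nets []*net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedSource(r.RemoteAddr, nets) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/service", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	// Port 1234 matches the post; the allowlist above is a placeholder.
	http.ListenAndServe(":1234", sourceFilter(allowlist, mux))
}
```

This does not replace the firewall rule: an allowlist keyed on a /16 or /8 guess has exactly the same weakness the post describes (the gateway's address is not guaranteed to stay in that range), and it only narrows who can reach the handler, not who can reach the port. It is useful as a second layer, and as a place to log rejected direct hits to port 1234 so you can see how often the gateway is being bypassed.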