4
votes

Google has recently added Firewall (beta) support for Google App Engine.

Is there a way to deny all external access but allow all internal GCP access, including GCP cloud functions running in the same project?

Whereas the Firewall allows you to allow or deny specific IP ranges, there doesn't seem to be a way to ascertain which IP ranges a function might be running from. And using the typical internal IP range and mask, e.g. 10.0.0.0/8, does not seem to allow access from GCP cloud functions.

1
I have the exact same question. Were you able to get this working by adding the IP blocks? Thanks! - pengz
No, I gave up, too complex. - songololo

1 Answer

5
votes
  1. The default rule is Allow from *. You can edit that rule and change it to Deny from * to close down all external access via the firewall.

  2. Next, you're going to have to look up all of GCP's IP address blocks and add those into your Allow rules. The instructions for looking them all up are here.

There is an open issue logged for access via internal APIs that you can subscribe to and follow.
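The two steps above turned into a script, as an added example that is not part of the original answer: it parses a constructed fragment in the format of Google's published cloud.json range list, collapses overlapping prefixes to save rule slots, and emits the `gcloud app firewall-rules` commands for the allow rules plus the `Deny from *` default. The cloud.json field names, the 1000-rule limit and the gcloud flag syntax are taken from the public documentation as I know it; verify them against the current docs before running.

```python
"""Build App Engine firewall rules from a cloud.json-style range list."""
import ipaddress
import json

# Constructed sample in the shape of https://www.gstatic.com/ipranges/cloud.json
# (fetch the real file for production; these prefixes are illustrative only).
SAMPLE_CLOUD_JSON = """{
  "syncToken": "0000000000000",
  "prefixes": [
    {"ipv4Prefix": "34.64.0.0/11",   "service": "Google Cloud", "scope": "asia-northeast3"},
    {"ipv4Prefix": "35.184.0.0/13",  "service": "Google Cloud", "scope": "us-central1"},
    {"ipv4Prefix": "35.185.0.0/16",  "service": "Google Cloud", "scope": "us-central1"},
    {"ipv6Prefix": "2600:1900::/28", "service": "Google Cloud", "scope": "europe-west1"}
  ]
}"""

MAX_RULES = 1000            # per-app limit, default rule included
DEFAULT_PRIORITY = 2147483647  # priority of the built-in "default" rule


def load_prefixes(text, scopes=None):
    """Return deduplicated, collapsed networks; optionally keep only some scopes."""
    v4, v6 = set(), set()
    for entry in json.loads(text)["prefixes"]:
        if scopes and entry.get("scope") not in scopes:
            continue
        net = ipaddress.ip_network(entry.get("ipv4Prefix") or entry.get("ipv6Prefix"))
        (v4 if net.version == 4 else v6).add(net)
    # collapse_addresses merges 35.185.0.0/16 into 35.184.0.0/13, saving a rule
    return sorted(ipaddress.collapse_addresses(v4)) + sorted(ipaddress.collapse_addresses(v6))


def build_rules(prefixes, start_priority=1000):
    """One ALLOW rule per prefix at ascending priority, then DENY everything else."""
    if len(prefixes) + 1 > MAX_RULES:
        raise ValueError(f"{len(prefixes)} allow rules exceed the {MAX_RULES}-rule limit")
    rules = [(start_priority + i, "allow", str(n)) for i, n in enumerate(prefixes)]
    rules.append((DEFAULT_PRIORITY, "deny", "*"))  # step 1 of the answer
    return rules


def gcloud_commands(rules):
    """Render the rules as gcloud commands (default rule is updated, not created)."""
    cmds = []
    for prio, action, rng in rules:
        if prio == DEFAULT_PRIORITY:
            cmds.append(f"gcloud app firewall-rules update default --action={action}")
        else:
            cmds.append(f"gcloud app firewall-rules create {prio} --action={action} "
                        f"--source-range={rng} --description='Google Cloud range'")
    return cmds


if __name__ == "__main__":
    print("\n".join(gcloud_commands(build_rules(load_prefixes(SAMPLE_CLOUD_JSON)))))
```

Note that these ranges are shared by every Google Cloud customer, so the allow list admits traffic from any GCP tenant, not just your own project; keep application-level authentication in front of anything sensitive.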