0 votes

I have a service hosted on App Engine flexible that's intended to be internal-facing. I'd like to communicate with it from a Compute Engine instance within my VPC. This instance has no external IP but is in a subnet with private Google access enabled, and I'm able to successfully hit the appspot.com domain from this instance, presumably via this private access.

Is there a way to use App Engine firewall rules to deny all traffic except that originating from my VPC, and this instance in particular? It's unclear to me what IP could be whitelisted in this case.


1 Answer

1 vote

There is a way. Find here how to create the firewall rules (in order to get an idea of what options are available) and then check the examples on the same page.

I suggest the first one, which is really similar to what you intend to do. You will have to deny all ingress TCP traffic first and then whitelist the subnet IP range. The example, which includes tags and TCP access through port 80, provides the following commands:

gcloud compute firewall-rules create deny-subnet1-webserver-access \
    --network my-network \
    --action deny \
    --direction ingress \
    --rules tcp \
    --source-ranges 0.0.0.0/0 \
    --priority 1000 \
    --target-tags webserver


gcloud compute firewall-rules create vm1-allow-ingress-tcp-port80-from-subnet1 \
    --network my-network \
    --action allow \
    --direction ingress \
    --rules tcp:80 \
    --source-ranges 10.240.10.0/24 \
    --priority 50 \
    --target-tags webserver

You can also find a conceptual description of Google Cloud firewall rules here.
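To make the deny-then-allow pattern from the answer above concrete, the following added example (not code from the original post or from Google) models how a VPC firewall decides the fate of an ingress packet against those two rules. The rule semantics it assumes are the documented VPC behaviour: the rule with the lowest priority number wins, a deny beats an allow at equal priority, and an implied deny-all ingress rule applies when nothing matches. The source addresses, ports and instance tags are constructed test inputs.

```python
import ipaddress

# Constructed rule set mirroring the two gcloud commands in the answer:
# a low-precedence deny for all TCP from anywhere, and a higher-precedence
# allow for TCP/80 from the subnet range. Both target tag "webserver".
RULES = [
    {
        "name": "deny-subnet1-webserver-access",
        "action": "deny",
        "protocol": "tcp",
        "ports": None,  # None means every port of the protocol
        "source_ranges": ["0.0.0.0/0"],
        "priority": 1000,
        "target_tags": {"webserver"},
    },
    {
        "name": "vm1-allow-ingress-tcp-port80-from-subnet1",
        "action": "allow",
        "protocol": "tcp",
        "ports": {80},
        "source_ranges": ["10.240.10.0/24"],
        "priority": 50,
        "target_tags": {"webserver"},
    },
]


def rule_matches(rule, src_ip, protocol, port, instance_tags):
    """True if an ingress packet falls within the rule's match conditions."""
    if not (rule["target_tags"] & instance_tags):
        return False
    if rule["protocol"] != protocol:
        return False
    if rule["ports"] is not None and port not in rule["ports"]:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r) for r in rule["source_ranges"])


def evaluate_ingress(rules, src_ip, protocol, port, instance_tags):
    """Return (action, rule_name) for the rule that decides the packet.

    Assumed VPC semantics: among matching rules the lowest priority number
    has the highest precedence; at equal priority a deny beats an allow;
    with no match the implied deny-all ingress rule applies.
    """
    matches = [
        r for r in rules if rule_matches(r, src_ip, protocol, port, instance_tags)
    ]
    if not matches:
        return ("deny", "implied-deny-ingress")
    winner = min(
        matches,
        key=lambda r: (r["priority"], 0 if r["action"] == "deny" else 1),
    )
    return (winner["action"], winner["name"])


def with_priority(rules, name, priority):
    """Copy of the rule set with one rule's priority changed (for what-if checks)."""
    return [
        dict(r, priority=priority) if r["name"] == name else dict(r) for r in rules
    ]


if __name__ == "__main__":
    tags = {"webserver"}
    cases = [
        ("10.240.10.5", "tcp", 80, tags),   # subnet host to port 80: allowed
        ("10.240.10.5", "tcp", 443, tags),  # same host, other port: denied
        ("203.0.113.4", "tcp", 80, tags),   # outside the subnet: denied
        ("10.240.10.5", "udp", 80, tags),   # not TCP: falls to implied deny
        ("10.240.10.5", "tcp", 80, {"db"}), # untagged instance: implied deny
    ]
    for src, proto, port, t in cases:
        print(src, proto, port, sorted(t), "->", evaluate_ingress(RULES, src, proto, port, t))
    # Misordered priorities silently break the intent: if the allow rule were
    # given a higher number than the deny, the deny would win for everyone.
    broken = with_priority(RULES, "vm1-allow-ingress-tcp-port80-from-subnet1", 2000)
    print("allow at priority 2000 ->", evaluate_ingress(broken, "10.240.10.5", "tcp", 80, tags))
```

The `with_priority` check is the one worth running before applying such rules for real: the pair only does what the answer intends because the allow rule's priority number (50) is lower than the deny's (1000). Note also that nothing in this pair restricts traffic that is not TCP; non-TCP traffic is only blocked because of the implied deny-all ingress rule, so any pre-existing broader allow rules in the network would still apply.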