2
votes

We are trying to deploy a micro-service based application using google app engine (mainly flexible instances), having a gateway on the default service and a few Microservices providing the business logic. You might think of it as :

  • foo.appspot.com
  • service1.foo.appspot.com
  • service2.foo.appspot.com

as it is done here

I would like the services to be accessible only from the gateway (and maybe few other machines), and not from the outside, but I couldn't get it to work.

I've been able to set all the services on a given VPC network, adding a rule to "Deny All traffic" incoming in this network, except for the gateway that is tagged and allows everything. (as described in this response here)

This works for runtime, however, when doing so we cannot deploy using gcloud app deploy. (It hangs at the "Updating service" step). I've tried to allow the 22 port, but it seems this is not the one in use. I've also tried to block only the 80 and 443 ports, but now the App Engine services service1 and service2 are accessible from the outside again.

How should I configure the firewall to be able to deploy on the App Engine, and restrict access to the services to the gateway only? Is this even possible using the VPC firewall, or should I either use a KCE instance or avoid using GCP infrastructure and sign/verify requests myself?

2
Are you trying to run gcloud app deploy from the Google Cloud Shell? – Nahuel Varela
I'm running it from my terminal, it works well when I remove the VPC rule, and it doesn't when I put it back. – gvo
You can deploy to your gateway instance, but you get an error when trying to deploy to your other services? – Nahuel Varela
Right, since my GW is accessible it works normally for deployment as well, but the other applications cannot be deployed, unless I remove the "denyall" rule on the VPC. – gvo

2 Answers

2
votes

After some further investigation, what you want is not possible in GAE right now.

Here there are some possible workarounds that you may want to try:

  • Use a Bastion VM. With this option, you would have the code for what was your default service in the Bastion VM, and then have your GAE flex with the other 2 services deployed and set there the GAE firewall rule to only allow communication with the Bastion VM.

  • As you said in your question, you could use Kubernetes. Here is a tutorial on how to deploy a containerized web application.

  • Lastly, you could perform your own validation of inbound requests, using standard HTTP headers such as X-Forwarded-For to determine the IP address of the client.

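The third workaround above (validating inbound requests from X-Forwarded-For) is easy to get wrong, because the header is appended to by each proxy and the left-hand entries are written by the client itself. The example below is added here and is not code from either answer or from App Engine: it takes the entry written by the nearest trusted proxy, assuming a known number of trusted hops in front of the service (`trusted_hops`, which depends on your deployment and must be set to the number of proxies you control), parses it with `ipaddress`, and checks it against a constructed gateway allowlist. The IP ranges and sample headers are made up. Note that an IP allowlist is only meaningful if the gateway has a stable, known egress address; otherwise request signing, as the question suggests, is the more robust option.

```python
"""Validate the caller of a backend service from X-Forwarded-For.

Added example, not part of the original answers. Assumes `trusted_hops`
proxies that you control sit between the client and this service and that
each of them appends the address it received the request from.
"""
import ipaddress
from typing import Iterable, List, Mapping, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def client_ip_from_xff(header: Optional[str], trusted_hops: int) -> Optional[IPAddress]:
    """Return the address written by the nearest trusted proxy, or None.

    X-Forwarded-For looks like "client, proxy1, proxy2, ...": each proxy
    appends its peer's address. With N trusted proxies in the chain, the
    rightmost N-1 entries are proxy addresses and the N-th entry from the
    right is the peer of the first trusted proxy. Anything further left was
    supplied by the client and must be ignored. A header that is shorter
    than expected did not pass through our proxies, so it is rejected.
    """
    if header is None or trusted_hops < 1:
        return None
    parts = [p.strip() for p in header.split(",") if p.strip()]
    if len(parts) < trusted_hops:
        return None
    candidate = parts[-trusted_hops]
    # Some proxies write "[v6]:port" or "v4:port"; strip the port first.
    if candidate.startswith("["):
        candidate = candidate[1:].split("]", 1)[0]
    elif candidate.count(":") == 1:
        candidate = candidate.split(":", 1)[0]
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def load_allowlist(cidrs: Iterable[str]) -> List[IPNetwork]:
    """Parse CIDR strings once, at startup, rather than per request."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(ip: IPAddress, allowlist: Iterable[IPNetwork]) -> bool:
    # `in` on a network object handles both address families correctly.
    return any(ip in net for net in allowlist)


def authorize(headers: Mapping[str, str], trusted_hops: int,
              allowlist: Iterable[IPNetwork]) -> bool:
    """True only if the trusted entry of X-Forwarded-For is in the allowlist."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ip = client_ip_from_xff(lowered.get("x-forwarded-for"), trusted_hops)
    return ip is not None and is_allowed(ip, allowlist)


# Constructed sample data: the gateway's (assumed) egress addresses.
GATEWAY_ALLOWLIST = load_allowlist(["203.0.113.10/32", "2001:db8:10::/64"])
TRUSTED_HOPS = 1  # assumption: one proxy we control in front of the service

if __name__ == "__main__":
    # Constructed sample headers: a genuine gateway call, and a request from
    # 198.51.100.7 that prepended the gateway address to spoof the check.
    samples = [
        {"X-Forwarded-For": "203.0.113.10"},
        {"X-Forwarded-For": "203.0.113.10, 198.51.100.7"},
        {"X-Forwarded-For": "[2001:db8:10::5]:443"},
        {},
    ]
    for h in samples:
        print(h.get("X-Forwarded-For"), "->", authorize(h, TRUSTED_HOPS, GATEWAY_ALLOWLIST))
```

The spoofed header in the sample is rejected with one trusted hop because the trusted entry is the attacker's own address; it would be accepted only if `trusted_hops` were wrongly set to 2. Getting that count right for your proxy chain is the whole check, so verify it against real requests before relying on it.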
1
votes

One way to do this is by using the firewall controls for App Engine Flexible, which can be used to set rules in the front-end.

If you deny all access to your application (for instance, just changing the default firewall rule to deny, as shown in the picture), nothing will access your services, and you will still be able to deploy your application in GAE. Then, you will just have to allow the specific IP ranges to access your application with other firewall rules in GAE.

[image: App Engine firewall rules page, with the default rule set to deny]

In this case, you do not even need to have a VPC and create firewall rules there.