Google Cloud Endpoints security

2
votes

I'm new to Google Cloud and trying to understand the relationship between a Google Cloud endpoint and a back-end app on App Engine.

It looks like when I deploy my application (gcloud app deploy) I get a URL that looks something like https://[email protected]/path/operation/etc. Is this URL going through the cloud endpoint, or right to the container?

When I call the service in this way I don't see any traffic to the cloud endpoint. In fact when I try to access the service using what I think is the cloud endpoint it just gives me a 404 (https://[email protected]/path/operation/etc). Why can't I access with the endpoint? Permissions?

My initial thought was that the endpoint was something separate that routes traffic to the back-end. However, when I do something like change the security configuration in openapi.yaml and just redeploy the endpoint definition (gcloud endpoints services deploy openapi.yaml), this does not seem to actually have any effect.

For example, the initial deployment had Firebase security. I removed it and redeployed the endpoint definition but security remains on when calling the service. Seems I have to redeploy the back-end to disable security.

Any insight would be appreciated.

3
node.jsgoogle-app-enginegoogle-cloud-platform

3 Answers

0
votes

Is this URL going through the cloud endpoint, or right to the container?

App engines are container based deployments on Google's infrastructure. The url are created when you deploy it and please note its not API.

When I call the service in this way I don't see any traffic to the cloud endpoint

I dont think a Cloud Endpoint is created by default

One way to check if a Cloud Endpoint is created is to check if its API is enabled in your project or a service account is created in IAM page

To configure a Cloud Endpoint for App engine, following this procedure

0
votes

Cloud Endpoint is a security layer in front of your API. It acts as a proxy and performs security checks (based on API Key, OAuth, SAML,...) and routing to the correct Endpoint. The endpoint definition is based on OpenAPI 2 (not 3, be careful!). There is new advance feature like rate limit and soon billing.

Initially integrated to AppEngine, this product has been open sourced and can be deployed on Cloud Run, Cloud Function and on GKE/Kubernetes. A similar paid and more powerful product is Apigee.

I wrote an article for using Endpoint deployed on Cloud Run, with API Key security and which route requests to Cloud Run, Cloud Function and App Engine.

Cloud Endpoint also offers a developer portal to allow your customer, prodiver and developer to view your API specification and to test it dynamically on line.

I hope these elements provide you a better overview of Cloud Endpoint to abstract your underlying API deployment.

0
votes

I believe we need to address a few points before providing the correct way forward:

For your first question:

Is this URL going through the cloud endpoint, or right to the container?

Deploying an application to App Engine will generate an @appspot URL for the app. This URL is used to access the application directly, and it will remain available to the internet unless you enable Cloud IAP, or set any other restrictions to the service.

For your second question:

Why can't I access with the endpoint?

If you are referring to the https://[email protected]/path/operation/etc, there can be a lot of reasons for it to not work, it will depend on which step of the setup process you are.

Normally for setting up Cloud Endpoints with OpenAPI, with an App Engine backend, you need to limit access to the @appspot URL, but also deploy an Extensible Service Proxy (ESP) to Cloud Run to access it later.

Conclusion:

Now, for actually achieving this setup, I suggest you follow the Getting Started with Endpoints for App Engine standard environment.

As per the guide, the following is the full task list required to set Endpoints for an App Engine Standard backend, using Cloud Endpoints:

1 - Configure IAP to secure your app.

2 - Deploy the ESP container to Cloud Run.

3 - Create an OpenAPI document that describes your API, and configure the routes to your App Engine.

4 - Deploy the OpenAPI document to create a managed service.

5 - Configure ESP so it can find the configuration for your service.

Keep in mind that once you set up the ESP configuration, any calls will need to go through the [YOUR-GATEWAY-NAME].a.run.app.

If you happen to be stuck in any particular step, please provide what you have done so far.

I hope this helps.