I have an SFTP server running on Google's Compute Engine. The firewall is set up to allow traffic from the Identity-Aware Proxy.

I can connect to the service using gcloud ssh locally but I can't connect from App Engine or Cloud Run. The service accounts for Cloud Run and App Engine already have IAP tunnel and HTTPS permissions.

The backend is written in Node using ssh2-sftp-client.

How can I secure the Compute Engine and allow tcp traffic from Cloud Run and App Engine on port 22 to still go through?

1 Answer

There are two possible workarounds:

  • If you use App Engine Standard you can try Serverless VPC Access:

    Serverless VPC Access enables you to connect from your App Engine app directly to Compute Engine VM instances, Memorystore instances, Cloud SQL instances, and any other resources with an internal IP address.

    Unfortunately, Serverless VPC Access isn't available for Cloud Run (more in documentation Services not yet supported) at the moment, but there's a Feature Request at the Google Public Issue Tracker you can join, comment on and track progress. Also, such a service isn't available for App Engine Flex either.

  • If you use App Engine Flex or Cloud Run, follow the steps below:

    1. reserve an external static IP
    2. create f1-micro VM instance with reserved external IP address (this likely fits in the Compute Engine free tier)
    3. create a firewall rule to allow connection to SFTP server from reserved external IP
    4. create a SOCKS proxy by running an ssh client that routes the traffic through the created VM like in this example
    5. configure ssh2-sftp-client to use SOCKS Proxy
    6. connect to SFTP
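The SOCKS hop in steps 4 and 5, as an added JavaScript example that is not part of the answer above. It assumes the `socks` and `ssh2-sftp-client` npm packages, that the ssh client from step 4 is listening as a SOCKS5 proxy on local port 1080, and that ssh2-sftp-client passes its connect options (including `sock`) through to ssh2; the hosts, ports and host-key hash in the sample config are placeholders.

```javascript
'use strict';
// Added example (not from the original answer): route an ssh2-sftp-client
// session through the SOCKS5 proxy opened on the relay VM (steps 4-5 above).
// Assumed npm packages: `socks` and `ssh2-sftp-client`. Hosts, ports and the
// host-key hash in the sample config are placeholders, not values from the post.

// Turn one plain config into the option objects for the two hops. Pure, so it
// can be checked without any network access.
function buildConnectionPlan(cfg) {
  for (const key of ['proxyHost', 'sftpHost', 'username', 'expectedHostKeyHash']) {
    if (!cfg[key]) throw new Error(`missing required option: ${key}`);
  }
  return {
    // First hop: TCP to the SFTP host, opened by the SOCKS5 proxy (`ssh -D`).
    socks: {
      proxy: { host: cfg.proxyHost, port: cfg.proxyPort || 1080, type: 5 },
      command: 'connect',
      destination: { host: cfg.sftpHost, port: cfg.sftpPort || 22 },
    },
    // Second hop: the SSH/SFTP session itself, passed through to ssh2.
    sftp: {
      username: cfg.username,
      privateKey: cfg.privateKey, // PEM contents, not a file path
      hostHash: 'sha256',
      // Pin the server key so a wrong host behind the proxy is rejected.
      hostVerifier: (hash) => hash === cfg.expectedHostKeyHash,
    },
  };
}

// Open the proxied TCP socket, then start SFTP on top of it via the `sock` option.
async function connectThroughSocks(cfg) {
  const { SocksClient } = require('socks'); // required lazily: only needed at connect time
  const SftpClient = require('ssh2-sftp-client');
  const plan = buildConnectionPlan(cfg);
  const { socket } = await SocksClient.createConnection(plan.socks);
  const sftp = new SftpClient();
  await sftp.connect({ ...plan.sftp, sock: socket });
  return sftp; // caller then uses sftp.list(...) / sftp.get(...) and sftp.end()
}

// Constructed sample config (placeholder values only).
const sampleConfig = {
  proxyHost: '127.0.0.1',        // local end of `ssh -D 1080 <relay-vm>` from step 4
  sftpHost: 'sftp.example.com',  // placeholder for the SFTP server address
  username: 'sftpuser',
  privateKey: 'PLACEHOLDER: PEM private key contents loaded from a secret store',
  expectedHostKeyHash: 'PLACEHOLDER: hex sha256 of the SFTP server host key',
};

module.exports = { buildConnectionPlan, connectThroughSocks, sampleConfig };
```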