1
votes

I have deployed a Google App Engine App.

The App is triggered once a day by an App Engine cron job.

The App Engine Firewall Rules are set to 'Deny' to keep it private. The Firewall doesn't block the App Engine cron job.

Now I want to replace the App Engine cron job with Google Cloud Scheduler (Cloud Scheduler is easier to use since it has a pause function).

But the App Engine Firewall blocks Cloud Scheduler. So in order to make it work, I need to set the Firewall to 'Allow', which makes the app publicly accessible.

Is there a way to set up a private communication between them to make my app only accessible by Cloud Scheduler?

2
Just create a rule to allow your VPC's IP range (e.g. 10.128.0.0/9) or subnet's IP range (e.g. 10.128.0.0/20). It allows your internal access only. Does that work? – SeungwooLee
I was thinking about IPs. So I need to set up a VPC? – Vincent
Unless you touched anything about VPC, you're already using the default VPC network. You can check it in the VPC networks panel. If you've created App Engine and Scheduler in the same project/region, they exist in the same VPC IP range. – SeungwooLee

2 Answers

1
votes

You can't know; it's a serverless product, and you can't attach it to your VPC or to a public IP (yet; I hope this will change soon!). You can allow a Google public IP range. But in this case, anyone on Google Cloud will be able to reach your App Engine service.

That's why one of Google's mottos is "Don't trust the network", and I recommend you use a feature such as IAP instead of IP filtering with firewall rules.

0
votes

I accidentally found the solution.

Cloud Scheduler - Create a Job - for Target, choose App Engine HTTP.

Same as the cron job, the App Engine firewall doesn't block this.
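
A handler-side check that complements the firewall setting discussed in this thread, as an added example that is not part of any answer above: the app rejects any request that does not carry the markers of a scheduled job. The header names and values (`X-Appengine-Cron`, `X-CloudScheduler`, `X-AppEngine-QueueName: __scheduler`) are assumptions based on Google's documentation rather than anything stated on this page, as is the premise that App Engine strips these headers from external requests; the function names are hypothetical.

```python
# Added example: WSGI handler that only serves scheduled-job requests.
# ASSUMPTION: header names/values below come from Google's docs, not this page,
# and App Engine's front end removes them from requests sent by outside clients.
TRUSTED_MARKERS = (
    # Classic App Engine cron job
    {"x-appengine-cron": "true"},
    # Cloud Scheduler job whose target is "App Engine HTTP"
    {"x-cloudscheduler": "true", "x-appengine-queuename": "__scheduler"},
)


def is_scheduled_request(headers):
    """True if the headers match every key/value of at least one trusted marker set."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return any(all(h.get(k) == v for k, v in m.items()) for m in TRUSTED_MARKERS)


def environ_headers(environ):
    """Recover HTTP headers from a WSGI environ (HTTP_X_FOO -> x-foo)."""
    return {
        k[5:].replace("_", "-").lower(): v
        for k, v in environ.items()
        if k.startswith("HTTP_")
    }


def app(environ, start_response):
    """Run the daily job only for scheduler traffic; everything else gets 403."""
    if not is_scheduled_request(environ_headers(environ)):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"job ran\n"]


def status_for(environ):
    """Helper: call the app with a constructed environ and return the status line."""
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(status_for({"HTTP_X_APPENGINE_CRON": "true"}))
    print(status_for({"HTTP_X_CLOUDSCHEDULER": "true"}))
    print(status_for({"HTTP_USER_AGENT": "curl/8.0"}))
```
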