App Engine: Firewall rules for authenticated GCP workspace users

0
votes

I'm building an extremely lightweight app with streamlit and deploying via GCP App Engine. The app currently is just the official streamlit tutorial "hello world" application. However, my team plans to connect a db and expose some statistical models to function as an internal dashboard.

Currently, the app can be accessed by anyone on the internet. When I navigate to App Engine's "firewall rules" I can specify ranges of IP addresses to allow/deny. I'm not sure that this is the best way to go. My team is growing steadily and so I'd like the app to be accessible by anyone who is an authenticated user of our GCP workspace.

Is there a relatively straightforward means to do this?

2
authenticationgoogle-app-enginegoogle-cloud-platform

2 Answers

1
votes

The best way to allow only authenticated users in GCP to access App Engine is to use Identity-Aware Proxy (IAP) for App Engine, it lets you manage access to applications running in App Engine standard environment and App Engine flexible environment. Here's the complete tutorial using IAP in App Engine

1
votes

Instead of using an IP based approach and Firewall rules you can try to use the Identity Aware Proxy and control the access to your App based on Google Accounts, Google Groups, Service Accounts or G Suite Domain Accounts. There is a complete guide specifically written in Python that you could use to base your application.