app engine firewall - allow services to access each other?


John Pettitt

Sep 26, 2017, 8:06:51 PM
to Google App Engine

I've been playing with the new firewall beta.  The use case is disallow all traffic except our CDN, essentially origin shielding.  Works great except some of our services access each other and I'd like to be able to put allow rules in for that, but I can't be sure of what outbound IP they use.  Is there a way of specifying allow for a service?

John

Kenworth (Google Cloud Platform)

Sep 26, 2017, 9:43:55 PM
to Google App Engine
If the services are coming from the same project, it should be allowed by default and there's no need to put allow rules. Otherwise, let me know which services are involved on your application.

John Pettitt

Sep 27, 2017, 12:34:59 AM
to google-a...@googlegroups.com
They all use the same primary service address and then dispatch.yaml to route them.  Could the dispatch.yaml be causing the 403's we're seeing?  For the same reason I'm trying to use the firewall to protect the origin server, I don't want to publish the service names here.

John


Kenworth (Google Cloud Platform)

Sep 27, 2017, 8:49:59 PM
to Google App Engine
Hi John,

Correction: GAE Firewall set to disallow traffic will NOT allow traffic from services in the same project. For such a setup, 403s are currently expected. Our engineering team is aware of this current gap in the product which is in the beta state. Unfortunately, there is no ETA on when/if it will be implemented.

A workaround would possibly be to proxy through GCE (a known good host).
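The rule evaluation behind the 403s in this thread, as an added example that is not part of the original posts and not App Engine's own code: a small offline simulation of how the App Engine firewall picks a rule (rules are tried in ascending priority number, the first match wins, and the implicit default rule at priority 2147483647 catches everything else), applied to the ruleset John describes: allow the CDN, and, per the suggested workaround, a GCE proxy with a known address, deny the rest. A request from another service in the same project arrives from an address that is in no allow rule, so it lands on the default deny, which is the 403. The CDN ranges and the proxy address are placeholders from the RFC 5737 documentation ranges, and the rendered `gcloud` command flags are assumed to match the gcloud release in use.

```python
"""Simulate App Engine firewall rule evaluation for an origin-shield setup.

Added example, not code from the thread or from the product. It mirrors the
documented matching order of the App Engine firewall (rules tried by ascending
priority number, first match wins, implicit default rule at priority
2147483647). The CDN ranges and the proxy address used below are placeholders
from the RFC 5737 documentation ranges, not real infrastructure.
"""
import ipaddress
from typing import Iterable, List, NamedTuple

DEFAULT_RULE_PRIORITY = 2147483647  # priority of the implicit default rule


class Rule(NamedTuple):
    priority: int
    action: str          # "allow" or "deny"
    source_range: str    # CIDR, single address, or "*" for everything
    description: str = ""


def _matches(rule: Rule, addr) -> bool:
    """True if addr falls inside the rule's source range."""
    if rule.source_range == "*":
        return True
    net = ipaddress.ip_network(rule.source_range, strict=False)
    return addr.version == net.version and addr in net


def match_rule(rules: Iterable[Rule], ip: str) -> Rule:
    """Return the first rule, in ascending priority order, that matches ip."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, addr):
            return rule
    raise ValueError("ruleset has no catch-all default rule")


def is_allowed(rules: Iterable[Rule], ip: str) -> bool:
    """Decision the firewall would make for a request from ip."""
    return match_rule(rules, ip).action == "allow"


def origin_shield_rules(cdn_ranges: Iterable[str],
                        proxy_ips: Iterable[str] = ()) -> List[Rule]:
    """Build the thread's ruleset: allow the CDN edges and any known-good
    proxy addresses (the GCE workaround), deny everything else by default."""
    rules: List[Rule] = []
    prio = 100
    for cidr in cdn_ranges:
        rules.append(Rule(prio, "allow", cidr, "CDN edge"))
        prio += 10
    for ip in proxy_ips:
        rules.append(Rule(prio, "allow", ip, "GCE proxy for service-to-service calls"))
        prio += 10
    rules.append(Rule(DEFAULT_RULE_PRIORITY, "deny", "*", "default rule"))
    return rules


def to_gcloud(rules: Iterable[Rule]) -> List[str]:
    """Render the ruleset as gcloud commands. Flag names are assumed to match
    the gcloud release in use; check `gcloud app firewall-rules create --help`."""
    cmds = []
    for r in sorted(rules, key=lambda r: r.priority):
        if r.priority == DEFAULT_RULE_PRIORITY:
            cmds.append(f"gcloud app firewall-rules update default --action={r.action}")
        else:
            cmds.append(
                f"gcloud app firewall-rules create {r.priority} --action={r.action} "
                f"--source-range={r.source_range} --description='{r.description}'"
            )
    return cmds


if __name__ == "__main__":
    # Constructed placeholders: 203.0.113.0/24 stands in for the CDN's edge
    # range, 192.0.2.10 for the proxy's static address, and 198.51.100.200 for
    # the unpredictable address a same-project service call arrives from.
    rules = origin_shield_rules(["203.0.113.0/24"], ["192.0.2.10"])
    for cmd in to_gcloud(rules):
        print(cmd)
    for ip in ["203.0.113.7", "192.0.2.10", "198.51.100.200"]:
        r = match_rule(rules, ip)
        print(f"{ip}: {r.action} (rule {r.priority}, {r.description})")
```

The simulation makes the gap visible: there is no rule object that names a service, only source ranges, so the only address you can put in an allow rule is one you control, which is why the workaround is a proxy with a fixed address.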


John Pettitt

Sep 27, 2017, 10:03:11 PM
to google-a...@googlegroups.com
Thanks for the update. This issue makes the firewall unusable for our application.  We'll look at proxying, but doing so brings its own issues around redundancy.




Henk Mollema

Feb 27, 2018, 4:46:13 PM
to Google App Engine
Hi Kenworth,

I was wondering if there is any update regarding this issue? The fact that services within the same project don't have access to each other makes the firewall feature rather inconvenient.
Thanks in advance!

Regards,
Henk

On Thursday, 28 September 2017 02:49:59 UTC+2, Kenworth (Google Cloud Platform) wrote: