microservices with the edge server pattern on App Engine

[Tamas Kiss]

Hi!

 

With my team we are in a research phase where we are looking for the right cloud solution for our project.

About the project:

- pretty big

- we are already decided that we are going with a microservice architecture

- web application

What we are looking for:

- we would prefer a Severless solution to be able to concentrate on the application logic and on delivering early, but if it is not suited for us then eventually we will consider other options too

- we would like to apply the edge server pattern. To have a dedicated microservice to handle and forward the incoming request to the other (backend) microservices.

Where are we so far:

We are pretty new to GCP and so to the app engine world but we are already experimenting with it for a week now, and we are satisfied with most of the things, like for example the built-in Load Balancing and scaling mechanism. But what we couldn't accomplish so far is hiding our "backend" microservices from the world, they remain always accessible using the provided subdomains (service-id.project-id.appspot.com).  As mentioned we would like if these backend microservices were not accessible to the public internet but only to our dedicated edge server microservice. 

We've already tried some options as the Cloud Endpoints which are very elegant but they are solving the problem only partially because the backend microservices are still remaining public only with an extra auth layer on them. 

So my question is, is it possible to hide the backend microservices from the public web with the app engine solution?

Thank you, Tamas

[George (Cloud Platform Support)]

Hello Tamas, 

You may develop a front-end app that implements the micro-services architecture and implement back-end functionality through endpoints. To avoid exposing your endpoints directly, you may use your own domain, as documented on the "Serving Multiple APIs from a Domain" page. It might prove quite helpful to follow a relevant, comprehensive tutorial, such as "Getting Started with Endpoints Frameworks on App Engine". This way, you can get more insight than by simply reading documentation, and grasp easier some architectural details of consequence in the initial stage of your project. 

[Tamas Kiss]

Hello George,

Thank you for your answer. 

I still don't understand something. If I had my app engine application running with a custom domain, wouldn't be my services still accessible via the out-of-the-box provided service-name.project-id.appspot.com like addresses?

[George (Cloud Platform Support)]

Excellent question! Indeed, the service-name.project-id.appspot.com like addresses should continue being accessible. You asked whether it's possible to hide the back-end microservices from the public. A custom domain would do just that, as the public is not normally aware of your project ID and similar details. In any case, the "extra layer" for the back-end services is normally considered safe enough. You should not have to worry and hide addresses. It may be worthwhile mentioning that hidden addresses can be guessed or inferred somehow. Hiding is not considered safe enough. 

[Nickolas Daskalou]

Tamas,

You can implement application-level logic to only allow requests to your service-name.project-id.appspot.com microservices from your own App Engine projects by inspecting the X-Appengine-Inbound-Appid header.

More information can be found here for Python and here for Java.

Let me know how you go.

Nick

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/8e0975d5-ef4b-4e81-b5ef-8999d9ff21e3%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Tamas Kiss]

Thank you for the help guys!

@Nick: I'm not using the URLFetch API so the X-Appengine-Inbound-Appid header is not available. But it is good to know about this option too. Thanks.