Hi folks, we've deployed multiple GAE Flex services in the same project that talk to each other using the URLs suggested in the documentation (https://cloud.google.com/appengine/docs/flexible/java/communicating-between-services). This works fine until we update the GAE firewall and change "The default action" from Allow to Deny. We then end up with 403 Forbidden for calls between the services. However, calls from outside GAE to the services succeed (using the same URLs).
Just to make sure, we've also configured the same rules in the regular VPC firewall for the default network, which would make sense since GAE Flex utilizes GCE instances. But no success here either.
The documentation also lists certain request headers that can be added, but the only one that would have been helpful is only available in GAE Standard (X-Appengine-Inbound-Appid). So no point in setting them, AFAICT.
We don't use the default service.
We don't use a dispatch.yml.
We use only the default GAE service accounts to run services, no further credentials are provided.
We don't use GAE standard.
We're using a custom runtime with OpenJDK11 as base image.
How is the firewall supposed to be configured for inter-service communication with DENY as the default action? Are we missing something?
Thanks in advance!
David