Google App Engine apps blocked by an organization, any suggestions?

[PK]

This is related to another thread I initiated today. I am pretty convinced now that the following is happening:

1. My customer tries to access my GAE standard app from inside an organization’s network. The organization has some rules in some networking device, that state: If too much traffic goes to an IP address block this IP address for 1 hour.
2. Since we share IP addresses on GAE Standard, if a lot of traffic goes to any of us, by any user in that org, the device is blocking everybody else sharing this IP address
3. Or course my customer just sees that my app does not work and complains to me :-(

This is a pretty big org with layers of admins etc., trying to prove to them that what they are doing is wrong and too draconian, let alone change it in a reasonable amount of time, is probably futile.

I am about to loose a major deal, that I worked really hard to get to this point, any ideas how to go around this problem?? I looked at Cloudflare but they will probably have the same problem since they do not seem to give their customers their own IP either.

Any other suggestions?

Thanks,
PK
www.gae123.com

[Mike Schlanser]

Why not just whitelist the ip range for app engine from inside the orgs network and have it ignore the rule for too much traffic?

Thanks,
Mike

Mike Schlanser | Senior Engineer | Promevo
1720 Wildcat Blvd. Suite 200 | Burlington, KY | 41005
Promevo.com | mike.sc...@promevo.com
Phone: 513.731.3303 x709  | Mobile: 859.609.2995 | Fax: 859-963-3515

--
You received this message because you are subscribed to the Google Groups "Google Cloud Insiders" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-insiders+unsub...@googlegroups.com.
To post to this group, send email to google-cloud-insiders@googlegroups.com.
Visit this group at https://groups.google.com/group/google-cloud-insiders.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-insiders/D180790F-A887-46C7-AD99-F2450B8D4A21%40gae123.com.
For more options, visit https://groups.google.com/d/optout.

[PK]

Kalev:

I understand and I even happen to know what you are talking about, but the reason I went with GAE is so that I do not have to do all that and then keep it up to date... 

Mike:

like I said there is a big IT organization, slowly moving, I am working with my customer to explore this option as well but in the best case it will take a few months to change their policies … assuming he manages to understand what they are doing and convince them…

I have thousands of users and never had a problem. I had heard about this issue but this is the first time one of my users hits it..

Thanks

On Sep 8, 2017, at 5:26 PM, kalev leetaru <kalev.l...@gmail.com> wrote:

App Engine is not my specialty area (I use GCE), but one thought, depending on your application and load, would be to set up a GCE-based proxy (GCE supports dedicated IP's) in front of your GAE app, potentially with GCE HTTPS Load Balancer sitting in front of a cluster of GCE proxies if you need that kind of scalability. 

K 

On Fri, Sep 8, 2017 at 8:13 PM, PK <p...@gae123.com> wrote:

[Attila-Mihaly Balazs]

GAE used to have a feature called VIP (virtual IP) which was mainly meant for setting up SSL if you wanted to support clients which didn't support SNI, but I guess that was deprecated :(

Attila

[Attila-Mihaly Balazs]

Perhaps set up a minimal proxy server on a VPS (or even a GCE instance with a static IP) and use that to forward requests to GAE? Such a server would require minimal setup and upkeep.

Not the ideal solution, but a potential work-around.

Attila

[PK]

Thanks to everybody who got back to me in public or in private.

I have now filed this, please star it, you might need it one day: https://issuetracker.google.com/issues/65579021

I could not find a similar request. I am not even sure when GAE quietly dropped the feature, I do remember as well that at some point in the past when SNI was not widely deployed,  they were offering dedicated IP addresses on GAE Standard. 

PK

[Lorne Kligerman]

Hi PK,

We did deprecate the ability to use a VIP on your custom domain with an SSL certificate a while back.

However we are working towards a solution to this problem.  Nothing more to say at the moment, but I'll send updates on the public issue you logged.

Cheers,

Lorne.

Product Manager - App Engine

To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-insiders+unsubscri...@googlegroups.com.

To post to this group, send email to google-cloud-insiders@googlegroups.com.
Visit this group at https://groups.google.com/group/google-cloud-insiders.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-insiders/D180790F-A887-46C7-AD99-F2450B8D4A21%40gae123.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Google Cloud Insiders" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-insiders+unsub...@googlegroups.com.
To post to this group, send email to google-cloud-insiders@googlegroups.com.
Visit this group at https://groups.google.com/group/google-cloud-insiders.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-insiders/FE48F7D3-4448-4FCD-B16F-7CC0C8195146%40gae123.com.

[troberti]

You might want to try some of the alternative cnames for ghs.googlehosted.com, such as ghs46.googlehosted.com which resolves to a different IP for me at least. See https://support.google.com/a/answer/112038?hl=en at the bottom. Obviously no guarantees that works everywhere or stays working.

And yes, we are also very interested in a separate/static IP for our App Engine apps. Currently we use the GCP Load Balancer + nginx reverse proxies workaround, and I really would like to get rid of that.