How to build a private service on flex env ?

[yishung chiou]

Here's the scenario , I want to build an app with 3-tiers , frontend/beckend/database .

(1) Only frontend allows external HTTP request from internet . 

(2) frontend/backend are developed based on docker so I have to deploy them to flex environment.

Here's the experiments I've done

(1) deploy frontend as "defau't" service , and tag instances "frontend"

(2) deploy backend as "backend" service , and tag instances "backend"

Finally I get two services deployed and two PUBLIC endpoints ,

https://[myproject-id].appspot.com

https://backend-dot-[myproject-id].appspot.com

Now frontend can issue request to backend via "http://backend-dot-[myproject-id].appspot.com"

But that's not what I desired , I want a backend service that can only be accessed by fronend , 

and all network traffics between frontend/backend should only happen within VPC.

I've looked up some documents , like firewall rule and dispatch.yaml but seems no help.

It will be very appreciated if someone can provide the tips.

many thanks.

[Kenworth (Google Cloud Platform)]

You can add an authentication layer to your application so that only a properly authorized client can access your API. One of the most popular option is the use of OAuth 2.0. Here is Getting Started with Authentication article or this OAuth 2.0 Web Server Applications article.

[Vincent Lerouvillois]

I'm sorry but that answer is not acceptable. OP clearly said he doesn't want its backend service to be accessed via Internet.

I have the same requirement as the OP, and I have been researching for some time now. I fear that this requirement is not supported out of the box by App Engine. Can you please confirm or not?

I guess I will stick with Kubernetes to achieve my goals?

Thanks