How to restrict the connection between different GAE?


Caxton Chan

Oct 4, 2018, 10:17:00 AM
to Google App Engine

For some reason I have to create two projects A and B:
  • A is a proxy server bound with Endpoint and restricts access via API key, and
  • B is the main API server which does the real work.
  • The client apps connect to A with a specific API key.

Is there any way to restrict B so that it can only be accessed from A? (A firewall rule does not work in this case because GAE doesn't have a static IP range.)

Katayoon (Cloud Platform Support)

Oct 4, 2018, 2:13:42 PM
to Google App Engine

You may use a Service Account, which is a special type of Google account that belongs to your application. It is worthwhile to take a look at service account best practices, and this guide also shows how to set up authentication for server-to-server production applications.


Attila-Mihaly Balazs

Oct 5, 2018, 12:13:18 AM
to Google App Engine
Depending on how "A calls B" there are different options. But assuming that you're using HTTPS / the urlfetch service, you'll get an "X-Appengine-Inbound-Appid" header which you can trust (see https://cloud.google.com/appengine/docs/standard/java/issue-requests).

Attila

Caxton Chan

Oct 5, 2018, 2:10:40 AM
to Google App Engine
Hey Katayoon,

Thanks. This is a good point and it seems worth trying. I found this page, which demonstrates how to authenticate from a service account. Is this the same thing you talked about?

Caxton Chan

Oct 5, 2018, 2:13:45 AM
to Google App Engine
Hi Attila,

Thanks, this way looks straightforward. Sorry that I forgot to mention that A is in the GAE flex env and B is in the GAE std env. Does this also apply to the flex one?

Best regards,
Caxton

Narendra Singamaneni

Oct 5, 2018, 10:29:49 AM
to google-a...@googlegroups.com
Hi Team,

  I configured App Engine in the Standard environment and I am facing the issue below. I tried to resolve this issue, but no one is giving the exact solution for it.
Could you please try to help us with this issue ASAP?

Thanks,
Narendra.

Appengine standard issuenew.JPG

Katayoon (Cloud Platform Support)

Oct 5, 2018, 2:43:18 PM
to Google App Engine

Hi again,


You can either use the "GOOGLE_APPLICATION_CREDENTIALS" environment variable for authenticating server to server or use Cloud Identity-Aware Proxy. The difference is that Identity-Aware Proxy (IAP) can only be applied to App Engine and the Cloud HTTPS Load Balancer, but the mentioned environment variable has a project-wide scope and can be used for all the resources/APIs you have in your project.


I should also add that “X-Appengine-Inbound-Appid” header is added to the request by the URLFetch service which is only available in App Engine Standard environment.
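
Added example, not part of the thread: a minimal WSGI gate for B that admits a request only when the "X-Appengine-Inbound-Appid" header discussed above names an allowed app, and fails closed when the header is missing (as it would be for a flex caller that does not go through URLFetch). The app ID `project-a` and the names `InboundAppIdGate`, `main_api` and `call` are constructed for illustration; it assumes B runs on App Engine standard, where the header can be trusted as stated earlier in the thread.

```python
# Added example for service B. All names and IDs below are constructed.
ALLOWED_APP_IDS = frozenset({"project-a"})      # hypothetical app ID of proxy A
HEADER_KEY = "HTTP_X_APPENGINE_INBOUND_APPID"   # WSGI form of the header


def caller_is_allowed(environ, allowed=ALLOWED_APP_IDS):
    """True only if the platform-set header names an allowed calling app."""
    inbound = environ.get(HEADER_KEY, "")
    # A missing or empty header means the call did not arrive through
    # URLFetch from an App Engine standard app, so fail closed.
    return bool(inbound) and inbound in allowed


class InboundAppIdGate:
    """WSGI middleware: answer 403 unless the caller is allowlisted."""

    def __init__(self, app, allowed=ALLOWED_APP_IDS):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        if caller_is_allowed(environ, self.allowed):
            return self.app(environ, start_response)
        body = b"forbidden\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def main_api(environ, start_response):
    """Stand-in for B's real handler."""
    body = b"real work done\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


application = InboundAppIdGate(main_api)


def call(app, headers):
    """Drive the app with constructed request headers; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    environ.update(headers)
    seen = {}
    body = b"".join(app(environ, lambda status, hdrs: seen.update(status=status)))
    return seen["status"], body
```
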



Katayoon (Cloud Platform Support)

Oct 5, 2018, 2:44:56 PM
to Google App Engine

Hi Narendra,


I should note that Google Groups are reserved for general questions on the Google Cloud Platform end and not for reporting issues. If you think the issue is on the GCP side and not from your code/configuration, I recommend reporting it to the Issue Tracker so that we are able to dig into it efficiently.
