What is the difference between App Engine Firewall and a VPC Firewall?


Parth Mishra

Jun 25, 2018, 5:25:06 PM
to Google App Engine
If you launch a GAE Flex application into a VPC subnet that has its own Firewall rules, how do they interact with any existing App Engine Firewall rules? What is the point of being able to specify a VPC for an App Engine instance?

Navi Aujla (Google Cloud Support)

Jun 28, 2018, 4:54:34 PM
to Google App Engine
Hello Parth, 

The GAE flex environment is built on Google Compute Engine and supports the VPC networking environment. GCE Firewall rules can be used to determine the target or source component to allow or restrict traffic based on instance network tags. For more information, you can refer to this documentation. Application access control can be managed through the flex instance network tags in conjunction with the GCE firewall rules.

On the other hand, GAE firewall rules apply to all resources of the App Engine application, including the application serving on GAE flex instances. Here is more detailed information on allowing requests from your services using GAE firewall rules. In brief, both the GCE firewall rules based on network tags for the GAE flex instances and the GAE firewall rules would need to pass for traffic flow to serve the application hosted on the GAE platform.

In addition, defining the VPC network for a GAE flex instance provides flexibility to communicate with the GCE instances within the same VPC network using the internal network, and enables VPN scenarios and also port forwarding. It also provides more granularity for access control using network instance tags in conjunction with the firewall rules applicable to the defined target tags. For more information, check this documentation.

I hope it helps. 
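The layering described in the answer above, as an added example that is not part of the original thread: a simplified Python model in which a request is served only if both the App Engine firewall and the tag-scoped VPC (GCE) firewall allow it. The rule sets, the `flex-web` tag and the function names are constructed for illustration; the model goes beyond the thread by applying each layer's documented precedence (App Engine: first match by priority with a default rule; VPC: lowest priority number wins, deny beats allow on a tie, implied deny for ingress) and ignores protocols and ports.

```python
import ipaddress

# Constructed sample rules (not from the thread): (priority, action, source range).
# App Engine firewall: evaluated in priority order, first match wins; the default
# rule at priority 2147483647 matches every source.
GAE_RULES = [
    (100, "deny", "203.0.113.0/24"),
    (2147483647, "allow", "*"),
]

# Constructed VPC ingress rules: (priority, action, source range, target tags).
# A rule with target tags applies only to instances carrying one of those tags.
VPC_RULES = [
    (1000, "allow", "198.51.100.0/24", {"flex-web"}),
    (900, "deny", "198.51.100.128/25", {"flex-web"}),
]

def _in_range(source_ip, source_range):
    if source_range == "*":
        return True
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(source_range)

def gae_firewall(source_ip, rules=GAE_RULES):
    """Return the action of the first matching App Engine firewall rule."""
    for _prio, action, rng in sorted(rules, key=lambda r: r[0]):
        if _in_range(source_ip, rng):
            return action
    raise ValueError("rule set lacks the default rule")

def vpc_firewall(source_ip, instance_tags, rules=VPC_RULES):
    """Return the VPC ingress decision for an instance with the given network tags."""
    applicable = [r for r in rules if not r[3] or r[3] & instance_tags]
    # Lowest priority number first; at equal priority a deny rule beats an allow rule.
    for _prio, action, rng, _tags in sorted(applicable, key=lambda r: (r[0], r[1] != "deny")):
        if _in_range(source_ip, rng):
            return action
    return "deny"  # implied deny: ingress matching no rule is dropped

def request_allowed(source_ip, instance_tags):
    """Both layers must pass, as the answer above states."""
    return (gae_firewall(source_ip) == "allow"
            and vpc_firewall(source_ip, instance_tags) == "allow")
```

The model makes the asymmetry between the layers visible: with no custom rules, the App Engine firewall allows every source, while the VPC firewall denies ingress to an instance unless an allow rule applies to it or one of its tags.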