Securing Serverless VPC Access (App Engine, to a compute Instance)


Niall Byrne

Dec 5, 2019, 6:45:52 PM
to Google App Engine
Hi,

Does anyone know why public IPs are being used by App Engine when communicating with a private address inside a Compute instance over a Serverless VPC link?

App Engine Instance -> VPC Connector -> VPC -> Compute Instance Running A Service

I am not able to properly firewall the Compute instance to lock it down, because it appears App Engine is using a public address to communicate with the instance (35.199.224.65 in this case).

I understand I could whitelist all the App Engine IPs, but this doesn't seem like a proper solution.
I have been playing around with firewall rules, but perhaps someone here has already run into this issue?


Cheers,
Niall

Niall Byrne

Dec 9, 2019, 9:21:21 AM
to Google App Engine
Putting the instance behind a NAT and removing its public IP solved the problem, and provided a more secure solution.
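A way to check the end state described in the last post, as an added example that is not part of the original thread: it flags an instance that still has an external IP and any ingress allow rule that admits sources outside RFC 1918 space. It assumes input shaped like the JSON from `gcloud compute instances describe --format=json` and `gcloud compute firewall-rules list --format=json`; the instance name, tags, rule names, and the `10.8.0.0/28` connector range are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(cidr):
    """True when the CIDR lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)

def audit(instance, firewall_rules):
    """Return findings that keep the instance reachable from public addresses."""
    findings = []
    for nic in instance.get("networkInterfaces", []):
        for ac in nic.get("accessConfigs", []):
            if ac.get("natIP"):
                findings.append(f"{instance['name']}: external IP {ac['natIP']}")
    tags = set(instance.get("tags", {}).get("items", []))
    for rule in firewall_rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if "allowed" not in rule:  # deny rules do not open anything
            continue
        # Simplification: match by network tag only (no service-account targets).
        targets = set(rule.get("targetTags", []))
        if targets and not targets & tags:
            continue
        for cidr in rule.get("sourceRanges", []):
            if not is_internal(cidr):
                findings.append(f"{rule['name']}: ingress from non-RFC1918 range {cidr}")
    return findings

# Constructed sample data (hypothetical names, tags and ranges).
BEFORE_INSTANCE = {"name": "svc-1", "tags": {"items": ["svc"]},
    "networkInterfaces": [{"networkIP": "10.128.0.5",
                           "accessConfigs": [{"natIP": "203.0.113.10"}]}]}
BEFORE_RULES = [{"name": "allow-appengine", "direction": "INGRESS",
                 "sourceRanges": ["35.199.224.65/32"], "targetTags": ["svc"],
                 "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]}]
AFTER_INSTANCE = {"name": "svc-1", "tags": {"items": ["svc"]},
    "networkInterfaces": [{"networkIP": "10.128.0.5"}]}
AFTER_RULES = [{"name": "allow-connector", "direction": "INGRESS",
                "sourceRanges": ["10.8.0.0/28"], "targetTags": ["svc"],
                "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]}]

if __name__ == "__main__":
    for finding in audit(BEFORE_INSTANCE, BEFORE_RULES):
        print("BEFORE:", finding)
    print("AFTER:", audit(AFTER_INSTANCE, AFTER_RULES) or "no findings")
```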