GAE firewall + VPC firewall configuration


Mike Liu

Feb 27, 2019, 2:34:10 PM
to Google App Engine
Hello,

Can someone chime in on the proper way to utilize network.instance_tag in app.yaml to make a specific App Engine flex service private only to the VPC network and Google services like cron, task queues, deployment, etc.?

Outline below:

1. Leave everything to allow in the App Engine firewall (default rule). Note we have multiple GAE flex services, only one of which we want to make private.
2. Tag network.name in the service's app.yaml to the VPC network
3. In the VPC network firewall rules, allow ingress from Google service IPs where destination = instance_tag

In the VPC network firewall config, which IP ranges should be configured to allow ingress to the protected instance_tag?


I want to allow app deployment, Cloud Tasks/task queue, and cron job ingress:
10.1.0.41 app deployment service (says standard env only, what about flex?)
0.1.0.40, 10.0.0.1 URL Fetch service

Cron and task queues seem to be using an internal Google protocol to mimic HTTP? So we don't need specific firewall rules to allow ingress?
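
The three steps outlined above, as an added example from the editor (not configuration posted in this thread): an app.yaml network block that pins one flex service to a VPC network and tags its VMs, plus the gcloud commands for VPC firewall rules scoped to that tag. The project id, network name, subnet range, tag name and port are placeholders chosen for the example, and the script only prints the gcloud commands unless APPLY=1 is set. The only source range allowed here is the VPC subnet itself; the ranges that Google's own services (deployment, App Engine frontends) send from are not given on this page, so a tag-scoped deny rule like the one below can cut off that traffic as well. Check what the flex VMs actually accept traffic on before applying.

```shell
#!/bin/sh
# Added example: tag one App Engine flex service's VMs via app.yaml
# network.instance_tag and scope VPC firewall rules to that tag.
# Every value below is an assumption chosen for illustration.
GAE_PROJECT="${GAE_PROJECT:-example-project}"          # assumed GCP project id
GAE_NETWORK="${GAE_NETWORK:-prod-vpc}"                 # assumed VPC name (app.yaml network.name)
GAE_SUBNET_RANGE="${GAE_SUBNET_RANGE:-10.128.0.0/20}"  # assumed subnet CIDR allowed to reach the service
GAE_TAG="${GAE_TAG:-private-api}"                      # assumed app.yaml network.instance_tag value
GAE_PORT="${GAE_PORT:-8443}"                           # assumed port the flex VMs accept traffic on; verify first

# Step 2: app.yaml for the one service that should be private. The network
# block is the part that matters; runtime/service lines are placeholders.
render_app_yaml() {
  cat <<EOF
runtime: custom
env: flex
service: private-api

network:
  name: ${GAE_NETWORK}
  instance_tag: ${GAE_TAG}
EOF
}

# Step 3: allow ingress to the tagged VMs only from the VPC subnet range.
# Lower priority number wins, so this beats the deny rule below.
allow_rule_cmd() {
  printf 'gcloud compute firewall-rules create allow-%s-from-vpc --project=%s --network=%s --direction=INGRESS --priority=1000 --action=ALLOW --rules=tcp:%s --source-ranges=%s --target-tags=%s\n' \
    "$GAE_TAG" "$GAE_PROJECT" "$GAE_NETWORK" "$GAE_PORT" "$GAE_SUBNET_RANGE" "$GAE_TAG"
}

# Tag-scoped deny at lower priority, so a broad allow rule elsewhere on the
# network (e.g. default-allow-internal) cannot reopen this service. It also
# blocks any Google-owned source range not contained in GAE_SUBNET_RANGE.
deny_rule_cmd() {
  printf 'gcloud compute firewall-rules create deny-%s-other --project=%s --network=%s --direction=INGRESS --priority=2000 --action=DENY --rules=all --source-ranges=0.0.0.0/0 --target-tags=%s\n' \
    "$GAE_TAG" "$GAE_PROJECT" "$GAE_NETWORK" "$GAE_TAG"
}

# Print the gcloud commands by default; execute them only when APPLY=1.
run_or_print() {
  if [ "${APPLY:-0}" = "1" ]; then
    eval "$(allow_rule_cmd)"
    eval "$(deny_rule_cmd)"
  else
    allow_rule_cmd
    deny_rule_cmd
  fi
}

echo "# app.yaml for the private service:"
render_app_yaml
echo "# VPC firewall rules (set APPLY=1 to execute):"
run_or_print
```

Deploy the service with the rendered app.yaml first so the VMs carry the tag, then create the allow rule before the deny rule; creating the deny first leaves a window where nothing reaches the tagged instances.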

yka...@google.com

Apr 3, 2019, 4:37:01 PM
to Google App Engine
Currently, allowing specific GAE services is not supported. I was able to find an open Feature Request for this. I recommend starring the issue link to receive email updates.

Allowing app deployment requests is not currently available for flex. Please see these workarounds posted on Stack Overflow by a member of Google Cloud Support for alternative solutions.

Regarding cron and task queues, as you mentioned, these don't need specific rules as they are allowed even when the default rule is set to deny.