How do GAE services in separate projects communicate through their respective firewalls?


Zorg

May 29, 2020, 7:47:14 AM
to Google App Engine

We have two App Engine apps (flex and standard) running on separate projects, and we want project A to make HTTPS requests to project B's xxx.appspot.com URL.

Our firewall on both projects denies all IPs (*) and whitelists the App Engine internal addresses (10.1.0.41, 0.1.0.40, 10.0.0.1 and 0.1.0.30) as explained in the doc.

Yet we receive a "403 forbidden access" error (which disappears when we disable the firewall).


Is there anything else I can do?

Thank you in advance.

Olu

May 29, 2020, 9:54:36 AM
to Google App Engine
As you may already know, GCP projects represent a trust boundary within an organization. Hence, inter-project communication between App Engine services would require public IP communication or using Shared VPC [1]. There should be no internal communication between App Engine services across different projects. Hence, whitelisting App Engine internal IP addresses might not be useful in this situation.

About using public App Engine IP addresses: as illustrated in this document [1], App Engine hosts services on a dynamic public IP address of a Google load balancer. Due to that, the IP address can change at any time, and no static IP can be provided. For outbound services, a large pool of IP addresses is used, which you can obtain as outlined in this document [2].
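As an added illustration (not code from this thread or from Google), the following models the poster's rule set and the App Engine firewall evaluation order (ascending priority, first match wins, the default rule last) to show why a request arriving from another project's public egress address hits the deny-all default while a same-project internal address is allowed. The rule values are copied as written in the question; the sample source addresses are constructed.

```python
import ipaddress

# Constructed rule set mirroring the question: the App Engine internal
# addresses the poster listed are allowed, and the default rule is set to
# deny "*". Values are copied as written in the question.
DEFAULT_RULE_PRIORITY = 2147483647  # priority of the App Engine default rule

RULES = [
    {"priority": 1000, "action": "ALLOW", "source_range": "10.1.0.41"},
    {"priority": 1001, "action": "ALLOW", "source_range": "0.1.0.40"},
    {"priority": 1002, "action": "ALLOW", "source_range": "10.0.0.1"},
    {"priority": 1003, "action": "ALLOW", "source_range": "0.1.0.30"},
    {"priority": DEFAULT_RULE_PRIORITY, "action": "DENY", "source_range": "*"},
]


def rule_matches(source_range, ip):
    """A source range is '*' (everything) or a single IP / CIDR block."""
    if source_range == "*":
        return True
    return ip in ipaddress.ip_network(source_range, strict=False)


def evaluate(rules, client_ip):
    """Return (action, priority) of the first matching rule.

    Mirrors App Engine firewall semantics: rules are checked in ascending
    priority order and the first match wins; the default rule matches '*'.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule["source_range"], ip):
            return rule["action"], rule["priority"]
    raise ValueError("rule set has no catch-all default rule")


if __name__ == "__main__":
    # Constructed sample sources: an internal App Engine address (same-project
    # traffic such as cron) and a public egress address, since a request from
    # another project arrives via its public IP, never via 10.x.
    for src in ("10.1.0.41", "203.0.113.10"):
        action, prio = evaluate(RULES, src)
        print(f"{src:>14} -> {action} (rule priority {prio})")
```

The second address is denied by the default rule, which is exactly the 403 the poster sees; allowing it would mean opening the firewall to the whole dynamic egress pool, so an identity-based control rather than an IP-based one is the better fit.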


Zorg

May 29, 2020, 10:07:56 AM
to Google App Engine
For precision, all our services run Node.js.

Zorg

May 31, 2020, 1:39:33 PM
to Google App Engine
Thank you for your reply Olu.

My goal is to build an app that requires some services to be exposed to any public IP and multiple other back-end services closed to any external access. All those services are accessed through a home-made API gateway.

I started looking at Identity-Aware Proxy, but should I?

Which strategies would you recommend instead?

Katayoon (Cloud Platform Support)

Jun 2, 2020, 2:00:20 PM
to Google App Engine

Note that IAP provides a proxy through which the service can be accessed by authenticated users who have the correct Cloud Identity and Access Management (Cloud IAM) role, not per IP. As Olu previously noted, App Engine does not currently provide a way to map static IP addresses to an application. However, you may take a look at Serverless VPC Access, which makes it possible for your serverless environment to access other resources with an internal IP address.

Otherwise, you may consider using Compute Engine instances so that you can reserve a static external IP address and enforce your firewall rules as per your use case, or create a Compute Engine instance and a proxy as discussed on this Stack Overflow thread.


