Protecting backend Services with a Firewall


Joshua Fox

Oct 11, 2018, 8:02:55 AM
to google-a...@googlegroups.com, to...@freightos.com
We have a frontend service (Default Service [Module]) and several backend Services that should only be accessed by that frontend service, and not from outside the GCP, e.g. from a browser.

What is the recommended firewall approach to that?

One of these?
  • GCP Firewall rules that only allow access to the backend Service from the given frontend Service?
    • Not sure that per-Service control is supported by this Firewall.
  • GCP Firewall rules that allow outside access to the entire Project only through Port 80/443; the backend Services use a different port so that they are inaccessible from the outside?
    • This approach is commonly used with GKE.
  • Something with VPCs?



sami...@google.com

Oct 12, 2018, 5:26:18 PM
to Google App Engine

Hello Joshua,


App Engine uses ephemeral IPs, so a purely “firewall based solution” might not be the most efficient solution in your case. But there are other ways that a solution could be developed.


As far as your requirement is concerned, the closest method to what you have described can be found in this article. Your back-end services will automatically deny all except URL Fetch from your own front-end service.


Depending on your setup, you can simply implement authentication for your backend services by requiring login in the URL handler. You can use the “admin” login restriction so that only the people in the project have access to your backend.


You can understand more about how services work on App Engine by crafting your own solution if desired.

Joshua Fox

Oct 15, 2018, 8:14:25 AM
to google-a...@googlegroups.com
Thank you.

Another approach uses GAE HTTP headers -- "Requests coming from other App Engine applications will include a header identifying the app making the request: X-Appengine-Inbound-Appid".

So, we could check in a servlet filter receiving HTTP requests that the invoker is another Service in the same app (project).
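
A concrete form of that servlet-filter check, added here as an example and not code from the thread. The asker's stack is Java (a servlet filter); this is the same check written as a WSGI middleware, which is how App Engine standard Python apps are plugged into the runtime. The app ids, paths and request headers below are constructed for the demo. Two properties the check relies on: App Engine sets X-Appengine-Inbound-Appid itself for requests that arrive from another App Engine app through URL Fetch (the URL Fetch docs note the header is only added when redirects are disabled), and it does not pass through a client-supplied copy of that header, so the value that reaches the app is platform-asserted; and the middleware compares the value against an allow-list of app ids rather than testing for presence, because any App Engine app can reach the backend through URL Fetch and a presence check would admit all of them.

```python
"""WSGI middleware restricting backend routes to callers from an allowed
App Engine app, keyed on the platform-set X-Appengine-Inbound-Appid header.

Added example (not from the thread).  App ids, paths and headers are
constructed; a real WSGI environ comes from the App Engine runtime.
"""

HEADER = "X-Appengine-Inbound-Appid"
# WSGI spells HTTP request headers as HTTP_<NAME_WITH_UNDERSCORES>.
WSGI_KEY = "HTTP_" + HEADER.upper().replace("-", "_")


def caller_app_id(environ):
    """App id App Engine says made the request, or None when the request
    did not come from another App Engine app via URL Fetch (e.g. a browser)."""
    value = environ.get(WSGI_KEY, "").strip()
    return value or None


class InboundAppIdFilter(object):
    """Reject requests under `protected_prefix` unless the inbound app id
    is on the allow-list.

    Only the id is trusted, never the mere presence of the header: every
    App Engine customer can call this service through URL Fetch, and all
    of them would carry *some* inbound app id.
    """

    def __init__(self, app, allowed_app_ids, protected_prefix="/internal/"):
        self.app = app
        self.allowed = frozenset(allowed_app_ids)
        self.prefix = protected_prefix

    def is_allowed(self, environ):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(self.prefix):
            return True  # public route; nothing to enforce here
        return caller_app_id(environ) in self.allowed

    def __call__(self, environ, start_response):
        if self.is_allowed(environ):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden"]


def backend_app(environ, start_response):
    """Stand-in for the real backend service."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secret backend data"]


def make_environ(path, inbound_appid=None):
    """Constructed WSGI environ for one request; `inbound_appid` mimics what
    the App Engine front end would set, since a client cannot set it."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if inbound_appid is not None:
        environ[WSGI_KEY] = inbound_appid
    return environ


def run(app, environ):
    """Drive a WSGI app for one request and return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


# "my-frontend-app" stands for the project's own app id (assumed value).
protected = InboundAppIdFilter(backend_app, allowed_app_ids={"my-frontend-app"})

if __name__ == "__main__":
    # Frontend of the same app calling via URL Fetch: platform sets the header.
    print(run(protected, make_environ("/internal/report", "my-frontend-app")))
    # Browser on the internet: header absent (a client-sent copy is dropped).
    print(run(protected, make_environ("/internal/report")))
    # Some other App Engine app: header present but not on the allow-list.
    print(run(protected, make_environ("/internal/report", "someone-elses-app")))
    # Public route is untouched by the filter.
    print(run(protected, make_environ("/healthz")))
```

In a Java service the same logic lives in a `javax.servlet.Filter` reading `request.getHeader("X-Appengine-Inbound-Appid")`; the comparison target should be the app's own id, read from the runtime rather than hard-coded, and the allow-list is the place to add a second app if the frontend ever moves to its own project.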



Katayoon (Cloud Platform Support)

Oct 15, 2018, 2:56:21 PM
to google-a...@googlegroups.com

You may take a look at this thread which seems to be related to your topic.

