4

We have a problem setting correct firewall rules for our different app-engine services on GCP, as it does't seem to be possible.

Our problem is very simple: we have a default app-engine service that should be publicly accessible and acts as a gateway, and all the other services are only internal and are hosted on the same GCP Project.

We tried to set custom networks tags and rules on the VPC firewall sections, but all of those are overruled by the app-engine firewall. Sadly the latest doesn't allow a per service configuration.

Would you know a simple way to do this? Our only solution by now is to put the gateway on a compute engine or in another GCP project..

Caner
  • 57,267
  • 35
  • 174
  • 180
Antoine Dussarps
  • 469
  • 1
  • 5
  • 17

2 Answers2

0

Given that you are using App Engine Flexible, you can set the network where your service will run by changing the Network Settings in the app.yaml configuration file. In your case, since you have one group of instances that you don't want to be reached, and one instance that will act as a gateway, you can do the following:

  1. Create two different networks, and a subnetwork for each one in the region you deem convenient. As well, make sure to enable Private Google access, so you will be always able to connect to GCP APIs without the need of creating new firewall rules. You can set the subnet IP address range to anything as long as it is not already used in your project, I used 10.0.0.0/9 for example. Make sure that the subnetwork zone is the same for both networks.

  2. In the network that you don't want traffic from outside GCP, create a firewall rule to deny all ingress traffic to the network.

  3. Configure the app.yaml file in your services, by adding:

    network:
  instance_tag: TAG_NAME
  name: NETWORK_NAME
  subnetwork_name: SUBNETWORK_NAME

    Your gateway instance should have the NETWORK_NAME and SUBNETWORK_NAME of the network with allowed ingress traffic, while the rest of services the network where you created the previous firewall rule. The TAG_NAME can be any tag you want to give to this machine, I recommend you to use an unique tag for each one of the two groups of services.

  4. Redeploy your services.

Now you should be able to send traffic only the service acting as a gateway, while the gateway is able to connect to the rest of services, because you enabled Private Google access in the first point.

Joan Grau Noël
  • 3,084
  • 12
  • 21
  • Instead of creating two network, what about creating only one network and making a rule using the instance_tag? – gvo Jan 29 '19 at 13:13
  • Why do we need to "make sure that the subnetwork zone is the same for both networks?" – ahong May 01 '20 at 11:32
0

I spent a really long time messing with firewall settings and network configurations to achieve this. Specifically: have one service act as a gateway and have other services be reachable only from there.

Eventually I was browsing the app engine services page and found a setting right there to change the ingress for my service... it's literally just one option and I'm probably an idiot for missing it.

Here are the docs that explain it: https://cloud.google.com/appengine/docs/standard/nodejs/application-security#ingress_controls

So in short, just set your internal service to internal only and you're done (unless I'm missing something).

Jas Laferriere
  • 804
  • 10
  • 12