
Is there a way to deploy "internal-facing" applications in Google App Engine? AWS offers this capability as explained here, and so does Azure as explained here.

What is the GCP equivalent for this? It appears App Engine Flexible Environment could be the answer, but I could not find clear documentation on whether Flexible Environment is indeed the way to host intranet-facing applications. Is there someone from GCP who can advise?

Update

I tested the solution recommended by Dan recently. Listed below are my observations:

  • App Engine Flex allows deploying to a VPC, and this enables VPN scenarios. The VPN scenarios, however, are for connections (originating) from App Engine to GCP VPCs or to other networks outside GCP, which can be on-prem or in another cloud.
  • Access (destined) to the app itself from a GCP or another network is always routed via the internet-facing public IPs. There is no option to access the app at a private IP at the moment.

If there's another update, I will update it here.

Update 28Oct2021

Google has now launched Serverless Network Endpoint Groups (NEGs). With these, users can connect App Engine, Cloud Run and Cloud Functions endpoints to a load balancer. However, at the moment you can only use serverless NEGs with an external HTTP(S) load balancer. You cannot use serverless NEGs with regional external HTTP(S) load balancers or with any other load balancer types. Google documentation for serverless NEGs is available here.

Cyac
  • The AWS link in your question isn't working, that might help for clarification. Based on the Azure link it sounds like you want to deploy an app engine application which would then be accessible exclusively from a private network? – Cameron Roberts Feb 15 '18 at 18:19
  • My apologies for not getting back on this earlier. Updated the link. Also found a stackoverflow post [here](https://stackoverflow.com/questions/20973496/amazon-elastic-beanstalk-internal-and-internet-access) about AWS option to do this. – Cyac Feb 12 '19 at 04:15
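The 28Oct2021 update describes the only front-door option the question found: a serverless NEG attached to a global external HTTP(S) load balancer. The script below is an added example, not code from the question or from Google's documentation. It reproduces that procedure as gcloud commands and adds the step a practitioner would want next to it: restricting the service's ingress so the *.appspot.com URL cannot be used to bypass the load balancer. The project id, region, service, hostname and resource names are placeholders; the flag names follow the gcloud reference as I know it, so check them against `gcloud compute network-endpoint-groups create --help` and `gcloud app services update --help` before running with `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example: expose an App Engine service through a global external HTTPS
# load balancer via a serverless NEG, then lock the service's ingress to that
# load balancer.  Every name below is a placeholder.  Dry-run by default.
set -eu

GAE_PROJECT="${GAE_PROJECT:-my-project}"     # assumed project id
GAE_REGION="${GAE_REGION:-us-central1}"      # region the App Engine app lives in
GAE_SERVICE="${GAE_SERVICE:-default}"        # App Engine service to expose
LB_DOMAIN="${LB_DOMAIN:-app.example.com}"    # hostname for the managed certificate
LB_NAME="${LB_NAME:-internal-app}"           # prefix for the load balancer resources
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the commands, 0 = execute

# Print each gcloud invocation; execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Serverless NEGs are regional objects that only attach to the global external
# HTTP(S) load balancer, so every other resource here is created with --global.
lb_setup() {
  run gcloud compute network-endpoint-groups create "${LB_NAME}-neg" \
      --project="$GAE_PROJECT" --region="$GAE_REGION" \
      --network-endpoint-type=serverless --app-engine-service="$GAE_SERVICE"
  run gcloud compute backend-services create "${LB_NAME}-backend" \
      --project="$GAE_PROJECT" --global --load-balancing-scheme=EXTERNAL
  run gcloud compute backend-services add-backend "${LB_NAME}-backend" \
      --project="$GAE_PROJECT" --global \
      --network-endpoint-group="${LB_NAME}-neg" --network-endpoint-group-region="$GAE_REGION"
  run gcloud compute url-maps create "${LB_NAME}-urlmap" \
      --project="$GAE_PROJECT" --default-service="${LB_NAME}-backend"
  run gcloud compute ssl-certificates create "${LB_NAME}-cert" \
      --project="$GAE_PROJECT" --global --domains="$LB_DOMAIN"
  run gcloud compute target-https-proxies create "${LB_NAME}-proxy" \
      --project="$GAE_PROJECT" --url-map="${LB_NAME}-urlmap" --ssl-certificates="${LB_NAME}-cert"
  run gcloud compute addresses create "${LB_NAME}-ip" \
      --project="$GAE_PROJECT" --global --ip-version=IPV4
  run gcloud compute forwarding-rules create "${LB_NAME}-https" \
      --project="$GAE_PROJECT" --global --address="${LB_NAME}-ip" \
      --target-https-proxy="${LB_NAME}-proxy" --ports=443
}

# Without this the *.appspot.com hostname still answers directly from the
# internet, so anything attached to the load balancer (Cloud Armor, IAP) is
# bypassable.  App Engine ingress settings are not covered on the page; the
# value below is the one gcloud documents for "load balancer and VPC only".
lock_ingress() {
  run gcloud app services update "$GAE_SERVICE" \
      --project="$GAE_PROJECT" --ingress=internal-and-cloud-load-balancing
}

lb_setup
lock_ingress
```

The load balancer's address is still a public IP, which is exactly the limitation the question's updates describe; what this buys you is a single, policy-attachable front door (Cloud Armor allowlists, IAP) plus the guarantee that the direct appspot.com path no longer accepts internet traffic. Point the DNS record for the placeholder hostname at the reserved address once the managed certificate has been provisioned.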

2 Answers


I'm not sure this meets your requirements, but it's possible to set up an App Engine Standard application (not certain about Flexible) such that it is only accessible to users logged into your G-Suite domain. This is the approach I've used for internal-facing applications in the past, but it only applies if your case involves an entity using G-Suite.

You can set this up under the App Engine application Settings, under Identity Aware Proxy.

In this scenario the application is still operating at a publicly accessible location, but only users logged into your G-Suite domain can access it.

Cameron Roberts
  • Note that you still need to take measures to restrict access to only authenticated users. – Dan Cornilescu Feb 22 '18 at 22:55
  • Hi @CameronRoberts, thank you for this response. But the need I am trying to address is to avoid the application being accessed over a public network. Something like being able to host an AppEngine app inside a VPC. The answer from Dan Cornilescu below appears to be close to what I am looking for. – Cyac Feb 12 '19 at 04:20
  • @Cameron Roberts, though your answer was not the solution I was looking for in this case it is a useful option to have in some scenarios. Thanks for pointing this out. Really hope a better solution comes out from GCP at some point. – Cyac Oct 30 '19 at 06:48
  • @Cyac This has actually been enhanced also, it's now called "identity aware proxy" and offers much more flexibility than the old "restrict to g-suite domain" functionality did. I haven't dug deeply into it though, so I don't know if it gets closer to solving the problem on your original post here. – Cameron Roberts Oct 30 '19 at 16:38
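The answer above does the configuration through the console (App Engine > Settings > Identity-Aware Proxy). As an added example, not code from the answer or from Google, here is the same thing with gcloud, with one guard a practitioner wants: the principal granted the IAP accessor role is checked so that `allAuthenticatedUsers` (any Google account) or `allUsers` can never be granted by accident, which would silently turn "my G Suite domain only" into "everyone". The project id and domain are placeholders, and the script prints the commands unless `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example: enable Identity-Aware Proxy on an App Engine app and grant
# access to a single Google Workspace (G Suite) domain.  Placeholders throughout.
set -eu

GAE_PROJECT="${GAE_PROJECT:-my-project}"   # assumed project id
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the commands, 0 = execute

# Print each gcloud invocation; execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Only the IAM member forms that name a specific population are accepted.
# allAuthenticatedUsers and allUsers are refused outright.
iap_member_ok() {
  case "$1" in
    allUsers|allAuthenticatedUsers) return 1 ;;
    domain:?*|group:?*|user:?*|serviceAccount:?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Enable IAP for the whole App Engine app.  The project's OAuth consent screen
# has to be configured before this succeeds.
iap_enable() {
  run gcloud iap web enable --project="$GAE_PROJECT" --resource-type=app-engine
}

# Grant the IAP-secured Web App User role to one principal.
iap_grant() {
  member="$1"
  if ! iap_member_ok "$member"; then
    echo "refusing to grant IAP access to '$member'" >&2
    return 1
  fi
  run gcloud iap web add-iam-policy-binding --project="$GAE_PROJECT" \
      --resource-type=app-engine --member="$member" \
      --role=roles/iap.httpsResourceAccessor
}

iap_enable
iap_grant "domain:example.com"
```

Two caveats go with this. The application stays at a public address, as the answer says; IAP is an authentication gate in front of it, not a private network. And, as Dan's comment notes, the app still has to behave as if it were public: verify the signature and audience of the `x-goog-iap-jwt-assertion` header IAP adds rather than trusting the `x-goog-authenticated-user-email` header by itself, so a request that reaches the app without passing through IAP is rejected.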

It should be possible with the GAE flexible environment. From Advanced network configuration:

You can segment your Compute Engine network into subnetworks. This allows you to enable VPN scenarios, such as accessing databases within your corporate network.

To enable subnetworks for your App Engine application:

  1. Create a custom subnet network.

  2. Add the network name and subnetwork name to your app.yaml file, as specified above.

  3. To establish a VPN, create a gateway and a tunnel for a custom subnet network.

The standard env GAE doesn't offer access to the networking layer to achieve such a goal.

Dan Cornilescu
  • @ThorkilVærge, I did not try this out personally but I think this should work. Btw, just noticed that the link in point 2 in answer above may be broken. The app.yaml reference to specify network settings is [here](https://cloud.google.com/appengine/docs/flexible/nodejs/reference/app-yaml) – Cyac Jun 12 '19 at 09:12
  • @ThorkilVærge, I managed to check this out finally. From what I have seen so far, the App Engine Flex environment allows deploying an app into a VPC. As Dan mentions in his answer, this does allow VPN scenarios, but from what I understand it only allows VPN access from-appengine-to-VPNnetwork. Additionally, I don't think this allows (at this time of writing) privately accessing the App Engine app itself from a VPN network or from within a Google Cloud VPC. Connections to the App Engine app are always routed via the internet. Access can be limited to a set of restricted public IPs via Firewall Rules. – Cyac Sep 13 '19 at 10:21
  • Thanks for coming back to me on this! Do you happen to know what those IP addresses are, or where I can read about them? – Thorkil Værge Sep 13 '19 at 10:50
  • It can be any public IP(s). You can configure allow/deny rules for IP address ranges in the App Engine console. Navigation path is GCP Cloud Console -> App Engine -> Firewall rules – Cyac Sep 16 '19 at 06:57
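The comments above settle on App Engine firewall rules as the practical fallback: the app stays on the internet, but only chosen public source ranges (a corporate NAT or VPN egress address) are let through. As an added example, not from the comments or from Google, the script below does that with gcloud rather than the console, validating the priority and CIDR before anything is sent, refusing an allow rule for 0.0.0.0/0, and flipping the built-in default rule to DENY only after the allow rules exist. Project id, priorities and ranges are placeholders; it prints the commands unless `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example: allowlist source ranges with App Engine firewall rules and
# deny everything else.  Filters on the caller's public IP only; traffic still
# arrives over the internet.  Placeholders throughout, dry-run by default.
set -eu

GAE_PROJECT="${GAE_PROJECT:-my-project}"   # assumed project id
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the commands, 0 = execute

# Print each gcloud invocation; execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# IPv4 CIDR sanity check: four octets in 0-255 and a prefix length in 0-32.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; plen="${1#*/}"
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac   # also keeps glob chars out of the split below
  n=0
  old_ifs="$IFS"; IFS=.
  for o in $ip; do
    case "$o" in '') IFS="$old_ifs"; return 1 ;; esac
    [ "$o" -le 255 ] || { IFS="$old_ifs"; return 1; }
    n=$((n + 1))
  done
  IFS="$old_ifs"
  [ "$n" -eq 4 ]
}

# Rule priorities are integers 1..2147483646; 2147483647 is the built-in default rule.
valid_priority() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 2147483646 ]
}

# Allow one source range at the given priority.  0.0.0.0/0 is refused because an
# ALLOW for it would re-open the app to everyone ahead of the deny-all default.
allow_range() {
  prio="$1"; cidr="$2"; desc="${3:-added-by-script}"
  valid_priority "$prio" || { echo "bad priority: $prio" >&2; return 1; }
  valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
  [ "$cidr" != "0.0.0.0/0" ] || { echo "refusing to allow 0.0.0.0/0" >&2; return 1; }
  run gcloud app firewall-rules create "$prio" --project="$GAE_PROJECT" \
      --action=ALLOW --source-range="$cidr" --description="$desc"
}

# Change the default (lowest-priority) rule to DENY so anything not explicitly
# allowed is dropped.  Run this last: with no allow rules in place it locks
# everyone out, including you.
deny_by_default() {
  run gcloud app firewall-rules update default --project="$GAE_PROJECT" --action=DENY
}

allow_range 1000 203.0.113.0/24 office-nat-egress
allow_range 1100 198.51.100.7/32 vpn-concentrator
deny_by_default
```

Rules are evaluated lowest priority number first, so keep the explicit ALLOW entries well below the default rule's 2147483647. Verify the result with `gcloud app firewall-rules test-ip IP --project=...` against both an allowed and a disallowed address before relying on it.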