How to secure connection between different GAEs?

Question

For some reason I need to create two GAEs with project A and B:

A(flex env) is a proxy server bounded with Endpoint and restrict access with API key.
B(standard env) is real server which does real jobs.(B cannot apply Endpoint framework)
Client only awares proxy server address and send all requests to A

Now I would like to secure connection between A and B. In other words, B is only accessible from A. Is there any way to achieve it? (Firewall not work here because GAE has not static IP range.)

sorry that I didn't mention that A is flex environment – Caxton Oct 05 '18 at 16:02 — Caxton, Oct 05 '18 at 16:02

score 1 · Accepted Answer · answered Oct 04 '18 at 07:29

If you want to determine the identity of the App Engine app that is making a request to your App Engine app, you can use the request header X-Appengine-Inbound-Appid. This header is added to the request by the URLFetch service and is not user modifiable, so it safely indicates the requesting application's ID, if present.

In your application handler, you can check the incoming ID by reading the X-Appengine-Inbound-Appid header and comparing it to a list of IDs allowed to make requests.

Note: The X-Appengine-Inbound-Appid header is only set if the call is made to the appspot.com domain. If the app has a custom domain, this header will not be set.

https://cloud.google.com/appengine/docs/standard/go/appidentity/#asserting_identity_to_other_app_engine_apps

This should work the same for all App Engine standard environments.

sorry that I didn't mention that A is flex environment; is this solution still suitable? — Caxton, Oct 05 '18 at 16:05

How to secure connection between different GAEs?

1 Answers1

Linked