
I wonder if it is possible to use Cloud Armor with GAE Flex? Because in Cloud Armor's documentation, it says that you have to use an HTTPS Load Balancer. Since GAE Flex doesn't have a load balancer, how can we use Cloud Armor with GAE Flex? We have to use a WAF to prevent DDOS attacks. Is it possible to use Cloud Armor with GAE Flex through HTTPS Load Balancer? If so, can you explain how I can achieve this goal?

Thank you.

Cihat Kisa

4 Answers


As per document 1 the only backends supported by HTTP(S) Load Balancer are: MIG, IG, NEGs and storage buckets. Hence, it's not possible to use App Engine Flex with the HTTP(S) Load Balancer.

An HTTP load balancer can only be used for Managed Instance Groups, Instance Groups, Network Endpoint Groups, and Storage Buckets. So you won’t be able to use an HTTP load balancer with App Engine Flex.

However, there are many other options for securing an App Engine application. You can use an App Engine Firewall 2 rule to keep out all traffic except a single service 3 . App Engine also sits behind the Google front-end, which absorbs many basic attacks like SYN floods, IP fragment floods, or port exhaustion. I’m also sending you a document on our best practices for preventing DDOS attacks 4.

Sohail Alvi
  • Thank you for your answer. I use App Engine Firewall, but you can only block and allow IP addresses with it. It doesn't have other features like blocking or allowing by country code, user agent, and request headers. So it's hard to prevent DDOS attacks with only App Engine Firewall since you have to know all IP addresses that attackers use. I hope Google will provide these features soon. – Cihat Kisa May 28 '20 at 15:54
  • You can now use NEGs with App Engine and Load balancer, the request can be routed via the Load balancer to App Engine. – john mich Mar 08 '21 at 12:56

But: https://cloud.google.com/load-balancing/docs/negs/serverless-neg-concepts

A network endpoint group (NEG) specifies a group of backend endpoints for a load balancer. A serverless NEG is a backend that points to a Cloud Run, App Engine, or Cloud Functions service.

A serverless NEG can represent:

  • A Cloud Run service or a group of services sharing the same URL pattern.
  • A Cloud Functions function or a group of functions sharing the same URL pattern.
  • An App Engine app (Standard or Flex), a specific service within an app, or even a specific version of an app.
Neo Anderson
alfred
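Putting the serverless-NEG path from this answer into practice, as an added example (not from the original thread or Google's documentation): a gcloud script that fronts an App Engine service with a global external HTTPS load balancer and attaches a Cloud Armor policy with the country and User-Agent filters the question's author was missing. The project id, region, domain, resource names, the `XX` country code and the `BadBot` string are placeholders; it prints the commands by default (`DRY_RUN=1`), and the last step assumes the service accepts App Engine ingress settings.

```shell
#!/bin/sh
# Added example: App Engine service -> serverless NEG -> global HTTPS LB -> Cloud Armor.
PROJECT="${PROJECT:-my-project}"        # placeholder project id
REGION="${REGION:-us-central1}"         # must equal the App Engine app's region
DOMAIN="${DOMAIN:-app.example.com}"     # placeholder domain for the managed certificate
DRY_RUN="${DRY_RUN:-1}"                 # default: only print the gcloud commands

run() {                                 # print in dry-run mode, execute otherwise
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

setup_appengine_armor() {
  # 1. Serverless NEG pointing at the App Engine 'default' service (Standard or Flex).
  run gcloud compute network-endpoint-groups create gae-neg --project="$PROJECT" \
    --region="$REGION" --network-endpoint-type=serverless --app-engine-service=default
  # 2. Global backend service whose only backend is that NEG.
  run gcloud compute backend-services create gae-backend --project="$PROJECT" --global
  run gcloud compute backend-services add-backend gae-backend --project="$PROJECT" --global \
    --network-endpoint-group=gae-neg --network-endpoint-group-region="$REGION"
  # 3. Cloud Armor policy: deny by country code and by User-Agent, which App Engine
  #    Firewall cannot express. Lower priority numbers are evaluated first.
  run gcloud compute security-policies create gae-policy --project="$PROJECT"
  run gcloud compute security-policies rules create 1000 --project="$PROJECT" \
    --security-policy=gae-policy --action=deny-403 \
    --expression="origin.region_code == 'XX'"   # XX: placeholder ISO 3166-1 code
  run gcloud compute security-policies rules create 2000 --project="$PROJECT" \
    --security-policy=gae-policy --action=deny-403 \
    --expression="has(request.headers['user-agent']) && request.headers['user-agent'].contains('BadBot')"
  run gcloud compute backend-services update gae-backend --project="$PROJECT" --global \
    --security-policy=gae-policy
  # 4. URL map, Google-managed certificate, HTTPS proxy and global forwarding rule.
  run gcloud compute url-maps create gae-lb --project="$PROJECT" --default-service=gae-backend
  run gcloud compute ssl-certificates create gae-cert --project="$PROJECT" --domains="$DOMAIN" --global
  run gcloud compute target-https-proxies create gae-https-proxy --project="$PROJECT" \
    --url-map=gae-lb --ssl-certificates=gae-cert
  run gcloud compute forwarding-rules create gae-https-rule --project="$PROJECT" --global \
    --target-https-proxy=gae-https-proxy --ports=443
  # 5. Close the side door: accept only traffic that arrived through the load balancer,
  #    otherwise the appspot.com URL still bypasses Cloud Armor entirely.
  run gcloud app services update default --project="$PROJECT" \
    --ingress=internal-and-cloud-load-balancing
}

setup_appengine_armor
```

Run with `DRY_RUN=0` to apply; DNS for the domain must point at the forwarding rule's address before the managed certificate becomes active.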

Cloud Armor only takes traffic from a non-CDN HTTPS LB, and on top of that the backend services supported by the HTTPS LB are MIG, IG, NEG and Bucket. Hence it's not possible to use HTTPS with App Engine.

Neelam

For securing App Engine, apart from applying firewall rules, another option is to apply IAP if you want to restrict by user mode. [1]

[1]https://cloud.google.com/iap/docs/app-engine-quickstart

Neelam