Question
I have a Google pub/sub subscription that pushes messages for a topic to an AppEngine standard service endpoint.
I want to restrict access to the AppEngine standard service to user IPs and still allow for messages coming from Google Pub/sub.
In the AppEngine firewall, the only option is to allow certain IP ranges.
What is the IP range(s) of Google pub/sub?
Answer 1:
I've noticed that all the IP requests from Pub/Sub push subscriptions are coming from 2002:axx:xxxx::. As per IETF RFC 3056, 2002::: is a 6to4 range. 2002:axx:xxxx::, then, is translated to 10.XXX.XXX.XXX, which is a range reserved for internal networking, in this case used by Google.
Note that other services apart from Pub/Sub might [at some point] use the range 2002:a00::/24, 10.XXX.XXX.XXX. For example, App Engine Flexible. If requests from Flexible are not desirable in this particular project, then you will have to block it and give it a higher priority.
In the end your Firewall entries:
10 Allow 2002:a00::/24 Pub/Sub
default Deny * The default action.
Also, there is an issue created about it in Google's issue-tracker.
Source: https://stackoverflow.com/questions/51172165/what-is-the-ip-ranges-of-google-pub-sub
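The 6to4 mapping and the two firewall entries from Answer 1, as an added example that is not part of the original question or answer. It derives the 6to4 prefix for 10.0.0.0/8, decodes the IPv4 address embedded in a logged source address, and evaluates the rules in order. The sample addresses and the function names are constructed for illustration.

```python
import ipaddress

# Firewall entries as listed in the answer: (priority, action, range, description).
# "*" is modelled here as "matches any source address".
RULES = [
    (10, "allow", "2002:a00::/24", "Pub/Sub"),
    ("default", "deny", "*", "The default action."),
]


def sixtofour_prefix(ipv4_net):
    """Map an IPv4 network to its 6to4 prefix (RFC 3056: 2002:V4ADDR::/48)."""
    net = ipaddress.ip_network(ipv4_net)
    base = (0x2002 << 112) | (int(net.network_address) << 80)
    # 16 bits of 2002 plus the IPv4 prefix length give the IPv6 prefix length.
    return ipaddress.IPv6Network((base, 16 + net.prefixlen))


def embedded_ipv4(addr):
    """Return the IPv4 address inside a 6to4 address, or None if not 6to4."""
    ip = ipaddress.ip_address(addr)
    return ip.sixtofour if ip.version == 6 else None


def decide(addr):
    """Evaluate RULES top to bottom and return the first matching action."""
    ip = ipaddress.ip_address(addr)
    for _priority, action, rng, _desc in RULES:
        if rng == "*":
            return action
        net = ipaddress.ip_network(rng)
        if ip.version == net.version and ip in net:
            return action
    return "deny"


if __name__ == "__main__":
    print("10.0.0.0/8 as 6to4:", sixtofour_prefix("10.0.0.0/8"))
    # Constructed sample source addresses, as they might appear in request logs.
    for src in ["2002:a01:203::", "2002:c000:204::", "203.0.113.7"]:
        print(src, "embedded:", embedded_ipv4(src), "->", decide(src))
```

The rule matches on the embedded 10.x.x.x range only, so any other service sending from that range is allowed as well, which is the caveat the answer raises about App Engine Flexible.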