How to properly configure VPC firewall for App Engine instances?

我们两清 submitted on 2021-02-08 05:01:41

Question


We are trying to deploy a micro-service based application using Google App Engine (mainly flexible instances), having a gateway on the default service and a few microservices providing the business logic. You might think of it as:

  • foo.appspot.com
  • service1.foo.appspot.com
  • service2.foo.appspot.com

as it is done here

I would like the services to be accessible only from the gateway (and maybe a few other machines), and not from the outside, but I couldn't get it to work.

I've been able to set all the services on a given VPC network, adding a rule to "Deny All traffic" incoming in this network, except for the gateway that is tagged and allows everything. (as described in this response here)

This works for runtime; however, when doing so we cannot deploy using gcloud app deploy. (It hangs at the "Updating service" step). I've tried to allow port 22, but it seems this is not the one in use. I've also tried to block only ports 80 and 443, but then the App Engine services service1 and service2 are accessible from the outside again.

How should I configure the firewall to be able to deploy on the App Engine, and restrict access to the services to the gateway only? Is this even possible using the VPC firewall, or should I either use a KCE instance or avoid using GCP infrastructure and sign/verify requests myself?


Answer 1:


After some further investigation, what you want is not possible in GAE right now.

Here there are some possible workarounds that you may want to try:

  • Use a Bastion VM. With this option, you would have the code for what was your default service in the Bastion VM, and then have your GAE flex with the other 2 services deployed and set there the GAE firewall rule to only allow communication with the Bastion VM.

  • As you said in your question, you could use Kubernetes. Here is a tutorial on how to deploy a containerized web application.

  • Lastly, you could perform your own validation of inbound requests, using standard HTTP headers such as X-Forwarded-For to determine the IP address of the client.
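A worked version of the third option, added here as an example and not part of the original answer. It assumes a WSGI application on App Engine Flexible and assumes that the platform's proxy appends its own address to `X-Forwarded-For`, so the header reads `<client>, <load balancer>`; the client is therefore read from the right-hand end, past the trusted proxy hops, which prevents a caller from prepending a spoofed address. The allowed ranges, `ALLOWED_SOURCES`, are constructed RFC 5737 documentation addresses, and the `SourceFilterMiddleware` and `demo_status` names are this example's own.

```python
import ipaddress
from typing import List, Optional

# Constructed allow-list for the example: the gateway's address range plus an
# operator host. These are documentation ranges (RFC 5737), not real endpoints.
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),   # stands in for the gateway range
    ipaddress.ip_network("198.51.100.7/32"),  # stands in for an admin workstation
]


def client_ip_from_xff(header_value: Optional[str], trusted_proxy_hops: int = 1):
    """Return the client address recorded by the platform's proxy, or None.

    Assumption (not from the page): the proxy appends its own address, so the
    header is "<client>, <proxy>" and the client sits `trusted_proxy_hops`
    entries from the right. Counting from the right means a value prepended by
    the caller is ignored rather than trusted.
    """
    if not header_value:
        return None
    parts = [p.strip() for p in header_value.split(",") if p.strip()]
    if len(parts) < trusted_proxy_hops + 1:
        return None  # fewer hops than expected: malformed, treat as untrusted
    candidate = parts[-(trusted_proxy_hops + 1)]
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None  # not an IP literal at all


def is_allowed(header_value: Optional[str], allowed=ALLOWED_SOURCES,
               trusted_proxy_hops: int = 1) -> bool:
    """True only if the recorded client address falls inside an allowed range."""
    ip = client_ip_from_xff(header_value, trusted_proxy_hops)
    if ip is None:
        return False
    return any(ip in net for net in allowed)


class SourceFilterMiddleware:
    """WSGI middleware that answers 403 unless the caller is on the allow-list."""

    def __init__(self, app, allowed=ALLOWED_SOURCES, trusted_proxy_hops: int = 1):
        self.app = app
        self.allowed = allowed
        self.hops = trusted_proxy_hops

    def __call__(self, environ, start_response):
        header = environ.get("HTTP_X_FORWARDED_FOR")
        if not is_allowed(header, self.allowed, self.hops):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def _business_app(environ, start_response):
    # Stand-in for the micro-service's real WSGI app.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from service1\n"]


def demo_status(xff: Optional[str]) -> str:
    """Run one request through the middleware and return the HTTP status line."""
    captured: List[str] = []
    environ = {"HTTP_X_FORWARDED_FOR": xff} if xff is not None else {}
    app = SourceFilterMiddleware(_business_app)
    body = app(environ, lambda status, headers: captured.append(status))
    b"".join(body)  # drain the iterable as a WSGI server would
    return captured[0]


if __name__ == "__main__":
    for sample in ["203.0.113.10, 35.0.0.1", "8.8.8.8, 35.0.0.1",
                   "203.0.113.10, 8.8.8.8, 35.0.0.1", None]:
        print(repr(sample), "->", demo_status(sample))
```

The third sample shows why the proxy count matters: a caller who sends its own `X-Forwarded-For: 203.0.113.10` ends up with `203.0.113.10, 8.8.8.8, 35.0.0.1` on the backend, and reading from the right correctly identifies `8.8.8.8` as the real client. The check is only as trustworthy as the assumption that nothing but the platform's proxy can reach the instance, which is exactly the gap the question is about.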




Answer 2:


One way to do this is by using the firewall controls for App Engine Flexible, which can be used to set rules in the front-end.

If you deny all access to your application (for instance, just changing to deny the default firewall, as shown in the picture), nothing will access your services, and you will still be able to deploy your application in GAE. Then, you will just have to allow the specific IP ranges to access your application with other firewall rules in GAE.

In this case, you do not even need to have a VPC and create firewall rules there.
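To make the "deny by default, allow specific ranges" scheme concrete, here is an added example (not code from the original answer or from Google) that models an App Engine firewall rule set offline: it validates the rules, evaluates a client address the way App Engine does (rules in ascending priority number, first match wins, the default rule at priority 2147483647 matching everything), and emits the equivalent `gcloud app firewall-rules` commands. The ranges in `example_rules` are constructed placeholders, and the `IngressRule`, `evaluate` and `to_gcloud_commands` names are this example's own; the evaluation order and the default rule's priority are taken from the App Engine firewall documentation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

DEFAULT_RULE_PRIORITY = 2147483647  # fixed priority of the App Engine default rule


@dataclass(frozen=True)
class IngressRule:
    priority: int        # 1 is evaluated first; the default rule is always last
    action: str          # "ALLOW" or "DENY"
    source_range: str    # CIDR, or "*" for the match-everything default rule
    description: str = ""


def example_rules() -> List[IngressRule]:
    """Constructed rule set: deny everything, then allow two known sources.

    The ranges are RFC 5737 documentation addresses standing in for the
    gateway's address range and an operator host (assumption: the gateway
    reaches the services from a known, fixed range)."""
    return [
        IngressRule(DEFAULT_RULE_PRIORITY, "DENY", "*", "default rule flipped to deny"),
        IngressRule(100, "ALLOW", "203.0.113.0/24", "gateway range (placeholder)"),
        IngressRule(200, "ALLOW", "198.51.100.7/32", "operator host (placeholder)"),
    ]


def validate_rules(rules: List[IngressRule]) -> None:
    """Raise ValueError for malformed sets: bad action, duplicate priority,
    priority out of range, unparsable CIDR, or no default rule at all."""
    seen = set()
    has_default = False
    for r in rules:
        if r.action not in ("ALLOW", "DENY"):
            raise ValueError(f"rule {r.priority}: action must be ALLOW or DENY")
        if r.priority in seen:
            raise ValueError(f"duplicate priority {r.priority}")
        seen.add(r.priority)
        if r.priority == DEFAULT_RULE_PRIORITY:
            if r.source_range != "*":
                raise ValueError("the default rule must match all sources")
            has_default = True
            continue
        if not 1 <= r.priority < DEFAULT_RULE_PRIORITY:
            raise ValueError(f"priority {r.priority} is out of range")
        ipaddress.ip_network(r.source_range, strict=False)  # ValueError if malformed
    if not has_default:
        raise ValueError("rule set has no default rule")


def evaluate(rules: List[IngressRule], client_ip: str) -> str:
    """Return the action App Engine would apply to a request from client_ip."""
    validate_rules(rules)
    ip = ipaddress.ip_address(client_ip)
    for r in sorted(rules, key=lambda rule: rule.priority):
        if r.source_range == "*":
            return r.action
        if ip in ipaddress.ip_network(r.source_range, strict=False):
            return r.action
    return "DENY"  # unreachable once a default rule exists; kept as a safe fallback


def to_gcloud_commands(rules: List[IngressRule]) -> List[str]:
    """Emit the gcloud commands for this rule set, allow rules first.

    Creating the allow rules before flipping the default to deny avoids a
    window in which even the gateway is locked out."""
    validate_rules(rules)
    commands = []
    for r in sorted(rules, key=lambda rule: rule.priority):
        if r.priority == DEFAULT_RULE_PRIORITY:
            commands.append(
                f"gcloud app firewall-rules update default --action={r.action.lower()}")
        else:
            commands.append(
                f"gcloud app firewall-rules create {r.priority} "
                f"--action={r.action.lower()} --source-range={r.source_range} "
                f"--description='{r.description}'")
    return commands


if __name__ == "__main__":
    rules = example_rules()
    for probe in ["203.0.113.9", "198.51.100.7", "8.8.8.8", "2001:db8::1"]:
        print(f"{probe:>16} -> {evaluate(rules, probe)}")
    print("\n".join(to_gcloud_commands(rules)))
```

Deploys keep working under this scheme because `gcloud app deploy` talks to the Admin API rather than to the application's front end, which is the part the App Engine firewall filters. The evaluation helper is useful as a pre-deployment check: run every address you expect to reach the service through `evaluate` before touching the live rule set.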



Source: https://stackoverflow.com/questions/54442545/how-to-properly-configure-vpc-firewall-for-app-engine-instances
