Question
We are trying to deploy a micro-service based application using Google App Engine (mainly flexible instances), having a gateway on the default service and a few microservices providing the business logic. You might think of it as:
foo.appspot.com
service1.foo.appspot.com
service2.foo.appspot.com
as it is done here
I would like the services to be accessible only from the gateway (and maybe few other machines), and not from the outside, but I couldn't get it to work.
I've been able to set all the services on a given VPC network, adding a rule to "Deny All traffic" incoming in this network, except for the gateway that is tagged and allows everything. (as described in this response here)
This works at runtime; however, when doing so we cannot deploy using gcloud app deploy. (It hangs at the "Updating service" step.) I've tried to allow port 22, but it seems this is not the one in use. I've also tried to block only ports 80 and 443, but then the App Engine services service1 and service2 are accessible from the outside again.
How should I configure the firewall to be able to deploy on App Engine, and restrict access to the services to the gateway only? Is this even possible using the VPC firewall, or should I either use a GKE instance or avoid using GCP infrastructure and sign/verify requests myself?
Answer 1:
After some further investigation, what you want is not possible in GAE right now.
Here there are some possible workarounds that you may want to try:
Use a Bastion VM. With this option, you would have the code for what was your default service on the Bastion VM, then deploy the other 2 services on GAE flex and set the GAE firewall rule there to only allow communication with the Bastion VM.
As you said in your question, you could use Kubernetes. Here is a tutorial on how to deploy a containerized web application.
Lastly, you could perform your own validation of inbound requests, using standard HTTP headers such as X-Forwarded-For to determine the IP address of the client.
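The third workaround above, validating inbound requests from the client address in X-Forwarded-For, is easy to get wrong because the client can put anything it likes in that header. The example below is added here and is not code from the answer or from Google. It assumes the service sits behind trusted proxies that append the address they saw (the number of such trailing entries, DEFAULT_TRUSTED_HOPS, is an assumption to verify against the App Engine documentation for your environment), uses a constructed allow-list and constructed headers, and shows why the leftmost entry must not be trusted:

```python
"""Allow-list callers by the client IP recovered from X-Forwarded-For.

Added example, not code from the original answer. It assumes the service
runs behind trusted proxies that *append* the address they saw to
X-Forwarded-For, so only the rightmost entries can be believed; anything a
client put in the header itself sits further left and is ignored.
"""
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption: two trailing entries are written by Google infrastructure
# (client address as seen by the front end, then the load balancer's own
# address). Verify this for your environment; being off by one either locks
# everyone out or trusts client-supplied data.
DEFAULT_TRUSTED_HOPS = 2

# Constructed allow-list standing in for the gateway's egress range.
GATEWAY_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]


def client_ip_from_xff(xff: Optional[str],
                       trusted_hops: int = DEFAULT_TRUSTED_HOPS) -> Optional[IPAddress]:
    """Return the client address the first trusted proxy saw, or None.

    With `trusted_hops` trailing entries written by trusted proxies, the
    client address is the entry `trusted_hops` from the right. Fewer entries
    than that means the request did not arrive through the expected path.
    """
    if not xff or trusted_hops < 1:
        return None
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    try:
        return ipaddress.ip_address(hops[-trusted_hops])
    except ValueError:  # malformed entry: fail closed
        return None


def naive_client_ip(xff: Optional[str]) -> Optional[IPAddress]:
    """The common mistake: trust the leftmost entry, which the client controls."""
    if not xff:
        return None
    try:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    except ValueError:
        return None


def is_allowed(xff: Optional[str], allowlist,
               trusted_hops: int = DEFAULT_TRUSTED_HOPS) -> bool:
    """True only if a client address was recovered and it is in the allow-list."""
    ip = client_ip_from_xff(xff, trusted_hops)
    return ip is not None and any(ip in net for net in allowlist)


def require_gateway(app, allowlist, trusted_hops: int = DEFAULT_TRUSTED_HOPS):
    """WSGI middleware: answer 403 unless the recovered client IP is allow-listed."""
    def wrapped(environ, start_response):
        if is_allowed(environ.get("HTTP_X_FORWARDED_FOR"), allowlist, trusted_hops):
            return app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    return wrapped


def _business_app(environ, start_response):
    """Stand-in for service1's real handler."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from service1\n"]


def status_for(xff: Optional[str]) -> str:
    """Push one constructed request through the guarded app; return its status line."""
    guarded = require_gateway(_business_app, GATEWAY_ALLOWLIST)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if xff is not None:
        environ["HTTP_X_FORWARDED_FOR"] = xff
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    list(guarded(environ, start_response))  # consume the body
    return seen["status"]


if __name__ == "__main__":
    # Constructed headers; 35.190.0.1 stands in for the Google load balancer.
    print(status_for("198.51.100.7, 35.190.0.1"))               # gateway: 200 OK
    print(status_for("203.0.113.5, 35.190.0.1"))                # outsider: 403
    print(status_for("198.51.100.7, 203.0.113.5, 35.190.0.1"))  # spoof attempt: 403
    print(status_for(None))                                     # no proxy path: 403
```

The spoof case is the one to study: an attacker at 203.0.113.5 sends its own "X-Forwarded-For: 198.51.100.7", the front end appends the address it actually saw, and the load balancer appends its own. Counting from the right recovers 203.0.113.5; naive_client_ip would have returned the forged gateway address and let the request through. This remains an application-level control: the services are still reachable from the internet, so every handler must go through the middleware.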
Answer 2:
One way to do this is by using the firewall controls for App Engine Flexible, which can be used to set rules in the front-end.
If you deny all access to your application (for instance, just changing the default firewall rule to deny, as shown in the picture), nothing will access your services, and you will still be able to deploy your application in GAE. Then, you will just have to allow the specific IP ranges to access your application with other firewall rules in GAE.
In this case, you do not even need to have a VPC and create firewall rules there.
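The App Engine firewall set-up this answer describes, as an added example that is not part of the original answer: the script creates an ALLOW rule per gateway source range before flipping the catch-all rule (priority 2147483647, addressed as "default") to DENY, so there is no window in which the gateway is locked out. It assumes gcloud is authenticated with the target project active, and the CIDRs are placeholders for the gateway's real egress ranges. Commands are printed unless APPLY=1 is set, so the sequence can be reviewed first. One caveat a practitioner should weigh: these rules apply to every service in the app, the public gateway included, so with the gateway in the same App Engine app the allow-list must also cover the gateway's own clients, or the gateway has to live in a separate project.

```shell
#!/bin/sh
# Added example, not from the original answer: configure App Engine's own
# (front-end) firewall so the catch-all rule denies, then allow only the
# gateway's source ranges. Commands are printed unless APPLY=1 is set, so the
# change can be reviewed before it touches a project.
# Assumptions: gcloud is authenticated with the target project active, and the
# CIDRs passed in are the gateway's egress ranges (placeholders in the usage).

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# usage: configure_gae_firewall CIDR [CIDR...]
configure_gae_firewall() {
    if [ "$#" -lt 1 ]; then
        echo "usage: configure_gae_firewall CIDR [CIDR...]" >&2
        return 1
    fi
    priority=100
    for cidr in "$@"; do
        # Lower priority number wins; leave gaps for later insertions.
        run gcloud app firewall-rules create "$priority" \
            --action=ALLOW --source-range="$cidr" \
            --description="allow gateway $cidr"
        priority=$((priority + 10))
    done
    # Only after the allow rules exist: flip the catch-all rule (priority
    # 2147483647, addressed as "default") to DENY, so the gateway is never
    # locked out in between. gcloud app deploy is unaffected: this firewall
    # only filters inbound requests at the front end.
    run gcloud app firewall-rules update default --action=DENY
    run gcloud app firewall-rules list
}

# Ask App Engine which rule a given source address would match, without
# sending a request through the front end.
check_source_ip() {
    run gcloud app firewall-rules test-ip "$1"
}

if [ "$#" -gt 0 ]; then
    configure_gae_firewall "$@"
fi
```

Usage: `sh gae-firewall.sh 203.0.113.0/24` prints the plan; `APPLY=1 sh gae-firewall.sh 203.0.113.0/24` executes it. After applying, `check_source_ip 203.0.113.9` against an address inside the range and one outside it confirms that only the gateway's ranges reach service1 and service2.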
Source: https://stackoverflow.com/questions/54442545/how-to-properly-configure-vpc-firewall-for-app-engine-instances