Question
How can I apply a GCP firewall rule tag to an App Engine Flex instance? I have a project where a bastion host is set up with the appropriate firewall rules to only allow ssh from 0.0.0.0/0 to the bh machine. Then the bastion host is the only source that is able to connect via ssh to all project VMs. I need to apply a firewall rule tag "restricted-ssh" to all app engine flex instances to allow ssh in debug mode.
Per documentation: A target, which defines the instances (including GKE clusters and App Engine Flex instances) to which the rule will apply. Source: https://cloud.google.com/vpc/docs/firewalls
Looks like the GCP VPC firewall rules affect App Engine Flex instances. How do I apply a firewall tag to all Flex instances?
Answer 1:
Inside your app.yaml file, there's an optional network section which has an instance_tag key that seems to be what you're looking for, so you'll end up having something like this (for a sample Python app):
runtime: python
env: flex
entrypoint: gunicorn -b :$PORT main:app
[...]
network:
  instance_tag: restricted_ssh
Reference: https://cloud.google.com/appengine/docs/flexible/python/reference/app-yaml#network_settings
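The tag only does its job if the VPC firewall rule's target tag is spelled exactly the same way (note that the question writes "restricted-ssh" while the answer writes "restricted_ssh"). The following added example, which is not from the Stack Overflow thread, scans an app.yaml for network.instance_tag and compares it against a firewall rule shaped like the JSON output of `gcloud compute firewall-rules describe --format=json`; the app.yaml text, the rule name "allow-ssh-from-bastion" and the "bastion" source tag are constructed for illustration.

```python
"""Check that an App Engine Flex app.yaml network tag lines up with the VPC
firewall rule meant to restrict SSH to the bastion host (added example)."""
import json
import re

# Constructed app.yaml: underscore spelling, as in the answer above.
APP_YAML = """runtime: python
env: flex
entrypoint: gunicorn -b :$PORT main:app
network:
  instance_tag: restricted_ssh
"""

# Constructed rule in the shape of `firewall-rules describe --format=json`.
FIREWALL_RULE = json.loads("""{
  "name": "allow-ssh-from-bastion",
  "direction": "INGRESS",
  "sourceTags": ["bastion"],
  "targetTags": ["restricted-ssh"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]
}""")


def instance_tag_from_app_yaml(text):
    """Minimal scan for network.instance_tag (not a full YAML parser; use
    PyYAML for real files). Returns None when the key is absent."""
    in_network = False
    for line in text.splitlines():
        if re.match(r"^network:\s*$", line):
            in_network = True
            continue
        if in_network:
            m = re.match(r"^\s+instance_tag:\s*(\S+)", line)
            if m:
                return m.group(1)
            if not line.startswith(" "):  # left the network section
                in_network = False
    return None


def check_ssh_exposure(app_yaml, rule):
    """Return findings; empty means the Flex instances receive exactly the
    bastion-only SSH rule and nothing wider."""
    findings, tag = [], instance_tag_from_app_yaml(app_yaml)
    if tag is None:
        findings.append("app.yaml has no network.instance_tag; rule will not apply")
    elif tag not in rule.get("targetTags", []):
        findings.append(f"instance_tag {tag!r} not in targetTags {rule.get('targetTags')}")
    ssh = any(a.get("IPProtocol") == "tcp" and "22" in a.get("ports", [])
              for a in rule.get("allowed", []))
    if ssh and "0.0.0.0/0" in rule.get("sourceRanges", []):
        findings.append("tcp/22 is open to 0.0.0.0/0, not just the bastion")
    return findings
```

Run it against your real app.yaml and the describe output before deploying, since a tag mismatch leaves the instances outside the rule entirely.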
Source: https://stackoverflow.com/questions/52745835/app-engine-flex-setting-gcp-network-tag