10

If I have a GAE Flex application that's only for internal usage and not intended for any public facing uses, what is the best way to secure it? By default, the *.appspot.com domain exposes a public HTTP/S endpoint.

If I set the default App Engine firewall rule for an explicit deny of all HTTP traffic, how can I then access the application from other GCE instances or other GAE Flex apps in other Projects?

I originally thought that editing the app.yaml file to launch the instance into a private VPC with its own GCE Firewall rules (with the default ingress deny) would suffice, but it's still allowing external traffic due to the fact that requests go through a Cloud load balancer IP.

The next option I looked at is Cloud IAP which allows only authenticated users and service accounts to access my application. This might work but, if I need to access my application from a private VPC with no internet access, it wouldn't work if I'm understanding the service correctly since requests would still have to come via HTTP.

So what can I do to ensure that there is absolutely no public access to the app engine while still allowing internal resources to access it?

1
  • Did you find an answer to your question? Also, where did you learn that "it's still allowing external traffic due to the fact that requests go through a Cloud load balancer IP"? A reference link would be nice :)
    – ahong
    May 1, 2020 at 16:45

1 Answer

5

The description of your use case makes it suitable for using the App Engine firewall:

Allow only traffic from within a specific network: Ensure that only a certain range of IP addresses from specific networks can access your app. For example, create rules to allow only the range of IP addresses from within your company's private network during your app's testing phase...

Allow only traffic from a specific service: Ensure that all the traffic to your App Engine app is first proxied through a specific service.

Beginning at Allowing requests from your services there are the instructions on how to create firewall rules.

When you create your firewall rules in App Engine, you can choose which IPs to allow or deny access to your app. It is not mandatory to deny all HTTP traffic to all IPs. Take a look at the Example Firewall where some rules are created. Some of them allow traffic to certain IPs while others deny traffic to other IPs as well:

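A worked model of how such a rule set is evaluated, added here as an example and not part of the original answer: App Engine firewall rules are checked in priority order (lowest number first), the first matching rule wins, and the built-in default rule at priority 2147483647 catches every request no other rule matched. The CIDR ranges and rule descriptions below are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Priority of App Engine's built-in default firewall rule.
DEFAULT_PRIORITY = 2147483647


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str          # "ALLOW" or "DENY"
    source_range: str    # CIDR for the client source address, or "*" for any
    description: str = ""

    def matches(self, ip: str) -> bool:
        if self.source_range == "*":
            return True
        # Address/network version mismatch (v4 vs v6) simply does not match.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.source_range, strict=False)


def evaluate(rules, ip):
    """Return (action, rule) for the first rule, in priority order, that matches ip."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(ip):
            return rule.action, rule
    raise ValueError("no rule matched; the default rule should always match")


def is_allowed(rules, ip):
    return evaluate(rules, ip)[0] == "ALLOW"


# Constructed "internal only" rule set (hypothetical ranges, not from the post):
# the default rule is flipped to DENY and explicit ALLOW rules carve out the
# sources that may reach the app; a narrower DENY with a lower priority number
# still wins over a broader ALLOW, which is the precedence the answer describes.
INTERNAL_ONLY = [
    Rule(50, "DENY", "10.128.0.5/32", "quarantined host inside the allowed subnet"),
    Rule(100, "ALLOW", "10.128.0.0/20", "GCE subnet that hosts the internal callers"),
    Rule(200, "ALLOW", "203.0.113.0/24", "office egress NAT range (TEST-NET-3)"),
    Rule(DEFAULT_PRIORITY, "DENY", "*", "default rule: deny everything else"),
]
```

The address matched is the client source address the app sees behind the load balancer, so callers in another VPC or project reach the app through their external or Cloud NAT address, and that is the range the ALLOW rule must list.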
