Unable to set specific firewall rules for app-engi

Published 2020-04-19 10:24

Question:

We have a problem setting correct firewall rules for our different App Engine services on GCP, as it doesn't seem to be possible.

Our problem is very simple: we have a default app-engine service that should be publicly accessible and acts as a gateway, and all the other services are only internal and are hosted on the same GCP Project.

We tried to set custom network tags and rules in the VPC firewall section, but all of those are overruled by the App Engine firewall. Sadly the latter doesn't allow a per-service configuration.

Would you know a simple way to do this? Our only solution so far is to put the gateway on a Compute Engine instance or in another GCP project.

Answer 1:

Given that you are using App Engine Flexible, you can set the network where your service will run by changing the Network Settings in the app.yaml configuration file. In your case, since you have one group of instances that you don't want to be reached, and one instance that will act as a gateway, you can do the following:

  1. Create two different networks, and a subnetwork for each one in the region you deem convenient. As well, make sure to enable Private Google access, so you will be always able to connect to GCP APIs without the need of creating new firewall rules. You can set the subnet IP address range to anything as long as it is not already used in your project, I used 10.0.0.0/9 for example. Make sure that the subnetwork zone is the same for both networks.

  2. In the network that you don't want traffic from outside GCP, create a firewall rule to deny all ingress traffic to the network.

  3. Configure the app.yaml file in your services, by adding:

    network:
      instance_tag: TAG_NAME
      name: NETWORK_NAME
      subnetwork_name: SUBNETWORK_NAME
    

    Your gateway instance should have the NETWORK_NAME and SUBNETWORK_NAME of the network with allowed ingress traffic, while the rest of services the network where you created the previous firewall rule. The TAG_NAME can be any tag you want to give to this machine, I recommend you to use an unique tag for each one of the two groups of services.

  4. Redeploy your services.

Now you should be able to send traffic only to the service acting as a gateway, while the gateway is able to connect to the rest of the services, because you enabled Private Google Access in the first point.
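As an added example, not part of the original answer, the following Python script is a pre-deploy check for the layout described in steps 1 to 3: it parses the network block of each service's app.yaml, verifies that only the gateway service sits on the public network and that every internal service uses the internal network, subnet and tag, and returns the gcloud commands for creating the two networks, their subnets with Private Google Access, and the deny-all ingress rule on the internal network. The network, subnet and tag names, the project and region, and the three sample app.yaml contents are all assumptions constructed for the example. The script only inspects configuration files and returns the commands as strings without running them; whether the gateway can actually reach the other services at runtime still has to be tested after redeploying.

```python
"""Lint App Engine Flexible app.yaml files against a two-network layout.

Added example: names below are assumptions, not taken from the original post.
Stdlib only; the tiny parser handles the flat 'network:' block app.yaml uses.
"""

GATEWAY_SERVICE = "default"          # the only service that may be public

# Assumed names for the two networks created in step 1 of the answer.
LAYOUT = {
    "public":   {"name": "public-net",   "subnetwork_name": "public-subnet",
                 "instance_tag": "gateway"},
    "internal": {"name": "internal-net", "subnetwork_name": "internal-subnet",
                 "instance_tag": "internal"},
}

# Constructed sample app.yaml contents; 'reports' is deliberately misconfigured.
SAMPLE_APP_YAMLS = {
    "default": """
runtime: python
env: flex
network:
  instance_tag: gateway
  name: public-net
  subnetwork_name: public-subnet
""",
    "billing": """
service: billing
runtime: python
env: flex
network:
  instance_tag: internal
  name: internal-net
  subnetwork_name: internal-subnet
""",
    "reports": """
service: reports
runtime: python
env: flex
network:
  instance_tag: gateway          # wrong tag: shares the gateway's rules
  name: public-net               # wrong network: reachable from outside
  subnetwork_name: public-subnet
""",
}


def parse_app_yaml(app_yaml):
    """Return (top_level_keys, network_block) from an app.yaml string.

    Only flat 'key: value' lines are handled; '#' comments are stripped.
    """
    top, net = {}, {}
    in_network = False
    for raw in app_yaml.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if line.startswith(" "):
            if in_network:                   # indented line under 'network:'
                net[key] = value
        else:
            in_network = key == "network"    # new top-level key
            if not in_network:
                top[key] = value
    return top, net


def lint_service(service, app_yaml):
    """Return a list of problems; an empty list means the file matches LAYOUT."""
    problems = []
    top, net = parse_app_yaml(app_yaml)
    if top.get("env") != "flex":
        problems.append(f"{service}: 'network' settings only apply to env: flex")
    declared = top.get("service", "default")
    if declared != service:
        problems.append(f"{service}: app.yaml declares service {declared!r}")
    group = "public" if service == GATEWAY_SERVICE else "internal"
    for key, want in LAYOUT[group].items():
        got = net.get(key)
        if got != want:
            problems.append(f"{service}: network.{key} is {got!r}, expected {want!r}")
    return problems


def lint_all(app_yamls):
    """Lint every service; the gateway is public, everything else internal."""
    problems = []
    for service, text in app_yamls.items():
        problems.extend(lint_service(service, text))
    return problems


def provisioning_commands(project, region):
    """gcloud commands for steps 1 and 2 of the answer (returned, not run)."""
    cmds = []
    for group, cidr in (("public", "10.0.0.0/9"), ("internal", "10.128.0.0/9")):
        net, sub = LAYOUT[group]["name"], LAYOUT[group]["subnetwork_name"]
        cmds.append(f"gcloud compute networks create {net} --project={project} "
                    f"--subnet-mode=custom")
        cmds.append(f"gcloud compute networks subnets create {sub} --project={project} "
                    f"--network={net} --region={region} --range={cidr} "
                    f"--enable-private-ip-google-access")
    cmds.append(f"gcloud compute firewall-rules create internal-deny-all-ingress "
                f"--project={project} --network={LAYOUT['internal']['name']} "
                f"--direction=INGRESS --priority=1000 --action=DENY --rules=all "
                f"--source-ranges=0.0.0.0/0")
    return cmds


if __name__ == "__main__":
    for problem in lint_all(SAMPLE_APP_YAMLS):
        print("PROBLEM:", problem)
    for cmd in provisioning_commands("my-project", "us-central1"):
        print(cmd)
```

Run it before `gcloud app deploy`: a non-empty problem list means a service would land on the wrong network or carry the wrong tag, which is exactly the misconfiguration that would expose an internal service. The subnet ranges are two halves of 10.0.0.0/8 so the two networks never overlap; adjust them to whatever is free in your project.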