How to restrict compute engine to accept requests

Published 2020-06-03 11:44

Question:

I am running my server on Google App Engine, where I am using Node.js, and I have all my other services like MongoDB, Elasticsearch and Redis deployed on Compute Engine.

Now, because of security concerns, on all database instances (MongoDB, ES, Redis) I don't want to accept requests from anywhere except App Engine.

Is there anything I can do using VPN or Networks or Firewall (using target tags and source tags), or anything else, to accept requests only from App Engine?

I read about using tags in the firewall section, where I can define App Engine instances as source tags and Compute Engine tags as target tags, so that my target tags only listen to the source tags.

Please help me guys, I have been searching for this for quite a long time but haven't found anything useful.

UPDATE

I tried to set my App Engine instance tag and then used that tag in the firewall rule associated with all services (MongoDB, ES, Redis), so that the services would only be connected to by App Engine, but it is not working: now I am not able to connect from my App Engine to any of my services.

I have only one network, which is the default network (auto-created by Google), and all my instances, e.g. MongoDB, as well as my App Engine are on this same default network.

I added the line below in app.yaml:

network:
  instance_tag: app-tag

Below I set the source tag to the above app-tag in the firewall rule for my MongoDB database.

Answer 1:

You can use app engine flexible. https://cloud.google.com/appengine/docs/flexible/

Then set the service machines on the same network as the databases.

In such a configuration you don't need to set public IPs on the databases, so there won't be access to them from outside the internal network.
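The firewall setup this answer points at, written out as an added example (not part of the original post or answer): an allow rule keyed on the App Engine flexible instance tag from app.yaml, an explicit deny for everyone else on the database ports, and removal of the public IP. The tag "db-tag", the instance "mongo-1", the zone "us-central1-a" and the dry-run wrapper are assumptions made for the example; "app-tag" and the "default" network come from the question.

```shell
#!/bin/sh
# Added example, not the original poster's setup. Assumed names: database VMs
# carry the tag "db-tag"; the MongoDB VM is "mongo-1" in zone "us-central1-a".
# DRY_RUN=1 (the default) only prints the gcloud commands; DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"
NETWORK="default"
APP_TAG="app-tag"                         # network.instance_tag from app.yaml
DB_TAG="db-tag"
DB_PORTS="tcp:27017,tcp:9200,tcp:6379"    # MongoDB, Elasticsearch, Redis

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The weak rule many setups start with: database ports open to the whole
# internet. Kept here only to contrast with the hardened rules below.
weak_rule() {
  run gcloud compute firewall-rules create db-open-to-internet \
    --network "$NETWORK" --direction INGRESS --action ALLOW \
    --rules "$DB_PORTS" --source-ranges 0.0.0.0/0 --target-tags "$DB_TAG"
}

# Hardened rules: allow the database ports only from instances tagged
# app-tag, then deny them from everyone else. The deny sits at priority 2000,
# which still beats the pre-created default-allow-internal rule (priority
# 65534) that would otherwise let every VM on the default network connect.
hardened_rules() {
  run gcloud compute firewall-rules create db-allow-from-appengine \
    --network "$NETWORK" --direction INGRESS --action ALLOW --priority 1000 \
    --rules "$DB_PORTS" --source-tags "$APP_TAG" --target-tags "$DB_TAG"
  run gcloud compute firewall-rules create db-deny-all-others \
    --network "$NETWORK" --direction INGRESS --action DENY --priority 2000 \
    --rules "$DB_PORTS" --source-ranges 0.0.0.0/0 --target-tags "$DB_TAG"
}

# As the answer says: with no public IP the VM is reachable only inside the
# network. "external-nat" is gcloud's default access-config name (assumed
# unchanged on this instance). $1 = instance name, $2 = zone.
drop_public_ip() {
  run gcloud compute instances delete-access-config "$1" --zone "$2" \
    --access-config-name external-nat
}

hardened_rules
drop_public_ip mongo-1 us-central1-a
```

Remember that the App Engine VMs only carry the tag when the app is deployed on the flexible environment, which is why the answer recommends it.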